journalctl: can't filter ownCloud log lines, fail2ban won't ban

With a regular journalctl command, the log line I am interested in shows up:

[root@bee server]# journalctl -n
-- Logs begin at Mon 2015-01-26 19:44:33 EET, end at Wed 2015-06-10 21:41:12 EEST. --
...
Jun 10 21:41:12 bee ownCloud[25476]: {core} Login failed: 'ewrf' (Remote IP: '172.16.0.2', X-Forwarded-For: '')

How can I reach this ownCloud line using the -u option, a.k.a. _SYSTEMD_UNIT?

[root@bee server]# journalctl -u ownCloud
-- Logs begin at Mon 2015-01-26 19:44:33 EET, end at Wed 2015-06-10 22:01:02 EEST. --

I need to specify the journalmatch variable in the fail2ban filter file for ownCloud.

[root@bee server]# cat /etc/fail2ban/filter.d/owncloud-login.conf
[Definition]
failregex = {"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}

Ignoreregex =
[Init]

# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10

journalmatch = _SYSTEMD_UNIT=ownCloud

Can I use a regular expression? How?

$man journalctl
...
-u, --unit=UNIT|PATTERN
           Show messages for the specified systemd unit UNIT (such as a service unit), or for any of the units matched by PATTERN. If a pattern is specified, a list of
           unit names found in the journal is compared with the specified pattern and all that match are used. For each unit name, a match is added for messages from
           the unit ("_SYSTEMD_UNIT=UNIT"), along with additional matches for messages from systemd and messages about coredumps for the specified unit.
...

Answer 1

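I have ownCloud running under uWSGI/Nginx on Arch Linux, and my journalctl entries show uwsgi, while the actual systemd unit name is [email protected]. You should be able to find the correct systemd unit name with the following command. It finds a single entry that matches the wildcard unit name and prints it in JSON format.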

journalctl -u '*ownCloud*' -n 1 --output json --no-pager
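
Added example, not part of the original answer: this Python sketch takes one entry in the JSON form printed by the command above, lists the FIELD=value expressions that could be used as journalmatch, and checks a failregex against the entry's MESSAGE. The sample entry is constructed; the unit name php-fpm.service, the command name php-fpm, JOURNAL_FAILREGEX and the simplified <HOST> substitution are assumptions.

```python
import json
import re

# Constructed journal entry in `journalctl --output json` form. MESSAGE is the
# log line from the question; the unit and command names are assumptions.
SAMPLE_ENTRY = json.dumps({
    "_SYSTEMD_UNIT": "php-fpm.service",  # assumed, not from the page
    "_COMM": "php-fpm",                  # assumed, not from the page
    "SYSLOG_IDENTIFIER": "ownCloud",
    "MESSAGE": "{core} Login failed: 'ewrf' (Remote IP: '172.16.0.2', "
               "X-Forwarded-For: '')",
})
# failregex from the question's filter (written for ownCloud's JSON log file).
FILE_FAILREGEX = (r"""{"app":"core","message":"Login failed: '.*' """
                  r"""\(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","""
                  r""""level":2,"time":".*"}""")
# Hypothetical variant that keeps only the part present in the journal MESSAGE.
JOURNAL_FAILREGEX = r"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)"
# Journal fields worth filtering on, most specific first.
MATCH_FIELDS = ("SYSLOG_IDENTIFIER", "_SYSTEMD_UNIT", "_COMM")


def field_text(value):
    """journalctl emits non-UTF-8 field values as a list of byte values."""
    if isinstance(value, list) and all(isinstance(b, int) for b in value):
        return bytes(value).decode("utf-8", errors="replace")
    return value


def journalmatch_candidates(entry_json):
    """Return FIELD=value expressions that could serve as journalmatch."""
    entry = json.loads(entry_json)
    return [f"{name}={field_text(entry[name])}"
            for name in MATCH_FIELDS if name in entry]


def banned_host(failregex, entry_json):
    """Search MESSAGE with failregex; return the captured host or None."""
    # <HOST> becomes a simplified IPv4 group, a stand-in for fail2ban's own.
    pattern = failregex.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})")
    found = re.search(pattern, field_text(json.loads(entry_json)["MESSAGE"]))
    return found.group("host") if found else None


if __name__ == "__main__":
    print("journalmatch candidates:", journalmatch_candidates(SAMPLE_ENTRY))
    print("file-format regex ->", banned_host(FILE_FAILREGEX, SAMPLE_ENTRY))
    print("journal-format regex ->", banned_host(JOURNAL_FAILREGEX, SAMPLE_ENTRY))
```

In journalctl's default output the name printed before the PID (ownCloud[25476] in the question) is normally the SYSLOG_IDENTIFIER field rather than the unit name, so SYSLOG_IDENTIFIER=ownCloud is the first candidate to try.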
