[BR]: nginx-http-auth filter does not match because of two subsequent timestamps from systemd-journald and nginx about fail2ban HOT 2 CLOSED

the error log can not be changed in nginx and it always adds a timestamp to the error message

Imho, it depends on how the log-forwarding to syslog in configured.

Changing the start of the expression from ^\s*[error] to ^.*[error] resolves this problem and the filter matches.

This is ugly workaround, since the RE becomes vulnerable due to broken anchor - because ^.* is quasi the same as if it were missing, so no anchor anymore and REs may match everywhere (also against a user input with an "injection" attempt), additionally it becomes very slow, especially on long messages, since it must search the whole message.

Anyway for people having that format here is interim workaround:

- mdre-auth = ^\s*\[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
+ mdre-auth = ^\s*(?:(?!\[)\S+ nginx\[\d+\]: [^\[]*)?\[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
- mdre-fallback = ^\s*\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: <HOST>
+ mdre-fallback = ^\s*(?:(?!\[)\S+ nginx\[\d+\]: [^\[]*)?\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: <HOST>

(part (?:(?!\[)\S+ nginx\[\d+\]: [^\[]*)? would optionally match systemd prefix with also optional additional timestamp)

from fail2ban.

Thanks a lot for the quick resolution. I suspected that my workaround is a dirty hack.

from fail2ban.