-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BR]: latency limit needs to be configurable per jail #3450
Comments
Why? I mean what is the goal of such parameter? To silent warning? Hmm... This subject was extensively discussed in #2882 (starting somewhere from #2882 (comment)). It is not clear too me, which pros we'll get implementing option like this.
This could be surely changed on httpd side (no idea whether it is configurable by apache), e. g. why not log both times, time of response (as event time) and time of request. |
Monitoring software should not generate ominous-looking warnings about things that are not actually error conditions. When I see alerts about problematic timestamps in logs, I think there's something wrong that I need to fix. In fact there isn't, and I shouldn't have to waste my time investigating to determine that, and neither should other admins. "Just ignore the warnings, they're not important," is not a good answer. If they're not important then why are you printing them? They sure sound important! They sound like something's not working properly and we need to fix it! In fact, they say, explicitly, that something's not working properly and we need to fix it! If this were configurable then you could change the Apache httpd configuration that you ship to prevent these warnings for httpd without degrading how timestamps are handled for other applications that generate logs.
It's not reasonable to suggest that the maintainers of httpd should change how/what they log to prevent fail2ban from generating spurious warnings. They consider what they're logging to be correct. Fail2ban should be able to cope with that. |
Because it is important. "Just ignore the warning" means in that case, do it if you understand the consequences and it is not important for you. Also note that if such latency option would be implemented, it will be 0 by default.
They should not. |
Couple comments:
|
Environment:
The issue:
Currently the time limit past which a log entry is considered to have an "odd" timestamp is hard-coded as 60 seconds in filter.py. This should be configurable per-jail.
Steps to reproduce
This is just one example of why this needs to be configurable: Apache httpd logs the timestamp of when a request started being processed, not when it finished being processed, but it doesn't write the log entry to the log file until the request is finished, so if the web server is running slowly or processing a complicated request that takes more than a minute, fail2ban will think the log entry for it has a bad timestamp.
Expected behavior
I should be able to configure a particular jail to allow timestamps to be older than a minute without fail2ban complaining about them.
Observed behavior
The timestamp is hard-coded at 60 seconds so I can't reconfigure it, and as a result logwatch complains to me every night about a bunch of fail2ban log entries for bad timestamps.
Any additional information
Configuration, dump and another helpful excerpts
Any customizations done to /etc/fail2ban/ configuration
Relevant parts of /var/log/fail2ban.log file:
Relevant lines from monitored log files:
The text was updated successfully, but these errors were encountered: