From 3152afbdc2bbcf680fc400de22221f8ba1f76f35 Mon Sep 17 00:00:00 2001
From: Adam Spiers
Date: Sun, 25 Sep 2011 12:58:13 +0100
Subject: [PATCH] Recognise time-stamped kernel messages

e.g. Sep 25 12:51:04 myhost kernel: [773580.832329] sshd[25557]: Invalid user pgsql from 91.203.223.206

This fixes the sshd filter on Fedora 15, and probably other filters on other newish distros too.
---
 config/filter.d/common.conf | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf
index b580c78d..18bf41c5 100644
--- a/config/filter.d/common.conf
+++ b/config/filter.d/common.conf
@@ -32,10 +32,16 @@ __daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
 # EXAMPLES: sshd[31607], pop(pam_unix)[4920]
 __daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
 
+# Some messages have a kernel prefix with a timestamp
+# EXAMPLES: kernel: [769570.846956]
+__kernel_prefix = kernel: \[\d+\.\d+\]
+
+__hostname = \S+
+
 #
 # Common line prefixes (beginnings) which could be used in filters
 #
 # [hostname] [vserver tag] daemon_id spaces
 # this can be optional (for instance if we match named native log files)
-__prefix_line = \s*(?:\S+ )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*
+__prefix_line = \s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*
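Review bot: `__kernel_prefix = kernel: \[\d+\.\d+\]` does not accept the kernel's padded timestamp: the seconds field is right-aligned to five characters, so a host that has been up for less than 10000 s logs `kernel: [  773.832329]` and the new prefix fails to match, which silently leaves those boots unprotected by any filter that uses `__prefix_line` (the hunk's own example `[773580.832329]` is wide enough not to show the padding). Allowing it, `__kernel_prefix = kernel: \[ *\d+\.\d+\]`, fixes that, and extending the comment to `# EXAMPLES: kernel: [769570.846956], kernel: [  773.832329]` would document why the space is there. Note also that every component of `__prefix_line` — hostname, the new kernel prefix, vserver tag, daemon — is optional and `__hostname` is a bare `\S+`, so the prefix gives no anchoring: a failregex built on it can also match attacker-chosen text later in a line (for example a crafted user name in an "Invalid user" message), so filters should anchor to the start of the line rather than rely on this prefix to reject injected content. That looseness predates this commit; only the padding gap is introduced here.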