Fail2Ban4Win

Quick question - custom title in the logs

Open Ozkovacs opened this issue 6 months ago • 5 comments

Hi there! Me again, with all my weird questions....

I have my mail server create Windows event logs when certain types of events happen. Fail2Ban4Win catches these perfectly and handles the bans like a charm. Currently, all the logs are like this: Info - 2025-09-08T09:19:09.216-04:00 - EventLogListenerImpl - Authentication failure detected from 111.61.97.5 (log="Application", event=1000, source="MailEnableSMTP")

I was wondering if it would be possible to add a property in the configuration.json file so the log can contain a specific text when it finds a matching event.

Something along the lines of this (the `\d` in the pattern has to be written as `\\d` for the file to be valid JSON):

{
	"logName": "Application",
	"source": "MailEnableSMTP",
	"eventId": 1002,
	"ipAddressPattern": "Reconnaissance scanning detected from IP: (?<ipAddress>(?:\\d{1,3}\\.){3}\\d{1,3}) at",
	"customMsg": "Reconnaissance scanning detected"
}

So, I could have something like this in the logs: Info - 2025-09-08T09:19:09.216-04:00 - EventLogListenerImpl - Reconnaissance scanning detected from 111.61.97.5 (log="Application", event=1000, source="MailEnableSMTP")

Nothing major or too important - this is just a suggestion so it's easier to follow what is going on when scanning the log.

Cheers!

Ozkovacs, Sep 08 '25 15:09

In the meantime, I'll just create different event types, which are listed as the "source" in the logs... but if you plan to add a custom message, I'd be really happy 😄. However, I did find this workaround for now.

Cheers!

Ozkovacs, Sep 08 '25 18:09

Oh! This brings up a question. Will an IP identified in a different "source" still count globally, or will it be counted separately (per source) to decide when to enable a FW rule? I don't think it changes things too much in my case, but I just want to make sure I understand how this would work.

Thanks, and sorry about all this babbling and these questions...

Ozkovacs, Sep 08 '25 19:09

  • To clarify, you're requesting a configurable message which is different per each individual event selector object in the configuration, rather than one single program-wide custom message shared by all detection messages?
  • IP addresses identified across selectors are indeed all counted together cumulatively, not separately per selector. For example, if an IP address fails to authenticate to both your SMTP server and your SSH server, it will be banned after just as many failures as if it had only hit your SMTP server.

Aldaviva, Sep 09 '25 01:09

Good day @Aldaviva. Yes, you got this correct about the configurable message "per selector". Again, I found a workaround, but that could be handy.

Thanks for the clarification about IP addresses identified across selectors. It's what made the most sense to me, but I wanted to validate that I got it right.

Cheers!

Ozkovacs, Sep 09 '25 13:09

I have added a new property to the EventLogSelector called selectorName. You can set its value to a custom string and it will appear in the log message from EventLogListenerImpl when an event is matched. By default, this property is null for backwards compatibility with old configuration files.

configuration.json

{
	"eventLogSelectors": [
		{
			"selectorName": "Remote Desktop Services",
			"logName": "Security",
			"eventId": 4625,
			"ipAddressEventDataName": "IpAddress"
		}
	]
}

Fail2Ban4Win.log

Info - 2025-10-13T14:47:26.000-07:00 - EventLogListenerImpl - Authentication failure detected from 1.2.3.4 using selector Remote Desktop Services (log=Security, event=4625, source=Microsoft Windows security auditing.)

You can try this out using the latest build of the master branch (or by compiling it yourself). Let me know if it works and if it solves this item.

Aldaviva, Oct 13 '25 21:10
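The two behaviours discussed in this thread, a selector that only contributes a label to the log line, and failure counts that are shared across all selectors rather than kept per selector, can be modelled in a few lines. The following is an added example written for this page; it is not Fail2Ban4Win's own code and does not reproduce its implementation. It uses only the selector fields that appear in the thread (selectorName, logName, source, eventId, ipAddressPattern, ipAddressEventDataName); the failure threshold name `max_allowed_failures`, the event records, and the rule that the first matching selector wins are assumptions made for the example. Note also that the `(?<ipAddress>...)` named-group syntax in the posted pattern is .NET syntax, so the example rewrites it to Python's `(?P<ipAddress>...)` before compiling.

```python
"""Added example (not Fail2Ban4Win code): selector matching, selectorName in the
log line, and cumulative per-IP failure counting across selectors."""
import json
import re
from collections import defaultdict

# Constructed configuration: one selector with a selectorName, one without
# (the null default the maintainer mentions for old configuration files).
CONFIGURATION_JSON = r'''{
  "eventLogSelectors": [
    {
      "selectorName": "Remote Desktop Services",
      "logName": "Security",
      "eventId": 4625,
      "ipAddressEventDataName": "IpAddress"
    },
    {
      "logName": "Application",
      "source": "MailEnableSMTP",
      "eventId": 1002,
      "ipAddressPattern": "Reconnaissance scanning detected from IP: (?<ipAddress>(?:\\d{1,3}\\.){3}\\d{1,3}) at"
    }
  ]
}'''

# Constructed event records standing in for Windows event log entries.
EVENTS = [
    {"log": "Security", "eventId": 4625, "source": "Microsoft Windows security auditing.",
     "eventData": {"IpAddress": "1.2.3.4"}, "message": ""},
    {"log": "Application", "eventId": 1002, "source": "MailEnableSMTP", "eventData": {},
     "message": "Reconnaissance scanning detected from IP: 1.2.3.4 at 09:19:09"},
    # eventId 1000 has no selector configured below, so it must be ignored.
    {"log": "Application", "eventId": 1000, "source": "MailEnableSMTP", "eventData": {},
     "message": "Authentication failed from 5.6.7.8"},
    {"log": "Application", "eventId": 1002, "source": "MailEnableSMTP", "eventData": {},
     "message": "Reconnaissance scanning detected from IP: 5.6.7.8 at 09:20:00"},
]


def dotnet_to_python(pattern):
    """Rewrite .NET named groups (?<name>...) as Python (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched because '=' and '!' are not
    identifier characters."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)


def load_selectors(config_text):
    """Parse configuration.json and precompile any ipAddressPattern."""
    selectors = []
    for sel in json.loads(config_text)["eventLogSelectors"]:
        sel = dict(sel)
        if "ipAddressPattern" in sel:
            sel["_regex"] = re.compile(dotnet_to_python(sel["ipAddressPattern"]))
        selectors.append(sel)
    return selectors


def extract_ip(selector, event):
    """Return the IP this selector extracts from the event, or None if the
    selector does not apply (wrong log, event ID, or source) or yields no IP."""
    if event["log"] != selector["logName"] or event["eventId"] != selector["eventId"]:
        return None
    if "source" in selector and event["source"] != selector["source"]:
        return None
    if "ipAddressEventDataName" in selector:
        return event["eventData"].get(selector["ipAddressEventDataName"])
    match = selector["_regex"].search(event["message"])
    return match.group("ipAddress") if match else None


def format_log(selector, event, ip):
    """Build the message in the shape shown in the thread; the 'using selector'
    part is only present when selectorName is set."""
    name = selector.get("selectorName")
    via = f" using selector {name}" if name else ""
    return (f"Authentication failure detected from {ip}{via} "
            f"(log={event['log']}, event={event['eventId']}, source={event['source']})")


class FailureCounter:
    """Counts failures per IP across every selector (cumulative, not per selector)."""

    def __init__(self, max_allowed_failures):
        self.max_allowed_failures = max_allowed_failures  # hypothetical threshold name
        self.failures = defaultdict(int)

    def record(self, ip):
        """Return True once the IP has exceeded the allowed number of failures."""
        self.failures[ip] += 1
        return self.failures[ip] > self.max_allowed_failures


def process(selectors, events, max_allowed_failures):
    """Run the events through the selectors; return log lines, banned IPs, and counts."""
    counter = FailureCounter(max_allowed_failures)
    log_lines, banned = [], []
    for event in events:
        for selector in selectors:
            ip = extract_ip(selector, event)
            if ip is None:
                continue
            log_lines.append(format_log(selector, event, ip))
            if counter.record(ip) and ip not in banned:
                banned.append(ip)
            break  # assumption for this example: first matching selector wins
    return log_lines, banned, dict(counter.failures)


if __name__ == "__main__":
    lines, bans, counts = process(load_selectors(CONFIGURATION_JSON), EVENTS, 1)
    print("\n".join(lines))
    print("banned:", bans, "counts:", counts)
```

With the threshold set to 1, 1.2.3.4 is banned only because its RDP failure and its SMTP failure are added together; neither selector on its own sees more than one failure, which is exactly the cumulative behaviour confirmed in the thread. The event with ID 1000 produces no log line because no selector covers it.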