Fail2ban: Multiple Logpaths prevent starting when action_mwl is used

Created on 26 Feb 2015 · 18 Comments · Source: fail2ban/fail2ban

When using the setting:

    action = %(action_mwl)s

any jail rule defined with multiple logpaths (multiple paths, not wildcards):

logpath = /some/path/file.log
           /a/completely/different/path/file.log

prevents Fail2ban from starting (sample output from /usr/bin/fail2ban-client start):

ERROR  Error in action definition sendmail-whois-lines[name=test-jail, dest="root@localhost", logpath=/some/path/file.log
ERROR  Errors in jail 'test-jail'. Skipping...

This only occurs when using the l option for the action, which adds the log lines to the email.

Affects versions:

0.8.6-3wheezy3 (Debian Wheezy)
0.8.13-1 (Debian Jessie)
0.9.1-1 (Debian Sid)

Not tested with others, but it seems like it affects all versions.

All 18 comments

Can you try to check this issue by replacing, in jail.conf, in any expression like action_mwl, action_xarf etc.:
logpath=%(logpath)s
through
logpath="%(logpath)s"

Testing 0.9.1-1 (Debian Sid) with default rule of

[php-url-fopen]
enabled = true
port = http,https
logpath = %(nginx_access_log)s %(apache_access_log)s

changing the logpath to

logpath = "%(nginx_access_log)s %(apache_access_log)s"

has no effect, same error/issue.

No, that is not what I meant. The logpath in the jails should not be changed, but the logpath in the expression for action_mwl, action_xarf etc.

Here is an example:

action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

should be:

action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

Ah fair point.

Yes, fail2ban starts with this fix, but only if the logpath in the jail is in the form:

logpath = /some/path/file.log /a/completely/different/path/file.log

and not:

logpath = /some/path/file.log
           /a/completely/different/path/file.log

The problem with having them in-line is that the jail itself is not set up properly; running:

/usr/bin/fail2ban-client status my-jail

results in

Status for the jail: my-jail
|- filter
|  |- File list:    
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   |  `- IP list:   
   `- Total banned: 0

Notice File list is empty.

No, at the moment multiple log-files in logpath can be specified using newline only.

The problem is that both logpath and action are strings that in JailReader (after complete substitution) will be split by newline. Therefore at the moment it's not possible to use multiple logfiles as an argument for an action.
So as a result of the substitution (before the split) we will have something like:

iptables-multiport[name=test, bantime="600", port="0:65535", protocol="tcp", chain="INPUT"]
sendmail-whois-lines[name=test, dest="root@localhost", logpath="1st.log
2nd.log", chain="INPUT"]

So if this is split using '\n' as separator, we will have 3 lines (and as a result 3 actions), and the second and third are broken.
I don't think it is easy to fix this without rewriting the config parser substitution or without implementing expensive escaping inside JailReader.

As a workaround you can use %(action_mw)s instead of %(action_mwl)s (but it will send mails without lines). Or you can try to redefine the action for this jail using the same expression as %(action_mwl)s, but without the logpath=... argument (I don't know whether it will work without it).

Apart from that, I don't know whether the sendmail-whois-lines action accepts multiple logpaths.

Instead of sendmail-whois-lines you can use the sendmail-whois-matches action, which also sends the failure lines (matches), but does not need a log file at all.
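To make the newline-splitting conflict described above concrete, here is a small added simulation (not fail2ban's own code) of what JailReader does: it interpolates the action_mwl template with the jail's values and then splits both logpath and the substituted action on newlines. The template, jail values and paths are constructed for this example.

```python
import re

# Constructed template modelled on the action_mwl expression quoted above;
# the real one lives in jail.conf, this is a stand-in for the simulation.
ACTION_MWL = (
    'iptables-multiport[name=%(__name__)s, bantime="%(bantime)s", '
    'port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]\n'
    'sendmail-whois-lines[name=%(__name__)s, dest="%(destemail)s", '
    'logpath="%(logpath)s", chain="%(chain)s"]'
)


def substitute(template, values):
    """Expand %(name)s placeholders the way ConfigParser interpolation does."""
    return template % values


def split_jail(values):
    """Mimic JailReader: both the logpath and the fully substituted action
    string are split on newlines. Returns (log files, action lines)."""
    logfiles = [p for p in values["logpath"].split("\n") if p.strip()]
    actions = [a for a in substitute(ACTION_MWL, values).split("\n") if a.strip()]
    return logfiles, actions


def is_wellformed(action):
    """An action line must look like name[args] with the bracket closed."""
    return re.fullmatch(r"[\w-]+\[[^\[\]]*\]", action) is not None


def analyse(logpath):
    """Count log files, actions and broken actions for a given jail logpath."""
    values = {"__name__": "test-jail", "bantime": "600", "port": "0:65535",
              "protocol": "tcp", "chain": "INPUT",
              "destemail": "root@localhost", "logpath": logpath}
    logfiles, actions = split_jail(values)
    broken = [a for a in actions if not is_wellformed(a)]
    return {"logfiles": len(logfiles), "actions": len(actions), "broken": len(broken)}


if __name__ == "__main__":
    # Newline-separated logpath: 2 files, but the action splits into 3 pieces.
    print(analyse("/some/path/file.log\n/a/completely/different/path/file.log"))
    # Space-separated logpath: actions stay intact, but it is one bogus file.
    print(analyse("/some/path/file.log /a/completely/different/path/file.log"))
```

The two calls show the trade-off from the thread: the newline form gives the right file list but corrupts the action list, while the inline form keeps the actions intact but collapses the paths into a single non-existent file.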

Okay, I've created a new action rule (does that look correct to you?):

action_mwm = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-matches[name=%(__name__)s, dest="%(destemail)s" chain="%(chain)s"]

and set the action to that.
Will see what it outputs.

Looks not bad, but I believe ...-whois-matches, ...-whois-ipmatches and ...-whois-ipjailmatches do not exist for mail (sendmail only). So the substitution %(mta)s-... will not work if mail is configured as the mta.
Second, I don't know about chain="%(chain)s" in this regard.

Yep, it seems to work. mta is set to sendmail even though I'm using postfix. The current sendmail-whois-matches.conf action file from commit 549ab24:
https://github.com/fail2ban/fail2ban/tree/549ab24e70effef2901edd9d4684661cb6e4f54a/config/action.d/sendmail-whois-matches.conf
will work with 0.8.6-3wheezy3

Negative on jessie :(

What about abc0756 from #727? It worked, but somehow it was not implemented into master.

@helonaut have you tried using the sendmail-whois-matches.conf action file, creating the new action

action_mwm = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-matches[name=%(__name__)s, dest="%(destemail)s" chain="%(chain)s"]

and setting your action line to:

action = %(action_mwm)s

or have you set your mta to just mail?

Then you can have sections including lines like:

logpath  = /var/log/apache*/*access.log
           /var/www/vhosts/*/logs/access*log

I'll try these when I have some time on my hands (deadlines at work currently)... I've just settled for action_mw in the meanwhile. If I really need the lines, I'll just log in via SSH to check out what's up.
But thanks for the input, lines directly in the email would be better by far!

Not 100% the same as _mwl but it works. Tested with 0.9.2 on debian wheezy.

You missed one "," between sender and chain; the correct definition is:

action_mwm = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-matches[name=%(__name__)s, dest="%(destemail)s", chain="%(chain)s"]

Is this going to be addressed? I ran into the same issue...

+1

As for action_mwl, as already noted in https://github.com/fail2ban/fail2ban/issues/976#issuecomment-76224319, it was impossible to supply a multi-line option (logpath) to a multi-line parameter (action),
simply because each new line in the action parameter means a new action (actions are split by newline).

Good news - I found a way to provide this possibility now, so fixed in e651bc7866f7c0cc32db1fe01d7c93abebd303c5.
This will be released with next 0.10/0.11 version.

For older versions, a workaround with the <br> tag may possibly solve this (without engagement):

logpath = /var/log/nginx/*error.log <br>/var/log/nginx/*/error.log