# Fail2Ban stops working when logs are rotated



## Mayhem30 (Nov 27, 2016)

I'm using security/py-fail2ban to stop some attacks on my mail server. It's working great right up until my mail log is auto rotated.

Once that happens, the fail2ban.log file shows this:

```
2016-11-27 00:00:00,060 fail2ban.filter         [53833]: INFO    Log rotation detected for /var/log/maillog
```
After that, no more fail2ban.log entries are recorded and Fail2Ban no longer does anything until I restart it.

Any suggestions on how to fix this issue?


----------



## uzsolt (Nov 28, 2016)

Please check (part of) my /etc/newsyslog.conf:

```
/var/log/fail2ban.log           640  3     100  *  J    /var/run/fail2ban/fail2ban.pid  30
```
Please note the last two fields: `path_to_pid_cmd_file` and `signal`. Check newsyslog.conf() for details!

Edit: sorry, I misunderstood you. I think you can use something similar with your maillog (with `fail2ban`-restart); I hope it helps you.


----------



## Mayhem30 (Nov 28, 2016)

uzsolt said:


> I think you can use similar with your maillog (with fail2ban-restart), I hope it helps you.



I'm not sure I understand what you mean by that.


----------



## uzsolt (Nov 29, 2016)

```
/var/log/maillog ... /var/run/fail2ban/fail2ban.pid  30
```
I think in this case `fail2ban` will restart when /var/log/maillog rotates.


----------



## Mayhem30 (Dec 5, 2016)

No, that didn't work for me.

I must be doing something wrong ... as I just can't see why Fail2Ban stops working when any log file is rotated. Once that happens, Fail2Ban "stalls" and does absolutely nothing until it's restarted.

No one else is having this issue?


----------



## OlivierW (Dec 6, 2016)

Hello,


Mayhem30 said:


> No one else is having this issue?


The log rotation detection works for us; I didn't configure anything special to make it work.


----------



## Mayhem30 (Dec 8, 2016)

This is the debug file for when it stops working:

```
2016-12-08 00:00:00,071 fail2ban.filterpyinotify[1586]: DEBUG   Default Callback for Event: <Event cookie=4334241 dir=False mask=0x80 maskname=IN_MOVED_TO name=maillog.3.bz2 path=/var/log pathname=/var/log/maillog.3.bz2 wd=13 >
2016-12-08 00:00:00,071 fail2ban.filterpyinotify[1586]: DEBUG   Ignoring creation of /var/log/maillog.3.bz2 we do not monitor
2016-12-08 00:00:00,071 fail2ban.filterpyinotify[1586]: DEBUG   Default Callback for Event: <Event cookie=4334127 dir=False mask=0x80 maskname=IN_MOVED_TO name=maillog.2.bz2 path=/var/log pathname=/var/log/maillog.2.bz2 wd=13 >
2016-12-08 00:00:00,071 fail2ban.filterpyinotify[1586]: DEBUG   Ignoring creation of /var/log/maillog.2.bz2 we do not monitor
2016-12-08 00:00:00,072 fail2ban.filterpyinotify[1586]: DEBUG   Default Callback for Event: <Event cookie=4333984 dir=False mask=0x80 maskname=IN_MOVED_TO name=maillog.1.bz2 path=/var/log pathname=/var/log/maillog.1.bz2 wd=13 >
2016-12-08 00:00:00,072 fail2ban.filterpyinotify[1586]: DEBUG   Ignoring creation of /var/log/maillog.1.bz2 we do not monitor
2016-12-08 00:00:00,072 fail2ban.filterpyinotify[1586]: DEBUG   Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/maillog pathname=/var/log/maillog wd=14 >
2016-12-08 00:00:00,072 fail2ban.filter         [1586]: INFO    Log rotation detected for /var/log/maillog
2016-12-08 00:00:00,072 fail2ban.datedetector   [1586]: DEBUG   Matched time template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2016-12-08 00:00:00,072 fail2ban.datedetector   [1586]: DEBUG   Got time 1481184000.000000 for "u'Dec  8 00:00:00'" using template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2016-12-08 00:00:00,078 fail2ban.datedetector   [1586]: DEBUG   Sorting the template list
2016-12-08 00:00:00,078 fail2ban.datedetector   [1586]: DEBUG   Winning template: (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)? with 3010 hits
2016-12-08 00:00:00,078 fail2ban.filterpyinotify[1586]: DEBUG   Default Callback for Event: <Event dir=False mask=0x100 maskname=IN_CREATE name=maillog.0 path=/var/log pathname=/var/log/maillog.0 wd=13 >
2016-12-08 00:00:00,078 fail2ban.filterpyinotify[1586]: DEBUG   Ignoring creation of /var/log/maillog.0 we do not monitor
2016-12-08 00:00:00,078 fail2ban.filterpyinotify[1586]: DEBUG   Default Callback for Event: <Event dir=False mask=0x100 maskname=IN_CREATE name=maillog path=/var/log pathname=/var/log/maillog wd=13 >
2016-12-08 00:00:00,078 fail2ban.filterpyinotify[1586]: DEBUG   Removed file watcher for /var/log/maillog
2016-12-08 00:00:00,079 fail2ban.filterpyinotify[1586]: DEBUG   Added file watcher for /var/log/maillog
2016-12-08 00:00:00,080 fail2ban.datedetector   [1586]: DEBUG   Sorting the template list
2016-12-08 00:00:00,080 fail2ban.datedetector   [1586]: DEBUG   Winning template: (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)? with 3010 hits
2016-12-08 00:00:00,080 fail2ban.filterpyinotify[1586]: DEBUG   Default Callback for Event: <Event dir=False mask=0x8000 maskname=IN_IGNORED name='' path=/var/log/maillog pathname=/var/log/maillog wd=14 >
2016-12-08 00:00:00,082 fail2ban.datedetector   [1586]: DEBUG   Sorting the template list
2016-12-08 00:00:00,082 fail2ban.datedetector   [1586]: DEBUG   Winning template: (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)? with 3010 hits
2016-12-08 00:00:10,157 fail2ban.filterpyinotify[1586]: DEBUG   Default Callback for Event: <Event dir=False mask=0x100 maskname=IN_CREATE name=maillog.0.bz2 path=/var/log pathname=/var/log/maillog.0.bz2 wd=13 >
2016-12-08 00:00:10,158 fail2ban.filterpyinotify[1586]: DEBUG   Ignoring creation of /var/log/maillog.0.bz2 we do not monitor
```
Then it just stops working... 7 minutes later I stopped / started Fail2Ban and it works again.

```
2016-12-08 00:06:59,764 fail2ban.transmitter    [1586]: DEBUG   Command: ['stop']
2016-12-08 00:06:59,765 fail2ban.asyncserver    [1586]: DEBUG   Removed socket file /var/run/fail2ban/fail2ban.sock
2016-12-08 00:06:59,765 fail2ban.asyncserver    [1586]: DEBUG   Socket shutdown
2016-12-08 00:06:59,765 fail2ban.server         [1586]: INFO    Stopping all jails
2016-12-08 00:06:59,765 fail2ban.server         [1586]: DEBUG   Stopping jail postfix
2016-12-08 00:07:00,151 fail2ban.actions        [1586]: DEBUG   Flush ban list
```
In my newsyslog.conf file, I have it set to save up to 4 backups.

```
/var/log/messages                       644  4     100  @0101T JC
```
Any ideas? Do you think the backups are messing things up?


----------
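Added example, not part of any post in this thread: a small watchdog that scans fail2ban.log for the pattern reported above, a "Log rotation detected" entry followed shortly by a long silence, so a stalled jail is noticed without waiting for someone to read the log. The function names and the `max_silence` / `window` thresholds are assumptions to tune to how busy the monitored log is; the sample lines are abridged from the debug log posted above.

```python
import re
from datetime import datetime, timedelta

# Line layout as in the fail2ban.log excerpts posted in this thread.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(\d{3}) "
    r"fail2ban\.[\w.]+\s*\[\d+\]: \w+\s+(.*)$")
ROTATION_RE = re.compile(r"^Log rotation detected for (\S+)$")

# Abridged from the debug log posted above.
SAMPLE = """\
2016-12-08 00:00:00,072 fail2ban.filter         [1586]: INFO    Log rotation detected for /var/log/maillog
2016-12-08 00:00:00,079 fail2ban.filterpyinotify[1586]: DEBUG   Added file watcher for /var/log/maillog
2016-12-08 00:00:10,158 fail2ban.filterpyinotify[1586]: DEBUG   Ignoring creation of /var/log/maillog.0.bz2 we do not monitor
2016-12-08 00:06:59,764 fail2ban.transmitter    [1586]: DEBUG   Command: ['stop']
""".splitlines()


def parse(line):
    """Return (timestamp, message), or None if the line is not a log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts + timedelta(milliseconds=int(m.group(2))), m.group(3)


def find_stalls(lines, max_silence=timedelta(minutes=5),
                window=timedelta(minutes=1), now=None):
    """Return [(rotated_path, last_entry_time, gap)] for each silent gap longer
    than max_silence that begins within `window` of a rotation notice."""
    entries = [e for e in map(parse, lines) if e]
    stalls, rotation = [], None
    for i, (ts, msg) in enumerate(entries):
        m = ROTATION_RE.match(msg)
        if m:
            rotation = (m.group(1), ts)
        # Only gaps that start right after a rotation are attributed to it.
        if rotation is None or ts - rotation[1] > window:
            continue
        # The gap ends at the next entry, or at `now` when the log just stops.
        nxt = entries[i + 1][0] if i + 1 < len(entries) else now
        if nxt is not None and nxt - ts > max_silence:
            stalls.append((rotation[0], ts, nxt - ts))
            rotation = None
    return stalls


if __name__ == "__main__":
    for path, last_seen, gap in find_stalls(SAMPLE):
        print(f"possible stall after rotation of {path}: silent {gap} from {last_seen}")
```

When run from cron against the live log, pass `now=datetime.now()` so that a log which simply ends after the rotation is reported as well.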

