FreePBX logs - change date format


(Nielsl) #1

Hi All,

Currently FreePBX logs in the /var/log/asterisk/freepbx_security.log file the dates in the following format:

[2020-Nov-10 16:13:41] [freepbx_security.NOTICE]: Authentication failure for S from 1.2.3.4 [] []

Is there a way to change the date format to be the same as asterisk applies in the /var/log/asterisk/full format? That dateformat is as such:

[2020-11-10 10:40:50] NOTICE[1673] chan_sip.c: Peer ‘99200’ is now Reachable. (25ms / 2000ms)

I have already updated the “Date and Time Format” under “Advanced Settings” to YYYY-MM-DD HH:mm:ss, as well as %F %T, similar to the standard under the “Asterisk Logfile Settings”. I’m probably overlooking where I can change this, can somebody point me in the right direction?

Thanks


(Luconedj) #2

Hi My friend,
Same problems here but,
After 1 night trying to search for relevant info about it on the web and in ALL THE SOURCE, I guess I’ve managed to overcome this with a WAS in PHP code…
Just edit the dateformatter in /your_freepbx_web_root/admin/libraries/BMO/Logger.class.php
Search for:
$dateFormat = "Y-M-d H:i:s";
Change as needed…
E.g
2020-09-14 00:55:00 -> $dateFormat = "Y-m-d H:i:s";
Hope this helps and someone implements this simple change in the UI.
Br,
Luca


#3

Interesting, the dateformat is normally a ‘general’ setting, not log specific. In the GUI under logfile settings->date format, what do you have? Is that overwritten anywhere in your /etc/asterisk/log*.conf files?

grep -ri dateformat /etc/asterisk/log*


(Luconedj) #4

Hello @dicko,
Here is the answer:
[quote="dicko, post:3, topic:71418"]
grep -ri dateformat /etc/asterisk/log*
[/quote]

$ grep -ri dateformat /etc/asterisk/log*
/etc/asterisk/logger.conf.dpkg-new:;dateformat=%F %T ; ISO 8601 date format
/etc/asterisk/logger.conf.dpkg-new:;dateformat=%F %T.%3q ; with milliseconds
/etc/asterisk/logger_general_additional.conf:dateformat=%F %T

And from GUI:


Thank you,
Luca.


#5

Yes, that log file is hardcoded as to timestamp, you could file a feature request for it to instead more logically follow the settings in the logfile page or suffer the warnings about failed signatures, but is it only a cosmetic thing that causes this angst?


(Luconedj) #6

Hi @dicko,
Thanks for your feedback.
My thought was to add a fail2ban filter on the freepbx log “in the easy way” since Y-M-d is not parsed out of the box.
I’m not so confident with regex :slight_smile:.
In any case, is there a way to force signature in order to avoid the annoying warning in the dashboard?
Alternatively, could you please address me to a simple way to add fail2ban filter on failed login attempts on the web GUI of freepbx?
Thank you very much!
Luca


#7

I believe you will find that fail2ban understands many formats for timestamps ‘out of the box’, you just need to isolate the <HOST> in your regexes after the ‘prefix’.

https://fail2ban.readthedocs.io/en/latest/filters.html


(Luconedj) #8

Yes,
Unfortunately that kind of format is not recognised…
I tried to format a correct prefix regex with no success hahaha.
Anyway, I’ll try to deeply understand the fail2ban logic in order to adapt.
Thanks again.
Luca


#9

You might want to use a current version of fail2ban, I believe .10 would recognize it.

Or perhaps add

datepattern = ^\[%%Y-%%b-%%d %%H:%%M:%%S\]

to your jail if supported.


(Nielsl) #10

Adding a date pattern indeed resolved it. I came to the same conclusion a day after I posted. I am running FreePBX on an Ubuntu 18.04 LTS with fail2ban installed from the repos, I don’t want to manually override the repositories.

In order to have Fail2ban also check the freepbx_security.log file I have added an additional jail, and added the below file to the filter.d folder. For me, this works like a charm.

# Fail2Ban configuration file
#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here

failregex = \[freepbx_security\.NOTICE\]: Authentication failure for .* from <HOST> \[\] \[\]

datepattern = ^\[%%Y-%%b-%%d %%H:%%M:%%S\]


# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
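
An added example, not part of the original posts and not fail2ban's own code: a Python approximation of what the filter above does with `freepbx_security.log`, useful for checking the date format and failure regex against sample lines before relying on the jail. The `<HOST>` matcher is simplified to an IP literal, and the `maxretry` and `findtime` values and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Python equivalents of the filter's datepattern and failregex.
# Assumption: <HOST> is approximated by an IPv4/IPv6 literal matcher.
DATE_RE = re.compile(r"^\[(\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2})\]")
FAIL_RE = re.compile(
    r"\[freepbx_security\.NOTICE\]: Authentication failure for .* "
    r"from (?P<host>[0-9A-Fa-f:.]+) \[\] \[\]"
)

def parse_failure(line):
    """Return (timestamp, host) for a failed-login line, else None."""
    date = DATE_RE.match(line)
    fail = FAIL_RE.search(line)
    if not (date and fail):
        return None
    try:
        # %b is the abbreviated month name ("Nov"), matching %%b in the filter.
        stamp = datetime.strptime(date.group(1), "%Y-%b-%d %H:%M:%S")
    except ValueError:
        return None
    return stamp, fail.group("host")

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Hosts with at least maxretry failures inside a findtime-second window."""
    seen, banned = defaultdict(list), []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue  # wrong date format or not a failure line
        stamp, host = hit
        window = [t for t in seen[host] if stamp - t <= timedelta(seconds=findtime)]
        window.append(stamp)
        seen[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample lines; the fourth uses a numeric month and is not matched.
SAMPLE = [
    "[2020-Nov-10 16:13:41] [freepbx_security.NOTICE]: Authentication failure for admin from 192.0.2.10 [] []",
    "[2020-Nov-10 16:13:55] [freepbx_security.NOTICE]: Authentication failure for root from 192.0.2.10 [] []",
    "[2020-Nov-10 16:14:02] [freepbx_security.NOTICE]: Authentication failure for admin from 198.51.100.7 [] []",
    "[2020-11-10 16:14:05] [freepbx_security.NOTICE]: Authentication failure for admin from 192.0.2.10 [] []",
    "[2020-Nov-10 16:14:20] [freepbx_security.NOTICE]: Authentication failure for admin from 192.0.2.10 [] []",
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE))
```

On a host with fail2ban installed, `fail2ban-regex` run against the real log file and the filter file gives the authoritative answer for the installed version.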

(Luconedj) #11

Hi @nielsl1985 and @dicko,
Datepattern in the jail works like a charm !
Thanks,
Luca