Quote:
Originally Posted by elgrandeperro
That is NOT how apache logs work. They don't open/close the file for each connection, they keep the fd open. So when, for instance, you rotate the files, most likely the other apaches are going to write into the old file, and chaos will ensue.
You can insert what you want into the apache log file, you would just write a filter in fail2ban to trigger the action. I guess I don't understand your comment perhaps.
One way to unify your fail2ban: you can forward the apache logs using syslog to a central server. That server can interpret the log files and push out the fail2ban commands to all your servers. The syslog server can either watch each log or a unified one. There is no problem with "sharing" syslog that you would have with an nfs mount. The only commands it probably needs to push are one to ban an IP and one to unban an IP, since the management would be a unified instance.
Thanks for your reply.
You have confirmed what I had assumed was most likely the situation.
From observation of Linux behaviour I was sure if the log files were opened, written to and then closed for each entry, or, what appeared to be the more likely, that they were opened when the application started and closed when the application was closed or restarted.
From many years ago I had the feeling that Unix and most likely Linux used file IDs rather than names to access files, and therefore changing a file name or even moving it made no difference to an application accessing the file.
I will now need to review my approach to this concept and find an alternative approach.
Thank you once again for responding.
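
Added example, not part of either post: a small Python script for a POSIX system showing the behaviour discussed above, where a writer that keeps its descriptor open follows the inode through a rename, and a log watcher can detect the rotation by comparing inode numbers. The file names, log lines and the `rotation_demo` function are constructed for illustration.

```python
import os
import tempfile


def rotation_demo(workdir=None):
    """Rotate a log under a writer that keeps its fd open (POSIX only)."""
    tmp = None
    if workdir is None:
        tmp = tempfile.TemporaryDirectory()
        workdir = tmp.name
    log = os.path.join(workdir, "access.log")   # constructed file name
    rotated = log + ".1"

    writer = open(log, "a")          # long-lived descriptor, like a daemon's
    writer.write("before rotation\n")
    writer.flush()
    watched_inode = os.stat(log).st_ino   # what a log watcher remembers

    os.rename(log, rotated)          # rotate without telling the writer
    open(log, "a").close()           # rotation tool creates a fresh file
    writer.write("after rotation\n") # still goes to the renamed file
    writer.flush()

    result = {
        # The open descriptor points at the inode, not the name.
        "writer_follows_rename":
            os.fstat(writer.fileno()).st_ino == os.stat(rotated).st_ino,
        # A watcher comparing inodes sees that the name now means a new file.
        "watcher_sees_rotation": os.stat(log).st_ino != watched_inode,
    }

    # The remedy: the writer reopens by name (what a reload/restart does).
    writer.close()
    writer = open(log, "a")
    writer.write("after reopen\n")
    writer.close()

    with open(rotated) as f:
        result["rotated_content"] = f.read()
    with open(log) as f:
        result["current_content"] = f.read()
    if tmp is not None:
        tmp.cleanup()
    return result


if __name__ == "__main__":
    for key, value in rotation_demo().items():
        print(f"{key}: {value!r}")
```

Until the writer reopens the file by name, anything watching `access.log` for ban triggers sees no new entries, because they are landing in `access.log.1`.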