I don't think rsyslog is what I'm looking for. I configured TVHeadend to log to a file like this:
mkdir -p /var/log/tvheadend
chmod -R 755 /var/log/tvheadend
chown -R hts /var/log/tvheadend
TVHEADEND_ERROR_LOG_LOC=/var/log/tvheadend/error.log
# modify the startup script so that it will log errors
sed -i "s~^TVH_ARGS=\"~TVH_ARGS=\"-l ${TVHEADEND_ERROR_LOG_LOC} ~" /etc/default/tvheadend
systemctl daemon-reload
service tvheadend restart
and it works, however I would like to set the loglevel somehow. As far as I know this is unsupported.
I set up the jail like this:
PORT_TVHEADEND=9981
TVHEADEND_FAILREGEX=".*ERROR.* http: <HOST>: HTTP/1.1 GET /login -- 401"
# Create the TVHeadend-filter for fail2ban
#nano /etc/fail2ban/filter.d/tvheadend.conf
cat > /etc/fail2ban/filter.d/tvheadend.conf <<EOF
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = tvheadend
failregex = ${TVHEADEND_FAILREGEX}
ignoreregex =
EOF
#nano /etc/fail2ban/jail.d/tvheadend.conf
cat > /etc/fail2ban/jail.d/tvheadend.conf <<EOF
[tvheadend]
enabled = true
port = $PORT_TVHEADEND
filter = tvheadend
action = iptables[name=tvheadend, port=$PORT_TVHEADEND, protocol=tcp]
logpath = $TVHEADEND_ERROR_LOG_LOC
maxretry = 5
EOF
service fail2ban restart
fail2ban-client status tvheadend
It seems the failregex is not correct:
failregex = .*ERROR.* http: <HOST>: HTTP/1.1 GET /login -- 401
Anyone here who knows their regexes?