# Eventlog filling with fail2ban jail component logs since latest stable update

Version 1.50 - Mon Apr 01 2019 05:44:01 GMT+0200
Web Server nginx/1.14.2
PHP 7.3.3-1
RRDtool 1.6.0
• The output of `./validate.php`
All ok (console and web)

• Log entries repeating every 5 Minutes on localhost

Timestamp Type Message User
2019-04-02 17:00:13 component Component: (2). Attribute: jails, was modified from: , to: [“sasl”,“ip-blacklist”,“dovecot”,“sshd”,“postfix”] System
2019-04-02 16:55:10 component Component: (2). Attribute: jails, was modified from: , to: [“sshd”,“postfix”,“ip-blacklist”,“dovecot”,“sasl”] System
2019-04-02 16:50:10 component Component: (2). Attribute: jails, was modified from: , to: [“postfix”,“dovecot”,“ip-blacklist”,“sasl”,“sshd”]
• Other than that the data itself seems to be ok:

• This behavior started (see first occurrence below), I assume with the update to 1.50:
Timestamp Type Message User
2019-04-02 00:35:10 component Component: (2). Attribute: jails, was modified from: , to: [“ip-blacklist”,“sshd”,“dovecot”,“sasl”,“postfix”] System
2019-04-02 00:25:09 component Component: (2). Attribute: jails, was modified from: , to: [“ip-blacklist”,“postfix”,“sshd”,“sasl”,“dovecot”] System
2019-04-02 00:20:11 component Component 2 has been modified: label => Fail2ban Jails System
2019-04-02 00:20:11 component Component: (2). Attribute: jails, was added with value: [“postfix”,“ip-blacklist”,“sshd”,“sasl”,“dovecot”]

I hope someone can help me keeping my logs clean again. Everything else works perfectly.

Unfortunately it just added more information, but the lines still occur every 5 minutes. (I squeezed in some manual polls below, in case you’re wondering about the timestamps). Since it always says “modified from:” (empty) “, to:” (something) is it possible it cannot save some information to the data base?

Timestamp Type Message User
2019-04-02 23:42:24 component Component: (2). Attribute: jails, was modified from: , to: {“2”:“dovecot”,“3”:“ip-blacklist”,“1”:“postfix”,“4”:“sasl”,“0”:“sshd”} System
2019-04-02 23:40:10 component Component: (2). Attribute: jails, was modified from: , to: {“0”:“dovecot”,“3”:“ip-blacklist”,“1”:“postfix”,“4”:“sasl”,“2”:“sshd”} System
2019-04-02 23:38:00 component Component: (2). Attribute: jails, was modified from: , to: {“1”:“dovecot”,“2”:“ip-blacklist”,“0”:“postfix”,“3”:“sasl”,“4”:“sshd”} System
2019-04-02 23:30:12 component Component: (2). Attribute: jails, was modified from: , to: [“postfix”,“sasl”,“dovecot”,“sshd”,“ip-blacklist”] System
2019-04-02 23:25:10 component Component: (2). Attribute: jails, was modified from: , to: [“postfix”,“sshd”,“ip-blacklist”,“sasl”,“dovecot”] System

Silly, that sort function preserves the keys… I’ll use a different one.

I tried the following workaround which looks good at the moment (no event logs but data is updated):

``````\$tempArray = array_keys(\$f2b['jails']);
asort(\$tempArray));
\$fsbc[\$id]['jails'] = json_encode(array_values(\$tempArray));
``````

If there are two or more identical elements the sorting is undefined, which wouldn’t be worse than what we have now. So I skipped the return value check.

That’s exactly was I was going to do

this raises my confidence to put in a pull request next time i find something.

The validate tells me now that “this could prevent automatic updates”. Would it actually prevent it? And what could I do not to run into problems on the next stable update?

@efelon you need to remove the code modifications before the next release. (If you forget to it can be fixed but might be more of a mess).

Uh, ok. Since the releases are automatic, and I don’t know the exact time, it will be difficult. They are done in the daily cron script, am I right?! Not calling this at all wouldn’t be the best idea I assume. Do you have any advice?

Last Sunday of every month… You can see the scheduled date on github too.

I still get the error with 1.51. What I need to do is adding only the array_values():

``````/opt/librenms/includes/polling/applications# diff fail2ban.inc.php fail2ban.inc.php.ori
97c97
<     \$f2bc[\$id]['jails'] = json_encode(array_values(\$jails));
---
>     \$f2bc[\$id]['jails'] = json_encode(\$jails);``````

Pull request for this solution: