LinuxQuestions.org


gustavoc 12-03-2010 07:22 AM

Disabling syslog compression
 
Hi,

I'm installing fail2ban to improve the security of a home asterisk server which from time to time becomes the target of some sip account cracker and/or ssh brute force attack.
For those not familiar with fail2ban, this utility monitors log files to find matches with user-specified expressions to identify the presence of a brute force attack. It then configures iptables rules to block the offending IP.
Here's an example:

Code:

NOTICE[1734] chan_sip.c: Registration from '"613"<sip:613@xx.xxxx.xxx.xxx>' failed for 'yyy.yyy.yyyy.yyy' - No matching peer found
[Sep 16 01:13:01]
NOTICE[1734] chan_sip.c: Registration from '"614"<sip:614@xxx.xxx.xxx.xxx>' failed for 'yyy.yyy.yyy.yyy' - No matching peer found
[Sep 16 01:13:01]
NOTICE[1734] chan_sip.c: Registration from '"615"<sip:615@xxx.xxx.xxx.xxx>' failed for 'yyy.yyy.yyy.yyy' - No matching peer found

This works fine, the problem is that syslog uses a form of compression as in the following example:

Code:

Dec  1 13:49:06 myserver sshd[12138]: Failed password for myuser from 192.168.x.y port 46112 ssh2
Dec  1 13:49:07 myserver last message repeated 2 times
Dec  1 13:49:10 myserver sshd[12142]: Failed password for myuser from 192.168.x.y port 46113 ssh2
Dec  1 13:49:11 myserver last message repeated 2 times

In the second case, fail2ban would count 2 errors (lines 1 and 3 match the expression) when there are 6 failures.
I've been searching for some syslogd configuration to turn off this behavior but with no luck.
My system is running Slackware 13.0 with standard 2.6.29-smp kernel.
Thanks in advance.

Gustavo
Patagonia
Argentina
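An added example, not from the original post, showing the undercount described above and one way to handle it on the reading side: a small pre-processor that expands syslog's "last message repeated N times" lines into N copies of the preceding message before a fail2ban-style filter counts matches. The log is constructed from the post's second sample; the host name, PIDs and the 192.168.1.50 address are placeholders.

```python
import re

# Constructed sample of the compressed syslog output from the post
# (host name and address are placeholders, not real systems).
SAMPLE_LOG = """\
Dec  1 13:49:06 myserver sshd[12138]: Failed password for myuser from 192.168.1.50 port 46112 ssh2
Dec  1 13:49:07 myserver last message repeated 2 times
Dec  1 13:49:10 myserver sshd[12142]: Failed password for myuser from 192.168.1.50 port 46113 ssh2
Dec  1 13:49:11 myserver last message repeated 2 times
"""

# Classic syslog layout: "<Mon dd HH:MM:SS> <host> <rest of message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
# The compression marker syslogd writes instead of N identical lines
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
# A fail2ban-style failregex for the sshd failure in the sample
FAILED_RE = re.compile(r"Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def expand_repeats(lines):
    """Yield the log with every 'last message repeated N times' line replaced
    by N copies of the previous message, stamped with the repeat line's time."""
    last_msg = None
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            yield line  # not a syslog line, pass through unchanged
            continue
        rep = REPEAT_RE.match(m.group("msg"))
        if rep and last_msg is not None:
            for _ in range(int(rep.group("n"))):
                yield f"{m.group('ts')} {m.group('host')} {last_msg}"
        else:
            last_msg = m.group("msg")
            yield line


def count_failures(lines, expand=True):
    """Count failed-password events per source IP, the way a ban filter would.
    With expand=False the compressed log undercounts (2 instead of 6)."""
    if expand:
        lines = expand_repeats(lines)
    counts = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return counts
```

Note that the expansion only reconstructs the count; the per-line timestamps of the collapsed events are lost, so a filter with a tight findtime window still sees them bunched at the repeat line's time.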

acid_kewpie 12-03-2010 07:25 AM

no idea what syslog services slackware uses by default, redhat uses rsyslogd though, and that *used to* have an -e option to not do this, but now it never does it. if slack uses an older rsyslog then try that, or change to a different syslog service, like my personal favourite syslog-ng.

