Your failregex is not quite correct from what I can see and doesn't match the ones for 8.x and 9.x provided at [1]. In oC 10.0 only the order of the entries changed [2], [3], so it should be easy to apply those changes to the failregex listed at [1] and just re-order the failregex to match the new syntax / order.
[1]
What: Configure fail2ban to watch the failed logins of your ownCloud instance
Source: Collected from: https://forum.owncloud.org/viewtopic.php?f=31&t=26336
Target: Tested on ownCloud 8.0.3, 8.1.0, 8.2.0 and 9.0.0 on Debian (Jessie)
How:
Create a file /etc/fail2ban/filter.d/owncloud.conf with the following content:
oC 8.2.0 + 9.0.0
```
[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignorereg…
```
[2]
opened 09:25AM - 16 Mar 17 UTC
closed 02:53PM - 04 Apr 17 UTC
enhancement
junior job
status/STALE
This is a current log entry:
```
{"reqId":"Q71WK4Sp6B03QqpOoxit","remoteAddr":… "173.18.243.1","app":"core","message":"Generating preview for \"\/xxxx\/yyyy\/zzzz\/0000.txt\" with \"OC\\Preview\\TXT\"","level":0,"time":"2017-03-13T09:15:10-07:00","method":"GET","url":"\/index.php\/core\/preview.png?file=%2Fxxxx%2Fyyyyy%2Fzzzzz%2F0000.txt&c=589c9d17172bc&x=32&y=32&forceIcon=0","user":"mbs"}
```
The new log entry should look like the following:
```
{"reqId":"Q71WK4Sp6B03QqpOoxit","level":0,"time":"2017-03-13T09:15:10-07:00","remoteAddr":"173.18.243.1","user":"mbs","app":"core","method":"GET","url":"\/index.php\/core\/preview.png?file=%2Fxxxxx%2Fyyyyy%2Fzzzz%2F0000.txt&c=589c9d17172bc&x=32&y=32&forceIcon=0","message":"Generating preview for \"\/xxxxx\/yyyyy\/zzzz\/0000.txt\" with \"OC\\Preview\\TXT\""}
```
As an additional change, the reqId should replace the `/` with any other alphanumeric character (@DeepDiver1975 @PVince81, this extra change should be harmless).
#### Reasons for this change
* The reqId should have a fixed length, so the vision isn't shifted. Right now this isn't always happening due to `/` being escaped. The intention is that this char doesn't appear so we don't need to escape.
* Log level and time should already be fixed length, so we just need to move them to the beginning of the string. The reason is the same as the previous point.
* The next elements are the remoteAddr, user and app. The remoteAddr should be the first of the bunch because it's the more "stable": length should be between 11, 13, and 15 chars, but the length difference should be minimal. The user is usually associated with an IP (obviously not always true), so it's better to keep them side by side. Finally, the app is the last of the bunch because, while we can't assume any length, it shouldn't grow like crazy.
* The method and url should also be side by side, with the method first because we can't assume anything about the url.
* The message should be always the last.
#### Important note
The format of each entry will still be generated using json. This can't be changed because there could be apps relying on this format.
[3]
Starting from ownCloud 10.0.0, the owncloud.log file will reorder the elements of each log entry in order to make the logs easier to read.
The reasons for these changes are explained in https://github.com/owncloud/core/issues/27397
As an example of what the logs look like with the change, you can check the following logs:
{"reqId":"heXNVIiTLeSrcxje601b","level":2,"time":"2017-04-04T07:19:16+00:00","remoteAddr":"10.0.2.4","user":"--","app":"core","method":"POST","url":"\/index.php\/login",…
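
The re-ordering described in this reply, as an added example that is not part of the original post or of ownCloud's or fail2ban's own code. It assumes the login-failure message text is unchanged in oC 10.0 and that entries carry the keys in the order shown in [3]; the log lines are constructed, and the `HOST` group is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only, assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Filter quoted in [1] for oC 8.2.0 / 9.0.0 (old key order).
OLD_FAILREGEX = (
    r'''{"reqId":".*","remoteAddr":".*","app":"core","message":'''
    r'''"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}'''
)

# Same filter re-ordered to the oC 10.0 key order from [2]/[3]:
# reqId, level, time, remoteAddr, user, app, method, url, message.
NEW_FAILREGEX = (
    r'''{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*",'''
    r'''"app":"core","method":".*","url":".*","message":'''
    r'''"Login failed: '.*' \(Remote IP: '<HOST>'\)"}'''
)

# Constructed sample entries (documentation IP range, made-up reqId and user).
OLD_LINE = (
    r'''{"reqId":"AAAAAAAAAAAAAAAAAAAA","remoteAddr":"203.0.113.7","app":"core",'''
    r'''"message":"Login failed: 'alice' (Remote IP: '203.0.113.7')","level":2,'''
    r'''"time":"2017-04-04T07:19:16+00:00","method":"POST",'''
    r'''"url":"\/index.php\/login","user":"--"}'''
)
NEW_LINE = (
    r'''{"reqId":"AAAAAAAAAAAAAAAAAAAA","level":2,"time":"2017-04-04T07:19:16+00:00",'''
    r'''"remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST",'''
    r'''"url":"\/index.php\/login",'''
    r'''"message":"Login failed: 'alice' (Remote IP: '203.0.113.7')"}'''
)


def banned_host(failregex, line):
    """Return the address the filter would report for this line, or None."""
    match = re.search(failregex.replace("<HOST>", HOST), line)
    return match.group("host") if match else None


if __name__ == "__main__":
    for name, rx in (("old", OLD_FAILREGEX), ("new", NEW_FAILREGEX)):
        for label, line in (("8.x/9.x line", OLD_LINE), ("10.0 line", NEW_LINE)):
            print(f"{name} failregex on {label}: {banned_host(rx, line)}")
```

Before deploying, check the real filter file against a real owncloud.log with `fail2ban-regex`, which performs the actual `<HOST>` expansion.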