Hi, I have this rule: jail.conf: [app-user] enabled = true port = 443 filter = user-app logpath = /var/log/user-app.log findtime = 1200 bantime = 480 maxretry = 3 ------------------------------- filter.d: user-app.conf [Definition] failregex = Unknown User .* \(<HOST>:.*\) ignoreregex = ------------------------------- The content is logfile test /var/log/user-app.log: [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) ------------------------------- And when test it, not working: fail2ban-regex /var/log/user-app.log /etc/fail2ban/filter.d/user-app.conf Running tests ============= Use failregex filter file : user-app, basedir: /etc/fail2ban Use log file : user-app.conf Use encoding : UTF-8 Results ======= Failregex: 0 total Ignoreregex: 0 total Date template hits: |- [# of hits] date format | [6] {^LN-BEG}24hour:Minute:Second `- Lines: 6 lines, 0 ignored, 0 matched, 6 missed [processed in 0.02 sec] |- Missed line(s): | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) | [12:48:35.315] Server1: Unknown User 'test' (109.103.148.2) Whats wrong? Maybe the left timestamp? Thanks in advanced.