I have a fail2ban.log from which I want to grab specific fields, from ‘Ban’ strings. I can grab the data I need using regex one at a time, but I am not able to combine them. A typical ‘fail2ban’ log file has many strings. I’m interested in strings like these:
2012-05-02 14:47:40,515 fail2ban.actions: WARNING [ssh-iptables] Ban 84.xx.xx.242
xx = numbers (digits)
I want to grab: a) Date and Time, b) Ban (keyword), c) IP address
Here is my regex:
IP = (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
date & time = ^(\d{4}\W\d{2}\W\d{2}\s\d{2}\W\d{2}\W\d{2})
My problem here is, how can I combine these three together? I tried something like this:
^(?=^\d{4}\W\d{2}\W\d{2}\s\d{2}\W\d{2}\W\d{2})(?=\.*d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$)(?=^(?Ban).)*$).*$
but it does not work as I would want it to.
To give a clearer example, here is what I want:
greyjewel:FailMap atma$ cat fail2ban.log |grep Ban|awk -F " " '{print $1, $2, $7}'|tail -n 3
2012-05-02 14:47:40,515 84.51.18.242
2012-05-03 00:35:44,520 202.164.46.29
2012-05-03 17:55:03,725 203.92.42.6
Best Regards
A pretty direct translation of the example
And because I figure you must want them from within Ruby