Ok, so the purpose is to match log lines like these and have fail2ban action:

    4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:31.618593 [WARNING] switch_core_state_machine.c:646 4f4ec31d-0a0e-4598-95af-3a973cf96244 sofia/default/101@192.168.5.57:5060 Abandoned

However, the first issue I ran into was this line does not actually have a string which can be used as a by fail2ban. But there is a string which can be used a few lines earlier than this line in the log, so I opted to make a multi-line regex to match this block of log messages:

    2016-09-09 07:02:21.578620 [WARNING] sofia_reg.c:1775 SIP auth challenge (INVITE) on sofia profile 'default' for [800970598652903@192.168.5.57] from ip 146.0.32.171
    4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:21.578620 [DEBUG] switch_core_state_machine.c:562 (sofia/default/101@192.168.5.57:5060) State NEW
    2016-09-09 07:02:21.578620 [DEBUG] sofia.c:2214 detaching session 4f4ec31d-0a0e-4598-95af-3a973cf96244
    4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:31.618593 [WARNING] switch_core_state_machine.c:646 4f4ec31d-0a0e-4598-95af-3a973cf96244 sofia/default/101@192.168.5.57:5060 Abandoned

Here is the regex I came up with (based on the existing FreeSWITCH fail2ban filter which was created when I installed mod_fail2ban). It would be awesome to verify/simplify and/or improve this regex:

    failregex = \.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^\']+\' for \[.*\] from ip .*\n.*\n.*\n.*\.\d+ \[WARNING\] switch_core_state_machine\.c\:\d+ .................................... sofia\/default\/\d+@\d+\.\d+\.\d+\.\d+\:\d+ Abandoned
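An added example, not part of the original post: the four-line block above matched with Python's `re` (the regex engine fail2ban itself uses), going one step beyond the posted regex by tying the lines together with a backreference on the session UUID so that an interleaved session cannot be blamed on the wrong IP. The function name `abandoned_hosts`, the IPv4-only named group `host` (standing in for fail2ban's `<HOST>` tag) and the embedded sample are assumptions made for the illustration.

```python
import re

# Constructed sample: the four log lines quoted in the post, one per line.
SAMPLE = "\n".join([
    "2016-09-09 07:02:21.578620 [WARNING] sofia_reg.c:1775 SIP auth challenge "
    "(INVITE) on sofia profile 'default' for [800970598652903@192.168.5.57] "
    "from ip 146.0.32.171",
    "4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:21.578620 [DEBUG] "
    "switch_core_state_machine.c:562 (sofia/default/101@192.168.5.57:5060) "
    "State NEW",
    "2016-09-09 07:02:21.578620 [DEBUG] sofia.c:2214 detaching session "
    "4f4ec31d-0a0e-4598-95af-3a973cf96244",
    "4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:31.618593 [WARNING] "
    "switch_core_state_machine.c:646 4f4ec31d-0a0e-4598-95af-3a973cf96244 "
    "sofia/default/101@192.168.5.57:5060 Abandoned",
]) + "\n"

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"

# Line 1 carries the source IP, line 2 introduces the session UUID, and
# lines 3 and 4 must repeat that same UUID (backreference) to count.
BLOCK = re.compile(
    r"^\S+ \S+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (?:failure|challenge) "
    r"\((?:REGISTER|INVITE)\) on sofia profile '[^']+' for \[[^\]]*\] "
    r"from ip (?P<host>\d{1,3}(?:\.\d{1,3}){3})\n"
    r"(?P<uuid>" + UUID + r") [^\n]* State NEW\n"
    r"[^\n]* detaching session (?P=uuid)\n"
    r"(?P=uuid) \S+ \S+ \[WARNING\] switch_core_state_machine\.c:\d+ "
    r"(?P=uuid) sofia/\S+ Abandoned$",
    re.MULTILINE,
)


def abandoned_hosts(log_text):
    """Return (ip, session_uuid) for every challenge block ending in Abandoned."""
    return [(m.group("host"), m.group("uuid")) for m in BLOCK.finditer(log_text)]


if __name__ == "__main__":
    for ip, uuid in abandoned_hosts(SAMPLE):
        print(ip, uuid)
```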