It seems Fail2ban undercounts entries from syslog files such as /var/log/syslog and /var/log/auth.log, since it doesn't seem to be aware that syslog may log "last message repeated N times" instead of the full message. For example, if an ssh attack occurs several times in quick succession, there may be only one entry "Failed password for someuser from 1.2.3.4 port 4307 ssh2" followed by "last message repeated 10 times". It should be possible to set a regex that matches these kinds of log entries, and forces the log filter to treat them as if they were N of the previous log entry.
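
One way such counting could work, as an added example (not Fail2ban's own code or configuration): a standalone Python pass that credits each "last message repeated N times" line to the IP of the failure line it follows, next to a naive count that ignores those lines. The log lines, regexes and function names are constructed for illustration and assume the classic syslog line format.

```python
import re
from collections import Counter

# Constructed sample lines; the addresses are from documentation ranges.
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[811]: Failed password for someuser from 192.0.2.10 port 4307 ssh2
Jan 10 03:12:03 host last message repeated 10 times
Jan 10 03:12:09 host sshd[811]: Accepted publickey for admin from 198.51.100.7 port 5022 ssh2
Jan 10 03:12:10 host last message repeated 2 times
Jan 10 03:12:15 host sshd[902]: Failed password for root from 198.51.100.7 port 5100 ssh2
"""

# Assumed header layout: "Mon DD HH:MM:SS hostname "
HEADER = r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s"
FAIL_RE = re.compile(
    HEADER + r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+"
    r" from (?P<ip>\S+) port \d+ ssh2$")
REPEAT_RE = re.compile(HEADER + r"last message repeated (?P<n>\d+) times$")


def count_naive(lines):
    """Count only explicit failure lines (the undercount described above)."""
    return Counter(m.group("ip") for m in map(FAIL_RE.match, lines) if m)


def count_with_repeats(lines):
    """Treat a repeat marker as N more copies of the preceding message."""
    counts = Counter()
    last_ip = None  # IP of the previous real message, if it was a failure
    for line in lines:
        rep = REPEAT_RE.match(line)
        if rep:
            if last_ip is not None:
                counts[last_ip] += int(rep.group("n"))
            continue  # a marker does not replace the remembered message
        fail = FAIL_RE.match(line)
        last_ip = fail.group("ip") if fail else None
        if fail:
            counts[last_ip] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("naive:       ", dict(count_naive(lines)))
    print("with repeats:", dict(count_with_repeats(lines)))
```

The marker after the "Accepted publickey" line is deliberately not counted, since the message it repeats is not a failure.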