Score:1

Enabling PHPMYADMIN Logging & Fail2ban Default Filter

cn flag

I am on Debian 10.5 LAMP with ISPConfig, running PHPMYADMIN 4.9.0.1.

I installed phpmyadmin following this tutorial. I can only guess that somehow ISPConfig may be interrupting something.

In any case, I am trying to setup the default phpmyadmin-syslog.conf filter for fail2ban to protect phpmyadmin.

Problem:
pma logging doesn't appear to work as described in the documentation.

I have tried 3 methods to enable logging:

In my /usr/share/phpmyadmin/config.inc.php I have added:

$cfg['AuthLog'] = 'auto';

which should output failed login attempts to syslog or PHP, according to the docs:
https://docs.phpmyadmin.net/en/latest/config.html

I also tried (my current setting):

$cfg['AuthLog'] = 'syslog';

However, neither /var/log/auth.log , nor /var/log/syslog logged failed login attempts.

I also tried:
$cfg['AuthLog'] = '/var/log/phpmyadmin-auth.log';

and gave permissions on the log to the www-data user using (note: unsure if this is correct, pma is the controluser):

# chown www-data:www-data /var/log/phpmyadmin-auth.log
# chmod 755 /var/log/phpmyadmin-auth.log

My /etc/fail2ban/jail.local file contains:

[phpmyadmin-auth]
enabled = true
port = http,https
filter = phpmyadmin-syslog
logpath = /var/log/syslog
maxretry = 3

and the default /etc/fail2ban/filter.d/phpmyadmin-syslog.conf contains:

# Fail2Ban filter for the phpMyAdmin-syslog
#
[INCLUDES]
before = common.conf

[Definition]
_daemon = phpMyAdmin
failregex = ^%(__prefix_line)suser denied: (?:\S+|.*?) \(mysql-denied\) from <HOST>\s*$
ignoreregex =
# Author: Pavel Mihadyuk
# Regex fixes: Serg G. Brester

(no useful tip for enabling the phpmyadmin logging)

Anybody know what I am missing?

jp flag
You probably want `$cfg['AuthLog'] = 'syslog';`
Maestro223
cn flag
I tried it... then I tried a bad login on phpmyadmin... nothing was written to syslog... hence my post here.
Score:0
de flag

I am on Ubuntu 20.04.

I did not modify the phpmyadmin config file in any way (default from installation). In my config.inc.php I have...

$cfg['AuthLog'] = 'auto';

...and all my authentication errors go into /var/log/auth.log. So I am guessing that the manual is wrong in my case.

Whenever I try to log in with a blank password I get:

Feb 13 23:42:42 hostname phpMyAdmin[516146]: user denied: sdasdas (empty-denied) from xxx.xxx.xxx.xxx

Whenever I try to log in with a wrong username/password I get:

Feb 13 23:42:42 hostname phpMyAdmin[516146]: user denied: sdasdas (mysql-denied) from xxx.xxx.xxx.xxx

My filter is of course the same as yours. You can see now why the filter is correct and will identify only the second case above. It will not care about empty passwords.

^%(__prefix_line)suser denied: (?:\S+|.*?) \(mysql-denied\) from <HOST>\s*$

Also your jail.local entry seems correct. Mine is:

[phpmyadmin-syslog]
enabled  = true
filter   = phpmyadmin-syslog
maxretry = 1
findtime = 30d
bantime = 600
bantime.rndtime = 100
bantime.increment = true
bantime.factor = 24
bantime.maxtime = 6w

You will notice that I did not even mention a log file in the jail. Fail2ban obviously knows where to look (I had logpath = /var/log/auth.log but I removed it and still works). As soon as I enter a wrong pair of credentials, I can see it detected by fail2ban with this command:

sudo tail -f /var/log/fail2ban.log

Bear in mind that if you change fail2ban configuration, you do not have to restart fail2ban. You can just reload the config with this:

sudo service fail2ban reload
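To see concretely why the filter matches the second log line but not the first, and how maxretry turns matches into a ban, here is an added example that is not part of either post and not fail2ban's own code. It re-implements the failregex from phpmyadmin-syslog.conf in plain Python over constructed sample lines modelled on the two quoted above. The `%(__prefix_line)s` expansion is a simplified stand-in for what fail2ban builds from common.conf, and `<HOST>` is narrowed to IPv4 (fail2ban's `<HOST>` also accepts IPv6 and hostnames); both are assumptions of this example, as is the omission of the findtime window.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real traffic), modelled on the two lines
# quoted in the answer above; the sshd line shows non-phpMyAdmin noise.
SAMPLE_LOG = """\
Feb 13 23:42:42 hostname phpMyAdmin[516146]: user denied: sdasdas (empty-denied) from 203.0.113.10
Feb 13 23:42:42 hostname phpMyAdmin[516146]: user denied: sdasdas (mysql-denied) from 203.0.113.10
Feb 13 23:42:43 hostname phpMyAdmin[516146]: user denied: root (mysql-denied) from 203.0.113.11
Feb 13 23:42:44 hostname sshd[1234]: Failed password for root from 203.0.113.12 port 22 ssh2
Feb 13 23:42:45 hostname phpMyAdmin[516146]: user denied: admin (mysql-denied) from 203.0.113.10
"""

# _daemon from the filter; fail2ban substitutes it into __prefix_line.
DAEMON = "phpMyAdmin"

# Simplified stand-in for fail2ban's %(__prefix_line)s (assumption: the real
# definition in common.conf is broader). Here: syslog timestamp, hostname,
# "<daemon>[pid]:" and trailing whitespace.
PREFIX_LINE = (
    r"\S+\s+\d+\s+\d+:\d+:\d+\s+\S+\s+"
    + re.escape(DAEMON)
    + r"(?:\[\d+\])?:\s+"
)

# failregex from filter.d/phpmyadmin-syslog.conf, with <HOST> expanded to an
# IPv4 capture group (assumption; fail2ban's <HOST> is wider).
FAILREGEX = re.compile(
    "^" + PREFIX_LINE
    + r"user denied: (?:\S+|.*?) \(mysql-denied\) from (?P<host>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def match_failures(log_text):
    """Return the source host of every line the failregex matches, in log order."""
    hosts = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def banned_hosts(log_text, maxretry):
    """Hosts that would be banned if all matches fell inside one findtime window.

    fail2ban counts failures per host within findtime and bans once the count
    reaches maxretry; the time window itself is ignored here for simplicity.
    """
    counts = Counter(match_failures(log_text))
    return {host for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for host in match_failures(SAMPLE_LOG):
        print("match:", host)
    print("maxretry=1 bans:", sorted(banned_hosts(SAMPLE_LOG, 1)))
    print("maxretry=3 bans:", sorted(banned_hosts(SAMPLE_LOG, 3)))
```

Only the three mysql-denied lines match; the empty-denied line and the sshd line do not. With the answer's maxretry = 1 both hosts are banned after a single failure, with the question's maxretry = 3 nobody is banned yet on this sample. Against a real log, the equivalent check is fail2ban's own `fail2ban-regex <logfile> /etc/fail2ban/filter.d/phpmyadmin-syslog.conf`, which also reveals whether the lines are landing in /var/log/auth.log rather than /var/log/syslog, as the answer reports for Ubuntu.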
