Debian 12.1 (systemd journal is default)
fail2ban version 1.0.2

Trying to make fail2ban filter + jail work.
Shadowsocks authentication errors in logs match filter regex correctly. fail2ban is up, nothing unusual in logs. But "fail2ban-client status shadowsocks-libev" fails to reflect failures to authenticate (sshd jail does work correctly, though)

• Changes in jail.conf:

[DEFAULT]
backend = systemd

• Shadowsocks filter:

[INCLUDES]
before = common.conf

[Definition]
_daemon = ss-server
failregex = ^\w+\s+\d+ \d+:\d+:\d+\s+%(__prefix_line)sERROR:\s+failed to handshake with : authentication error$
ignoreregex =
datepattern = %%Y-%%m-%%d %%H:%%M:%%S
journalmatch = _SYSTEMD_UNIT=shadowsocks-libev.service

• Shadowsocks jail:

[shadowsocks-libev]
enabled = true
filter = shadowsocks-libev
port = 8839

maxretry = 3
findtime = 3600
bantime = 3600

What am I doing wrong?
Thanks!