Overview
Import Fail2Ban Logs on Logstash
NOTE! We assume that you have already set up and configured the ELK Stack.
- To import Fail2Ban logs into Logstash, we have to create two files: a grok patterns file for the Fail2Ban log format and a Logstash configuration file that uses it.
# Create the Fail2Ban patterns file with the following content
$ mkdir /etc/logstash/patterns
$ cat /etc/logstash/patterns/fail2ban
F2B_DATE %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[ ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})
F2B_ACTION (\w+)\.(?:\w+)(\s+)?\:
F2B_JAIL \[(?<jail>\w+\-?\w+?)\]
F2B_LEVEL (?<level>\w+)\s+
# Create the Logstash configuration file
$ vim /etc/logstash/conf.d/fail2ban.conf
input {
  file {
    type => "fail2ban"
    start_position => "beginning"
    path => [ "/var/log/fail2ban.log" ]
  }
}
filter {
  if [type] == "fail2ban" {
    grok {
      patterns_dir => "/etc/logstash/patterns"
      # The first pattern is for Ban/Unban lines, which carry a jail and an IP;
      # everything else falls through to the second, generic pattern.
      match => [
        "message", "%{F2B_DATE:date} %{F2B_ACTION} %{WORD:level} %{F2B_JAIL} %{WORD:action} %{IP:ip}",
        "message", "%{F2B_DATE:date} %{F2B_ACTION} %{F2B_LEVEL} %{GREEDYDATA:msg}?"
      ]
    }
    # Only events matched by the first pattern have an "ip" field to geolocate.
    geoip {
      source => "ip"
    }
  }
}
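To see exactly which fields the two grok expressions above extract, and which lines they silently drop, the following added example (not part of the original page) re-implements the pattern expansion in plain Python. It assumes a transcribed subset of Logstash's core grok patterns (with IP simplified to IPv4) and runs the page's F2B patterns over constructed Fail2Ban 0.8-style log lines, so it needs no Logstash install. A line that matches neither expression is where Logstash would tag the event with _grokparsefailure.

```python
import re

# Subset of Logstash's core grok pattern library, transcribed here so the
# example runs without Logstash (assumption: these match the upstream
# definitions; IP is simplified to IPv4 only).
BASE_PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "WORD": r"\b\w+\b",
    "IP": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
          r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
    "GREEDYDATA": r".*",
}

# The custom patterns from /etc/logstash/patterns/fail2ban, with grok's
# (?<name>...) capture syntax written as Python's (?P<name>...).
F2B_PATTERNS = {
    "F2B_DATE": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[ ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})",
    "F2B_ACTION": r"(\w+)\.(?:\w+)(\s+)?\:",
    "F2B_JAIL": r"\[(?P<jail>\w+\-?\w+?)\]",
    "F2B_LEVEL": r"(?P<level>\w+)\s+",
}

PATTERNS = {**BASE_PATTERNS, **F2B_PATTERNS}

# The two match expressions from fail2ban.conf; grok tries them in order
# and keeps the first one that matches.
MATCHES = [
    r"%{F2B_DATE:date} %{F2B_ACTION} %{WORD:level} %{F2B_JAIL} %{WORD:action} %{IP:ip}",
    r"%{F2B_DATE:date} %{F2B_ACTION} %{F2B_LEVEL} %{GREEDYDATA:msg}?",
]

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(grok):
    """Expand %{NAME} and %{NAME:field} references into a plain regex.

    Nested references (F2B_DATE uses YEAR, MONTHNUM, ...) are resolved by
    repeating the substitution until none remain.
    """
    def sub(ref):
        name, field = ref.group(1), ref.group(2)
        body = PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    while _REF.search(grok):
        grok = _REF.sub(sub, grok)
    return grok


COMPILED = [re.compile(expand(p)) for p in MATCHES]


def parse_line(line):
    """Return the fields grok would extract from one fail2ban.log line.

    Returns None when neither expression matches, which is where Logstash
    would tag the event with _grokparsefailure.
    """
    for regex in COMPILED:
        m = regex.match(line)
        if m:
            return {k: v for k, v in m.groupdict().items() if v is not None}
    return None


# Constructed sample lines in the Fail2Ban 0.8 format the patterns target:
# the logger name is padded to 16 characters and the level to 6, which is
# why "fail2ban.filter " carries a space before the colon and why the
# F2B_LEVEL branch sees several spaces after "INFO".
SAMPLE_LOG = [
    "2015-02-12 10:19:05,437 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7",
    "2015-02-12 10:19:05,437 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log",
    # Newer Fail2Ban releases put the process id in brackets after the
    # logger name; the page's F2B_ACTION pattern does not allow for it, so
    # this line does not parse.
    "2016-05-18 12:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.7",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
```

Note the second expression: F2B_LEVEL ends in `\s+` and the match string adds one more literal space, so a level followed by a single space never matches it. That is fine for the padded 0.8 format shown above, but it is the first thing to check if the generic branch starts producing grok failures on your installation.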
Fix Fail2Ban Log Permissions
- Let's make the Fail2Ban log readable by Logstash. The chmod fixes the current file right away; the logrotate change makes sure every newly rotated log is created with the same mode, which only takes effect at the next rotation.
# Temporary fix
$ chmod 644 /var/log/fail2ban.log
# Permanent fix
$ cat /etc/logrotate.d/Fail2Ban
/var/log/fail2ban.log {
  weekly
  rotate 4
  compress
  delaycompress
  missingok
  postrotate
    fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
  endscript
  # If fail2ban runs as non-root it still needs to have write access
  # to logfiles.
  # create 644 fail2ban adm
  create 644 root adm
}
Restart Logstash Service
$ sudo service logstash restart
Configure Kibana
- Open http://192.168.0.1:5601/
- Click on Settings > Objects > Import
- Import the dashboard and visualizations
Let’s Monitor Fail2Ban Logs on Kibana
- Open http://192.168.0.1:5601/#/dashboard/Fail2Ban?_g=()