A photo of Mitesh Shah

Mitesh Shah

Linux Enthusiast
System Administrator

Email Skype Github Twitter Google+ Resume Hire Me Keybase LinkedIn Stackoverflow


Overview

Import Fail2Ban Logs on Logstash

NOTE! We assume that you already setup/configure ELK Stack.

  • To Import Fail2Ban Logs on Logstash, We have to create configuration file.
# Create Fail2Ban Patterns
$ mkdir /etc/logstash/patterns
$ cat /etc/logstash/patterns/fail2ban
F2B_DATE %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[ ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})
F2B_ACTION (\w+)\.(?:\w+)(\s+)?\:
F2B_JAIL \[(?<jail>\w+\-?\w+?)\]
F2B_LEVEL (?<level>\w+)\s+
# Create Logstash configuration file
$ vim /etc/logstash/conf.d/fail2ban.conf
input {
  file {
    type => "fail2ban"
    start_position => "beginning"
    path => [ "/var/log/fail2ban.log" ]
  }
}

filter {
  if [type] == "fail2ban" {
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match => [
        "message", "%{F2B_DATE:date} %{F2B_ACTION} %{WORD:level} %{F2B_JAIL} %{WORD:action} %{IP:ip}",
        "message", "%{F2B_DATE:date} %{F2B_ACTION} %{F2B_LEVEL} %{GREEDYDATA:msg}?"
      ]
    }

    geoip {
      source => "ip"
    }
  }
}

Fix Fail2Ban Logs Permission

  • Let’s make Fail2Ban logs are readable by Logstash
# Temp Fix
$ chmod 644 /var/log/fail2ban.log

# Permeant Fix
$ cat /etc/logrotate.d/Fail2Ban
/var/log/fail2ban.log {

    weekly
    rotate 4
    compress

    delaycompress
    missingok
    postrotate
	   fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
    endscript

    # If fail2ban runs as non-root it still needs to have write access
    # to logfiles.
    # create 644 fail2ban adm
    create 644 root adm
}

Restart Logstash Service

$ sudo service logstash restart

Configure Kibana

  • Open http://192.168.0.1:5601/
  • Click on Settings > Objects > Import

  • Import Dashboard/Visualizations

Let’s Monitor Fail2Ban Logs on Kibana

  • Open http://192.168.0.1:5601/#/dashboard/Fail2Ban?_g=()

How to Monitor Fail2Ban Logs on ELK Stack





Post Navigation