
Mitesh Shah

Linux Enthusiast
System Administrator



Overview

Import Fail2Ban Logs on Logstash

NOTE! We assume that you have already set up and configured the ELK stack (Elasticsearch, Logstash, Kibana).

  • To import Fail2Ban logs into Logstash, we have to create two files: a grok pattern file that describes the Fail2Ban log line format, and a Logstash pipeline configuration that reads /var/log/fail2ban.log and applies those patterns.
# Create Fail2Ban Patterns
$ mkdir /etc/logstash/patterns
$ cat /etc/logstash/patterns/fail2ban
# Timestamp as written by Fail2Ban, e.g. "2016-03-06 10:20:36,112" (%{SECOND} also covers the ",112" part)
F2B_DATE %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[ ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})
# Logger name and the colon after it, e.g. "fail2ban.actions:" or, in newer releases, "fail2ban.actions [1234]:"
F2B_ACTION (\w+)\.(?:\w+)(?:\s*\[\d+\])?\s*\:
# Jail name in square brackets; hyphens are allowed, e.g. "[ssh]" or "[nginx-http-auth]"
F2B_JAIL \[(?<jail>[\w-]+)\]
# Log level, e.g. INFO, NOTICE, WARNING (the padding after it is handled in the match itself)
F2B_LEVEL (?<level>\w+)
# Create Logstash configuration file
$ vim /etc/logstash/conf.d/fail2ban.conf
input {
  file {
    type => "fail2ban"
    start_position => "beginning"
    path => [ "/var/log/fail2ban.log" ]
  }
}

filter {
  if [type] == "fail2ban" {
    grok {
      patterns_dir => "/etc/logstash/patterns"
      # Patterns are tried in order: first the Ban/Unban/Found lines that carry a
      # jail and an IP, then a generic fallback for every other message.
      # %{SPACE} (\s*) sits after the level because Fail2Ban pads the level to a
      # fixed width, so the number of spaces before the jail or message varies;
      # a literal single space there would make the pattern fail on e.g. "INFO    [sshd]".
      match => [
        "message", "%{F2B_DATE:date} %{F2B_ACTION} %{F2B_LEVEL}%{SPACE}%{F2B_JAIL} %{WORD:action} %{IP:ip}",
        "message", "%{F2B_DATE:date} %{F2B_ACTION} %{F2B_LEVEL}%{SPACE}%{GREEDYDATA:msg}"
      ]
    }

    # Only lines with an IP get enriched; this avoids a _geoip_lookup_failure tag
    # on every generic message. Private addresses still get no location data.
    if [ip] {
      geoip {
        source => "ip"
      }
    }
  }
}
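Before pointing Logstash at the live file, it helps to see exactly which fields these patterns extract from real-looking lines and which lines fall through to the generic fallback. The following is an added example, not code from the original post: it re-implements the same two-step grok matching in plain Python regexes, runs it over a handful of constructed Fail2Ban log lines (old "fail2ban.actions:" format and the newer "fail2ban.actions [1234]:" format with the process id, which is assumed here and made optional), validates the captured address with the ipaddress module so IPv6 bans are handled, and converts the date string into a proper timestamp, something the Logstash config above leaves as a plain string. The bans-per-jail count at the end is the kind of number a Kibana dashboard panel would show.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Plain-regex equivalents of the grok patterns in /etc/logstash/patterns/fail2ban.
# Assumption: newer Fail2Ban releases write the process id in brackets after the
# logger name ("fail2ban.actions [1234]:"), so that part is optional here.
F2B_DATE = r"(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:[,.]\d+)?)"
F2B_ACTION = r"(?P<logger>\w+\.\w+)(?:\s*\[\d+\])?\s*:"
F2B_LEVEL = r"(?P<level>\w+)"
F2B_JAIL = r"\[(?P<jail>[\w-]+)\]"
# IPv4 first, then a loose IPv6 shape; ipaddress validates whatever was captured.
IP = r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]+)"

# Same match order as the Logstash grok filter: jail/action/IP lines first,
# generic "level + message" lines as the fallback. Like grok, the patterns are
# anchored at the start of the line only, so trailing text (as on "Found" lines) is fine.
BAN_RE = re.compile(
    rf"^{F2B_DATE}\s+{F2B_ACTION}\s+{F2B_LEVEL}\s+{F2B_JAIL}\s+(?P<action>\w+)\s+{IP}"
)
GENERIC_RE = re.compile(rf"^{F2B_DATE}\s+{F2B_ACTION}\s+{F2B_LEVEL}\s+(?P<msg>.*)$")

# Constructed sample lines: old (0.8) and newer (0.9+) formats, an IPv6 ban,
# and one line that matches nothing.
SAMPLE_LOG = [
    "2016-03-06 10:20:36,112 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10",
    "2016-03-06 10:30:36,220 fail2ban.actions: WARNING [ssh] Unban 192.0.2.10",
    "2016-03-06 10:19:59,001 fail2ban.jail: INFO Jail 'ssh' started",
    "2020-05-01 08:00:01,500 fail2ban.filter         [1234]: INFO    [sshd] Found 198.51.100.7 - 2020-05-01 08:00:01",
    "2020-05-01 08:00:02,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 2001:db8::1",
    "garbage that is not a fail2ban line",
]


def parse_timestamp(text):
    """Turn Fail2Ban's '2016-03-06 10:20:36,112' into a datetime (fraction optional)."""
    text = text.replace(",", ".")
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in text else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(text, fmt)


def parse_line(line):
    """Return the event a grok filter with these patterns would produce for one line."""
    event = {"type": "fail2ban", "message": line.rstrip("\n")}
    for name, regex in (("ban", BAN_RE), ("generic", GENERIC_RE)):
        match = regex.match(event["message"])
        if match:
            event.update(match.groupdict())
            event["matched"] = name
            break
    else:
        # grok keeps unmatched events and tags them instead of dropping them
        event["tags"] = ["_grokparsefailure"]
        return event
    # The Logstash config above leaves "date" as a string; here it also becomes a timestamp.
    event["@timestamp"] = parse_timestamp(event["date"]).isoformat()
    if "ip" in event:
        try:
            event["ip_version"] = ipaddress.ip_address(event["ip"]).version
        except ValueError:
            event["tags"] = ["_invalid_ip"]
    return event


def ban_counts_by_jail(events):
    """Count 'Ban' actions per jail (Unban and Found lines are not bans)."""
    return dict(Counter(ev["jail"] for ev in events if ev.get("action") == "Ban"))


if __name__ == "__main__":
    events = [parse_line(line) for line in SAMPLE_LOG]
    for ev in events:
        print(ev)
    print("bans per jail:", ban_counts_by_jail(events))
```

If a line you expect to be parsed comes back tagged `_grokparsefailure`, compare it against the two regexes here before touching the Logstash config; the padded level and the bracketed process id are the two format details that most often break hand-written Fail2Ban patterns.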

Fix Fail2Ban Logs Permission

  • Let's make the Fail2Ban log readable by Logstash. Logstash does not run as root, and the Fail2Ban logrotate stanza recreates the log after every rotation with the owner and mode it specifies, so a chmod on its own only lasts until the next rotation; the permanent fix is to set the mode in the logrotate configuration. Note that mode 644 makes the log readable by every local user; if that is a concern, use 640 and add the logstash user to the adm group instead.
# Temp Fix
$ chmod 644 /var/log/fail2ban.log

# Permanent Fix
$ cat /etc/logrotate.d/Fail2Ban
/var/log/fail2ban.log {
    weekly
    rotate 4
    compress
    delaycompress
    missingok
    postrotate
        fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
    endscript

    # If fail2ban runs as non-root it still needs to have write access
    # to logfiles.
    # create 644 fail2ban adm
    create 644 root adm
}

Restart Logstash Service

$ sudo service logstash restart

Configure Kibana

  • Open http://192.168.0.1:5601/
  • Click on Settings > Objects > Import

  • Import Dashboard/Visualizations

Let’s Monitor Fail2Ban Logs on Kibana

  • Open http://192.168.0.1:5601/#/dashboard/Fail2Ban?_g=()

How to Monitor Fail2Ban Logs on ELK Stack