Filebeat for Fail2Ban via Logstash?

Dan_Kennedy · September 25, 2019, 11:07pm

Hi All, need a bit of advice.

I'm using Elasticsearch to collect and categorise logs from network devices. These are being sent to Logstash before being forwarded to Elasticsearch.

I want to forward some Linux server Fail2Ban logs via Filebeat but have a few questions;

Is is best to forward these to Logstash or direct to Elasticsearch?
In either case, how would I ensure logs are matched? I found the following for logstash, but the file is for local input, so i'm unsure what this what need to look like for filebeat input?

gist.github.com

https://gist.github.com/alexalouit/40d4b5b8f5c62bda6dad

fail2ban.conf

input {
  file {
    path => "/var/log/fail2ban.log"
    type => "fail2ban"
  }
}

filter {
  if [type] == "fail2ban" {
    grok {

This file has been truncated. show original

fail2ban.grok

FAIL2BAN_BAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} \[%{WORD:service}\] Ban %{IPV4:clientip}
FAIL2BAN_UNBAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} \[%{WORD:service}\] Unban %{IPV4:clientip}
FAIL2BAN_ALREADYBAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} \[%{WORD:service}\] %{IPV4:clientip} already banned

Any help would be much appreciated

Thanks

system · October 23, 2019, 11:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.