Filebeat for Fail2Ban via Logstash?

Dan_Kennedy · September 25, 2019, 11:07pm

Hi All, need a bit of advice.

I'm using Elasticsearch to collect and categorise logs from network devices. These are being sent to Logstash before being forwarded to Elasticsearch.

I want to forward some Linux server Fail2Ban logs via Filebeat but have a few questions;

Is is best to forward these to Logstash or direct to Elasticsearch?
In either case, how would I ensure logs are matched? I found the following for logstash, but the file is for local input, so i'm unsure what this what need to look like for filebeat input?

gist.github.com

https://gist.github.com/alexalouit/40d4b5b8f5c62bda6dad

fail2ban.conf

input {
  file {
    path => "/var/log/fail2ban.log"
    type => "fail2ban"
  }
}

filter {
  if [type] == "fail2ban" {
    grok {

This file has been truncated. show original

fail2ban.grok

FAIL2BAN_BAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} \[%{WORD:service}\] Ban %{IPV4:clientip}
FAIL2BAN_UNBAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} \[%{WORD:service}\] Unban %{IPV4:clientip}
FAIL2BAN_ALREADYBAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} \[%{WORD:service}\] %{IPV4:clientip} already banned

Any help would be much appreciated

Thanks

system · October 23, 2019, 11:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Fail2ban module for Filebeat Beats beats-module , filebeat	2	1055	May 25, 2020
Logstash active exited using filebeat input Logstash	2	1872	July 6, 2017
Filebeat no connection could be made because the target machine actively refused it Logstash	10	1177	June 4, 2021
Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch Beats filebeat	3	442	March 31, 2024
Filebeat logs are not being send to logstash Beats filebeat	5	514	April 23, 2024

Filebeat for Fail2Ban via Logstash?

Related topics