I followed 2 different guides and I still haven't figured out where the issue is. I want to parse fail2ban logs and I tried the following two configurations unsuccessfully!
Pattern files that I tried:
root@leeds:/etc/logstash/patterns# cat /etc/logstash/patterns/fail2ban
F2B_DATE %{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{HOUR}:?%{MINUTE}(?::?%{SECOND})
F2B_ACTION (\w+).(?:\w+)(\s+)?:
# named captures; the group names below are assumed, and the jail brackets are escaped so they match literally
F2B_JAIL \[(?<jail>\w+-?\w+?)\]
F2B_LEVEL (?<level>\w+)\s+
and
root@leeds:/etc/logstash/patterns# cat /tmp/fail2ban2
FAIL2BAN_BAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} [%{WORD:service}] Ban %{IPV4:clientip}
FAIL2BAN_UNBAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} [%{WORD:service}] Unban %{IPV4:clientip}
FAIL2BAN_ALREADYBAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} [%{WORD:service}] %{IPV4:clientip} already banned
Logstash confs:
input {
  file {
    type => "fail2ban"
    path => "/tmp/fail2ban.log"
    start_position => "beginning"
    document_type => fail2ban
  }
}
filter {
  if [type] == "fail2ban" {
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match => [
        "message", "%{F2B_DATE:date} %{F2B_ACTION} %{WORD:level} %{F2B_JAIL} %{WORD:action} %{IP:ip}",
        "message", "%{F2B_DATE:date} %{F2B_ACTION} %{F2B_LEVEL} %{GREEDYDATA:msg}?"
      ]
    }
  }
}
Output is fine, so I am not listing it here.
For the second pattern test, the relevant part is here:
if [type] == "fail2ban" {
  grok {
    patterns_dir => ["/etc/logstash/patterns"]
    match => [ "message", "%{FAIL2BAN_BAN}" ]
  }
}
The permissions of /etc/logstash/patterns are set with chown to the logstash user, and the above filters lead to a grokparsefailure.
The log looks like this:
2016-01-26 05:12:20,778 fail2ban.server [1148]: INFO rollover performed on /var/log/fail2ban.log
2016-01-26 05:12:20,828 fail2ban.actions [1148]: NOTICE [bruteforce3] Ban 255.255.255.255
2016-01-26 05:12:21,048 fail2ban.actions [1148]: NOTICE [bruteforce3] Ban 255.255.255.255
2016-01-26 05:12:21,064 fail2ban.filter [1148]: INFO Log rotation detected for /var/log/fail2ban.log
2016-01-26 05:12:21,064 fail2ban.filter [1148]: INFO Log rotation detected for /var/log/fail2ban.log
2016-01-26 05:12:21,065 fail2ban.filter [1148]: INFO Log rotation detected for /var/log/fail2ban.log
2016-01-26 05:12:21,266 fail2ban.actions [1148]: NOTICE [bruteforce3] Ban 255.255.255.255
Any help?
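The grokparsefailure from the second pattern set can be reproduced outside Logstash. The following is an added example, not code from the question or from Logstash: it expands grok-style `%{NAME:field}` references into a Ruby regex (the sub-patterns are simplified stand-ins for the stock grok library, and the corrected pattern is my own), then runs both the posted FAIL2BAN_BAN pattern and the corrected one over lines shaped like the log excerpt above.

```ruby
# Added example (not Logstash code): a tiny grok expander used to show why the
# FAIL2BAN_BAN pattern from the question never matches the sample log, and what
# a corrected pattern looks like. The sub-patterns below are simplified
# re-implementations of the stock grok library, not copies of it.
GROK = {
  'YEAR' => '\d{4}', 'MONTHNUM' => '0?[1-9]|1[0-2]', 'MONTHDAY' => '[0-3]?\d',
  'HOUR' => '[0-2]?\d', 'MINUTE' => '[0-5]\d', 'SECOND' => '[0-5]\d(?:[:.,]\d+)?',
  'TIMESTAMP_ISO8601' => '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:%{MINUTE}(?::%{SECOND})?',
  'JAVACLASS' => '(?:[a-zA-Z$_][a-zA-Z$_0-9]*\.)*[a-zA-Z$_][a-zA-Z$_0-9]*',
  'LOGLEVEL' => 'DEBUG|INFO|NOTICE|WARNING|ERROR|CRITICAL',
  'WORD' => '\b\w+\b', 'INT' => '[+-]?\d+', 'IPV4' => '(?:\d{1,3}\.){3}\d{1,3}',
}.freeze

# Recursively expand %{NAME} and %{NAME:field} into a plain regex source string;
# a field reference becomes a (?<field>...) named group, as grok does.
def expand(pattern, lib = GROK)
  pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    body = expand(lib.fetch(name), lib)
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Match one log line against a grok pattern; returns the captured fields or nil.
def grok_match(pattern, line, lib = GROK)
  m = Regexp.new('^' + expand(pattern, lib)).match(line)
  m && m.named_captures
end

# Constructed sample lines, shaped like the question's fail2ban.log excerpt.
LINES = [
  '2016-01-26 05:12:20,828 fail2ban.actions [1148]: NOTICE [bruteforce3] Ban 255.255.255.255',
  '2016-01-26 05:12:21,064 fail2ban.filter [1148]: INFO Log rotation detected for /var/log/fail2ban.log',
].freeze

# As posted: nothing consumes " [1148]" between the logger name and the colon,
# and the unescaped [ ] around the jail name form a character class, not literals.
POSTED = '%{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} [%{WORD:service}] Ban %{IPV4:clientip}'
# Corrected: capture the bracketed pid and escape the brackets around the jail.
FIXED = '%{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria} \[%{INT:pid}\]: %{LOGLEVEL:level} \[%{WORD:service}\] Ban %{IPV4:clientip}'

# Parse every line that is a ban event; non-matching lines are dropped.
def parse_bans(lines, pattern = FIXED)
  lines.map { |l| grok_match(pattern, l) }.compact
end

if __FILE__ == $PROGRAM_NAME
  puts "posted pattern: #{parse_bans(LINES, POSTED).size} match(es)"   # 0
  parse_bans(LINES).each { |fields| p fields }
end
```

The same two fixes (a `\[%{INT:pid}\]` term and escaped jail brackets) carry over to the FAIL2BAN_UNBAN and FAIL2BAN_ALREADYBAN lines in the pattern file.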