Skip to content

Instantly share code, notes, and snippets.

@alexalouit
Created August 10, 2015 13:30
Show Gist options
  • Save alexalouit/40d4b5b8f5c62bda6dad to your computer and use it in GitHub Desktop.
Save alexalouit/40d4b5b8f5c62bda6dad to your computer and use it in GitHub Desktop.
fail2ban logstash config & grok pattern
input {
file {
path => "/var/log/fail2ban.log"
type => "fail2ban"
}
}
filter {
if [type] == "fail2ban" {
grok {
patterns_dir => ["/etc/logstash/patterns"]
match => [ "message", "%{FAIL2BAN_BAN}" ]
add_tag => [ "ban" ]
named_captures_only => true
}
grok {
patterns_dir => [ "/etc/logstash/patterns" ]
match => [ "message", "%{FAIL2BAN_UNBAN}" ]
add_tag => [ "unban" ]
named_captures_only => true
}
grok {
patterns_dir => [ "/etc/logstash/patterns" ]
match => [ "message", "%{FAIL2BAN_ALREADYBAN}" ]
add_tag => [ "already_ban" ]
named_captures_only => true
}
mutate {
remove_tag => ["_grokparsefailure"]
}
}
}
FAIL2BAN_BAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} \[%{WORD:service}\] Ban %{IPV4:clientip}
FAIL2BAN_UNBAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} \[%{WORD:service}\] Unban %{IPV4:clientip}
FAIL2BAN_ALREADYBAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} \[%{WORD:service}\] %{IPV4:clientip} already banned
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment