@alexalouit
Created August 10, 2015 13:30
fail2ban logstash config & grok pattern
input {
  file {
    path => "/var/log/fail2ban.log"
    type => "fail2ban"
  }
}

filter {
  if [type] == "fail2ban" {
    # Each grok block matches one kind of fail2ban.actions line and tags the
    # event accordingly. The FAIL2BAN_* patterns live in the patterns file
    # (below) that logstash loads from patterns_dir.
    grok {
      patterns_dir => [ "/etc/logstash/patterns" ]
      match => [ "message", "%{FAIL2BAN_BAN}" ]
      add_tag => [ "ban" ]
      named_captures_only => true
    }
    grok {
      patterns_dir => [ "/etc/logstash/patterns" ]
      match => [ "message", "%{FAIL2BAN_UNBAN}" ]
      add_tag => [ "unban" ]
      named_captures_only => true
    }
    grok {
      patterns_dir => [ "/etc/logstash/patterns" ]
      match => [ "message", "%{FAIL2BAN_ALREADYBAN}" ]
      add_tag => [ "already_ban" ]
      named_captures_only => true
    }
    # A line matches at most one of the three patterns, so the other two grok
    # blocks always add _grokparsefailure; drop it here. Lines matching none of
    # them (e.g. "Found ..." from fail2ban.filter) pass through untagged.
    mutate {
      remove_tag => [ "_grokparsefailure" ]
    }
  }
}
# Grok patterns for fail2ban.log (place in patterns_dir). All three share the
# prefix "<timestamp> <logger>: <level> [<jail>] ", e.g.
#   2015-08-10 13:30:01,123 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
# Note: %{WORD} does not match jail names containing '-' (e.g. sshd-ddos), and
# %{IPV4} only captures IPv4 addresses, so IPv6 bans are not tagged.
FAIL2BAN_BAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} \[%{WORD:service}\] Ban %{IPV4:clientip}
FAIL2BAN_UNBAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} \[%{WORD:service}\] Unban %{IPV4:clientip}
FAIL2BAN_ALREADYBAN %{TIMESTAMP_ISO8601:timestamp} %{JAVACLASS:criteria}: %{LOGLEVEL:level} \[%{WORD:service}\] %{IPV4:clientip} already banned
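To check what these patterns capture without running logstash, here is an added Python example (not part of the gist) that re-implements the three grok patterns as regexes, runs them over constructed fail2ban lines in the same order as the config, and counts bans per jail and IP. The grok building blocks are simplified equivalents of logstash's bundled ones (assumption: LOGLEVEL is reduced to the levels fail2ban emits).

```python
import re
from collections import Counter

# Simplified Python equivalents of the grok building blocks used above
# (assumption: close enough to logstash's grok-patterns for fail2ban lines).
TIMESTAMP_ISO8601 = r"(?P<timestamp>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?)"
JAVACLASS = r"(?P<criteria>(?:[A-Za-z0-9_-]+\.)+[A-Za-z0-9_$]+)"
LOGLEVEL = r"(?P<level>DEBUG|INFO|NOTICE|WARNING|ERROR|CRITICAL)"
WORD = r"(?P<service>\b\w+\b)"
IPV4 = r"(?P<clientip>(?:25[0-5]|2[0-4]\d|[01]?\d\d?)(?:\.(?:25[0-5]|2[0-4]\d|[01]?\d\d?)){3})"

# Shared prefix of all three gist patterns: "<ts> <logger>: <level> [<jail>] "
PREFIX = f"{TIMESTAMP_ISO8601} {JAVACLASS}: {LOGLEVEL} \\[{WORD}\\] "

# One compiled regex per grok pattern, keyed by the tag the config adds.
PATTERNS = {
    "ban": re.compile(PREFIX + f"Ban {IPV4}"),
    "unban": re.compile(PREFIX + f"Unban {IPV4}"),
    "already_ban": re.compile(PREFIX + f"{IPV4} already banned"),
}

def parse_line(line):
    """Return the captured fields plus a 'tag' key, or None when no pattern
    matches (the case the mutate filter lets through untagged).
    re.search, not fullmatch, mirrors grok's unanchored matching."""
    for tag, regex in PATTERNS.items():
        m = regex.search(line)
        if m:
            return {"tag": tag, **m.groupdict()}
    return None

def ban_counts(lines):
    """Count 'ban' events per (jail, IP): a quick way to spot a source that
    keeps getting re-banned after each unban."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event and event["tag"] == "ban":
            counts[(event["service"], event["clientip"])] += 1
    return counts

# Constructed sample lines in the format the gist's patterns expect.
SAMPLE_LOG = [
    "2015-08-10 13:30:01,123 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10",
    "2015-08-10 13:30:02,456 fail2ban.actions: WARNING [ssh] 192.0.2.10 already banned",
    "2015-08-10 13:40:03,789 fail2ban.actions: WARNING [ssh] Unban 192.0.2.10",
    "2015-08-10 13:41:04,000 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10",
    "2015-08-10 13:41:05,000 fail2ban.filter: INFO [ssh] Found 198.51.100.7",
]
```

Because every pattern requires a distinct literal after the jail name ("] Ban ", "] Unban ", or "already banned"), the order of the grok blocks does not affect which tag a line receives.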