syslog-ng parser for fail2ban's logfile (parsing for graylog)
# Tail fail2ban's own log file (polled every 10 seconds). flags(no-parse) hands
# each raw line over unchanged as MESSAGE instead of treating it as a syslog
# record, so the python parser below sees the original fail2ban line.
source s_fail2ban {
file("/var/log/fail2ban.log" follow-freq(10) flags(no-parse));
};
# Wraps the Fail2BanParser class defined in the python {} block further down.
# The "regex" option is passed to its init(); every named group of the pattern
# (timestamp, PROGRAM, type, PID, level, MSG) becomes a message field of that
# name, so PROGRAM, PID and MSG deliberately replace syslog-ng's builtin values
# for these messages. The timestamp group must keep the
# "YYYY-MM-DD HH:MM:SS,mmm" shape the parser expects.
parser fail2ban-parser {
python(
class("Fail2BanParser")
options("regex", '(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<PROGRAM>.+?)\.(?P<type>.+?) +\[(?P<PID>\d+)\]: (?P<level>.+?) +(?P<MSG>.+)')
);
};
# Path: fail2ban log -> python parser -> d_syslog_tcp. Lines the parser rejects
# (parse() returns False, e.g. multi-line tracebacks) do not reach the
# destination. d_syslog_tcp is defined elsewhere, outside this snippet.
log {
source(s_fail2ban);
parser(fail2ban-parser);
destination(d_syslog_tcp);
};
python {
import datetime
import re
import socket

import dateutil.parser
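class Fail2BanParser(object):
    """syslog-ng Python parser that splits a fail2ban log line into message fields.

    Driven by the ``regex`` option from the syslog-ng config: every named group
    of that pattern is written to the message under the same name (PROGRAM,
    PID and MSG therefore overwrite syslog-ng's builtin values on purpose), and
    the ``timestamp`` group is additionally converted to ``R_UNIXTIME``.
    """

    # Layout of the ``timestamp`` group, e.g. "2018-06-11 19:34:05,123".
    # Must stay in sync with the timestamp group of the ``regex`` option.
    TIMESTAMP_FORMAT = '%Y-%m-%d %H:%M:%S,%f'

    def init(self, options):
        """Compile the configured ``regex`` option and cache the local hostname.

        Called once by syslog-ng at startup; returns True to report success.
        A missing ``regex`` option raises KeyError and an invalid pattern
        raises re.error, so a misconfiguration fails loudly instead of
        silently dropping every message later.
        """
        self.regex = re.compile(options["regex"])
        self.host = socket.gethostname()
        return True

    def deinit(self):
        """Nothing to release; always reports success to syslog-ng."""
        return True

    def parse(self, log_message):
        """Enrich ``log_message`` in place from its MESSAGE field.

        Returns True when the line matched and every field was set. Returns
        False when the line does not match or its timestamp is not a valid
        calendar value; the message is then left untouched and syslog-ng drops
        it from this log path.
        """
        # NOTE(review): assumes MESSAGE is a str; if the binding hands back
        # bytes it would need decoding first — confirm against the syslog-ng
        # version in use.
        match = self.regex.match(log_message['MESSAGE'])
        if match is None:
            return False
        fields = match.groupdict()
        # A missing 'timestamp' group is a config error (KeyError propagates);
        # a value the regex shape allows but the calendar does not (month 13,
        # second 61, ...) is a malformed line and is rejected like a non-match.
        try:
            stamp = datetime.datetime.strptime(fields['timestamp'], self.TIMESTAMP_FORMAT)
        except ValueError:
            return False
        # Item assignment per key rather than dict.update(): log_message is a
        # syslog-ng LogMessage, which only demonstrably supports __setitem__.
        for key, value in fields.items():
            log_message[key] = value
        # Naive datetime -> epoch seconds interpreted in the local timezone,
        # the same reading strftime('%s') gave; int() drops the milliseconds.
        # strftime('%s') itself is a glibc extension and is not portable.
        log_message['R_UNIXTIME'] = str(int(stamp.timestamp()))
        log_message['HOST'] = self.host
        return True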
};