Zane C. Bowers-Hadley

NAME

Search::ESsearcher::Templates::sfail2ban - Provicdes support for fail2ban logs sucked down via beats.

VERSION

Version 0.0.1

LOGSTASH

This uses a logstash configuration like below.

    input {
      beats {
        host => "10.10.10.10"
        port => 5044
        type => "beats"
      }
    }
    
    filter {
        if [fields][log] == "fail2ban" {
                grok {
                        match => {
                                "message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:log_src}.%{WORD:src_action} *\[%{INT:fail2ban_digit}\]: %{LOGLEVEL:loglevel} *\[%{NOTSPACE:service}\] %{WORD:ban_status} %{IP:clientip}"
                        }
                }
                geoip {
                        source => "clientip"
                }
                mutate {
                        convert => [ "[geoip][coordinates]", "float" ]
                }
        }
    }
    
    output {
      if [type] == "beats" {
        elasticsearch {
          hosts => [ "127.0.0.1:9200" ]
        }
      }
    }

For filebeats, it is assuming this sort of configuration.

    - type: log
      paths:
        - /var/log/fail2ban.log
      fields:
         log: fail2ban

If you have type set different or are using a diffent field, you can change that via --field and --fieldv.

If you have fields.log set differently, you can set that via --field2 and --field2v.

Options

--host <host>

The machine beasts is running on feeding fail2ban info to logstash/ES.

--jail <jail>

The fail2ban jail name to query.

--country <country>

The 2 letter country code.

--region <state>

The state/province/etc to search for.

--postal <zipcode>

The postal code to search for.

--city <cide>

The city to search for.

--ip <ip>

The IP to search for.

--size <count>

The number of items to return.

--dgt <date>

Date greater than.

--dgte <date>

Date greater than or equal to.

--dlt <date>

Date less than.

--dlte <date>

Date less than or equal to.

--msg <message>

Messages to match.

--field <field>

The term field to use for matching them all.

--fieldv <fieldv>

The value of the term field to matching them all.

--field2 <field2>

The term field to use for what beats is setting.

--field2v <field2v>

The value to look for in the field beats is setting.

AND, OR, or NOT shortcut

    , OR
    + AND
    ! NOT

A list seperated by any of those will be transformed

These may be used with program, facility, pid, or host.

    example: --program postfix,spamd
    
    results: postfix OR spamd

date

date

/^-/ appends "now" to it. So "-5m" becomes "now-5m".

/^u\:/ takes what is after ":" and uses Time::ParseDate to convert it to a unix time value.

Any thing not matching maching any of the above will just be passed on.