One of the first things I wanted to do with my ELK stack (Elasticsearch, Logstash and Kibana) was import Fail2Ban logs. Here is how I made it happen on a Debian based system.
Setting up Logstash-forwarder
Unfortunately, the fail2ban logs are written in the local machine's time and don't include the timezone:
2015-02-08 09:28:52,438 fail2ban.actions: WARNING [ssh] Ban XX.XX.XX.XX
To get around this, when configuring logstash-forwarder (/etc/logstash-forwarder), make sure to include the correct timezone.
service logstash-forwarder reload
Setting up Logstash
Create a new configuration file for fail2ban in /etc/logstash/conf.d
If your ELK server(s) are not located in the same timezone as the other servers, make sure to add whichever timezones you need. Aside: let me know if this is possible using variables.
We are using some custom patterns, so next create the directory /etc/logstash/patterns and add the following.
service logstash force-reload
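To check the timestamp handling before wiring it into the pipeline, here is an added example (my own code, not the post's configuration or anything shipped with Logstash) that does in plain Python what the grok pattern and date filter do: it matches the fail2ban.actions line format shown above, attaches an assumed host timezone, normalises to UTC and skips lines that are not ban/unban events. The sample lines, the documentation-range IPs and the fixed +01:00 offset are constructed for the example; on a real host you would take the offset from the machine's zoneinfo.

```python
"""Parse Fail2Ban log lines, attach the host timezone, normalise to UTC.

Added example, not the blog's own configuration: a plain-Python stand-in
for the grok/date work Logstash does, so the timestamp problem from the
post can be checked before touching the pipeline.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone, tzinfo

# Matches the fail2ban.actions line format shown in the post:
# 2015-02-08 09:28:52,438 fail2ban.actions: WARNING [ssh] Ban XX.XX.XX.XX
FAIL2BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) "
    r"(?P<logger>[\w.]+): (?P<level>[A-Z]+)\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$"
)

# Constructed sample lines (documentation IP ranges, not real hosts).
# The last line is a non-action entry that the parser must skip.
SAMPLE_LINES = [
    "2015-02-08 09:28:52,438 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10",
    "2015-02-08 09:30:01,002 fail2ban.actions: WARNING [apache-auth] Ban 198.51.100.7",
    "2015-02-08 09:41:12,900 fail2ban.actions: WARNING [ssh] Unban 192.0.2.10",
    "2015-02-08 09:42:00,000 fail2ban.filter: INFO Log rotation detected for /var/log/auth.log",
]

# Assumed local offset of the fail2ban host (constructed for the example);
# in production derive it from zoneinfo.ZoneInfo("<host zone>") instead of
# a fixed offset so DST changes are honoured.
HOST_TZ = timezone(timedelta(hours=1))


def parse_line(line: str, tz: tzinfo = HOST_TZ):
    """Return an event dict for a Ban/Unban line, or None for anything else."""
    m = FAIL2BAN_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # The log carries no zone, so the naive timestamp is interpreted in tz
    # and then converted to UTC, which is what Elasticsearch expects.
    local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(
        microsecond=int(m["ms"]) * 1000, tzinfo=tz
    )
    return {
        "@timestamp": local.astimezone(timezone.utc).isoformat(),
        "level": m["level"],
        "jail": m["jail"],
        "action": m["action"],
        "src_ip": m["ip"],
    }


def parse_log(lines, tz: tzinfo = HOST_TZ):
    """Parse every line, dropping entries that are not ban/unban actions."""
    events = (parse_line(line, tz) for line in lines)
    return [e for e in events if e is not None]


def ban_counts(events):
    """Bans per jail: the figure a Kibana dashboard would chart."""
    return Counter(e["jail"] for e in events if e["action"] == "Ban")


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LINES)
    for ev in parsed:
        print(ev)
    print(dict(ban_counts(parsed)))
```

If the first event does not come out at 08:28:52 UTC for a +01:00 host, the same mistake will show up in Kibana as bans plotted an hour off, which is the symptom the timezone setting in the forwarder and Logstash configs is there to prevent.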
The Dashboard
Here is a Kibana dashboard config for fail2ban to get you started. Let me know on twitter if you have any issues.