Setting Up Fail2Ban With ELK

One of the first things I wanted to do with my ELK stack (Elasticsearch, Logstash and Kibana) was import Fail2Ban logs. Here is how I made it happen on a Debian based system.

Setting up Logstash-forwarder

Unfortunately, fail2ban writes its logs in the local machine's time and does not include the timezone:

2015-02-08 09:28:52,438 fail2ban.actions: WARNING [ssh] Ban XX.XX.XX.XX

To get around this, when configuring logstash-forwarder (/etc/logstash-forwarder), make sure to include the correct timezone, then reload the forwarder:

service logstash-forwarder reload

Setting up Logstash

Create a new configuration file for fail2ban in /etc/logstash/conf.d. If your ELK server(s) are not located in the same timezone as the other servers, make sure to add whichever timezones you need. Aside: let me know if this is possible using variables.

We are using some custom patterns, so next create the directory /etc/logstash/patterns and add the following.

service logstash force-reload
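The Logstash pipeline above does two things to each fail2ban line: a grok pattern splits it into fields (jail, action, client IP), and a date filter re-interprets the naive local timestamp in the source host's timezone before storing it as UTC in @timestamp. The following is an added example, not the post's own configuration, that does the same job in plain Python so the timezone effect can be checked offline: the regex, field names, SAMPLE_LINES (constructed, using documentation-range IPs) and the grok expression quoted in the comment are all assumptions for this example, not patterns taken from the post.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Regex equivalent of the grok expression such a Logstash filter could use
# (an assumption for this example, not the pattern from the post):
#   %{TIMESTAMP_ISO8601:timestamp} %{DATA:source}: %{LOGLEVEL:level} \[%{DATA:jail}\] %{WORD:action} %{IP:client_ip}
FAIL2BAN_LINE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<source>\S+): (?P<level>[A-Z]+) "
    r"\[(?P<jail>[^\]]+)\] (?P<action>\w+) (?P<client_ip>\S+)$"
)

# Same layout the Logstash date filter would be given: "yyyy-MM-dd HH:mm:ss,SSS"
LOG_TIME_FORMAT = "%Y-%m-%d %H:%M:%S,%f"

UTC = timezone.utc


def parse_line(line, log_tz):
    """Parse one fail2ban.log line into a dict of fields.

    log_tz is the timezone the *source host* writes its log in (a zone name such
    as "Europe/London" or a tzinfo object); the line itself carries no offset.
    Returns None for lines that do not match the pattern.
    """
    m = FAIL2BAN_LINE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    tz = ZoneInfo(log_tz) if isinstance(log_tz, str) else log_tz
    local_time = datetime.strptime(event["timestamp"], LOG_TIME_FORMAT).replace(tzinfo=tz)
    # Normalise to UTC with millisecond precision, as @timestamp is stored in Elasticsearch
    event["@timestamp"] = local_time.astimezone(UTC).isoformat(timespec="milliseconds")
    return event


def ban_counts(lines, log_tz):
    """Count Ban actions per client IP across a batch of log lines."""
    counts = Counter()
    for line in lines:
        event = parse_line(line, log_tz)
        if event and event["action"] == "Ban":
            counts[event["client_ip"]] += 1
    return dict(counts)


# Constructed sample lines in the format shown in the post (documentation-range IPs)
SAMPLE_LINES = [
    "2015-02-08 09:28:52,438 fail2ban.actions: WARNING [ssh] Ban 198.51.100.23",
    "2015-02-08 09:30:10,002 fail2ban.actions: WARNING [apache] Ban 203.0.113.7",
    "2015-02-08 09:38:52,001 fail2ban.actions: INFO [ssh] Unban 198.51.100.23",
    "2015-02-08 09:45:00,000 fail2ban.actions: WARNING [ssh] Ban 198.51.100.23",
    "this line is not a fail2ban action and is skipped",
]

if __name__ == "__main__":
    # The same wall-clock line lands on a different instant depending on the host's zone,
    # which is why the forwarder or pipeline must be told the source timezone
    for zone in ("Europe/London", "America/New_York"):
        print(zone, parse_line(SAMPLE_LINES[0], zone)["@timestamp"])
    print(ban_counts(SAMPLE_LINES, "Europe/London"))
```

Running it shows the first sample line becoming 09:28 UTC when the host is in London but 14:28 UTC when it is in New York; if the zone is left out, bans from hosts in different timezones end up out of order on the Kibana timeline.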

The Dashboard

Here is a Kibana dashboard config for fail2ban to get you started. Let me know on Twitter if you have any issues.