Setting up Logstash-forwarder
Unfortunately, fail2ban's logs are written in the local machine's time and don't include the timezone:
2015-02-08 09:28:52,438 fail2ban.actions: WARNING [ssh] Ban XX.XX.XX.XX
To get around this, when configuring logstash-forwarder (/etc/logstash-forwarder), make sure to include the correct timezone.
service logstash-forwarder reload
Setting up Logstash
Create a new configuration file for fail2ban in /etc/logstash/conf.d. If your ELK server(s) are not located in the same timezone as the other servers, make sure to add the timezones you need. Aside: let me know if this is possible using variables.
We are using some custom patterns, so next create the directory /etc/logstash/patterns and add the following.
service logstash force-reload
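To make the two steps above concrete (a custom pattern for the fail2ban line, then a date parse that attaches the zone the log was written in and normalises to UTC), here is an added Python example that does outside Logstash what the pattern and date filter do inside it. It is not the post's own configuration: the regex is my stand-in for the custom grok pattern, the sample lines and addresses are constructed, and the "+HH:MM or IANA zone name" timezone spec is my own convention (named zones need tz data installed on the host).

```python
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample lines in fail2ban's default log format. Note that the
# timestamp carries no timezone, which is the problem the post describes.
SAMPLE_LINES = [
    "2015-02-08 09:28:52,438 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7",
    "2015-02-08 10:03:11,002 fail2ban.actions: WARNING [ssh] Unban 203.0.113.7",
    "2015-02-08 10:05:00,000 fail2ban.filter: INFO [ssh] Found 198.51.100.23",
    "this line does not match the pattern at all",
]

# Stand-in for the custom grok pattern: each named group becomes an event field.
FAIL2BAN_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<component>fail2ban\.\w+):\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"\[(?P<jail>[^\]]+)\]\s+"
    r"(?P<action>Ban|Unban|Found)\s+"
    r"(?P<ip>\S+)\s*$"
)

# Fixed offsets such as "+01:00" or "-05:00" (my own convention, not Logstash's).
OFFSET_RE = re.compile(r"^([+-])(\d{2}):(\d{2})$")


def resolve_timezone(tz_spec):
    """Accept either a fixed offset like '+01:00' or an IANA zone name like
    'Europe/Berlin'. The latter requires tz data to be installed on the host."""
    m = OFFSET_RE.match(tz_spec)
    if m:
        sign = 1 if m.group(1) == "+" else -1
        delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
        return timezone(sign * delta, name=tz_spec)
    return ZoneInfo(tz_spec)


def parse_fail2ban_line(line, tz_spec):
    """Parse one fail2ban log line into a dict of fields with '@timestamp'
    normalised to UTC. Lines that do not match are tagged, not dropped."""
    m = FAIL2BAN_RE.match(line)
    if m is None:
        # Mirror the grok filter's habit of tagging unparsed events so they
        # remain visible in Kibana instead of silently disappearing.
        return {"message": line, "tags": ["_fail2ban_parse_failure"]}
    event = m.groupdict()
    # fail2ban writes milliseconds after a comma; %f accepts three digits.
    naive = datetime.strptime(event["timestamp"], "%Y-%m-%d %H:%M:%S,%f")
    # Attach the zone the log was written in, then convert to UTC so events
    # from servers in different zones line up on one timeline.
    local = naive.replace(tzinfo=resolve_timezone(tz_spec))
    utc = local.astimezone(timezone.utc)
    event["@timestamp"] = utc.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    event["source_timezone"] = tz_spec
    event["message"] = line
    return event


def parse_lines(lines, tz_spec):
    """Parse a batch of lines that were all written in the same timezone."""
    return [parse_fail2ban_line(line, tz_spec) for line in lines]


if __name__ == "__main__":
    # A server one hour ahead of UTC: 09:28:52 local becomes 08:28:52Z.
    for ev in parse_lines(SAMPLE_LINES, "+01:00"):
        print(ev)
```

Feeding the same line through with a different source timezone shifts only "@timestamp", which is exactly why the post insists on carrying the correct zone per server: without it, bans from two hosts in different zones appear hours apart in Kibana even when they happened at the same moment.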
Here is a Kibana dashboard config for fail2ban to get you started. Let me know on twitter if you have any issues.