Fail2ban
Ship your Fail2ban logs using Filebeat to your Logit.io Stack
Follow the steps below to send your observability data to Logit.io
Logs
Configure Fail2ban to ship logs via Filebeat to your Logit.io stacks via Logstash.
Install Integration
Install Filebeat
To get started you will need to install filebeat. To do this you have two main options:
- Choose the AMD / Intel file (x86_64) or
- Choose the ARM file (aarch64)
You can tell if you have a PC with an ARM CPU architecture by opening the Terminal
application and running the arch
command. If it displays arm64 you have ARM architecture.
To successfully install filebeat you will need to have root access.
If you have an x86_64 system download and install filebeat using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.15.2-amd64.deb
sudo dpkg -i filebeat-8.15.2-amd64.deb
If you have an aarch64 system download and install filebeat using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.15.2-arm64.deb
sudo dpkg -i filebeat-8.15.2-arm64.deb
The default configuration file is located at:
/etc/filebeat/filebeat.yml
Configure Filebeat.yml
The configuration file below is pre-configured to send data to your Logit.io Stack.
Copy the configuration file below and overwrite the contents of the Filebeat
configuration file typically located at /etc/filebeat/filebeat.yml
####################### Logit.io Filebeat Configuration #########################
# ============================== Filebeat inputs ===============================
filebeat.inputs:
- type: filestream
enabled: true
paths:
- "/var/log/fail2ban.log"
fields:
type: "fail2ban"
fields_under_root: true
encoding: utf-8
ignore_older: 12h
# ================================== Outputs ===================================
output.logstash:
hosts: ["@logstash.host:@logstash.sslPort"]
loadbalance: true
ssl.enabled: true
Validate Configuration
sudo @beatname test config -c /etc/@beatname/@beatname.yml
If the yml file is invalid, @beatname will print a description of the error. For example, if the
output.logstash
section was missing, @beatname would print no outputs are defined, please define one under the output section
Start Filebeat
To start Filebeat, run:
sudo systemctl start filebeat
Launch OpenSearch Dashboards to View Your Data
Launch OpenSearch DashboardsHow to diagnose no data in Stack
If you don't see data appearing in your stack after following this integration, take a look at the troubleshooting guide for steps to diagnose and resolve the problem or contact our support team and we'll be happy to assist.
Metrics
Configure Telegraf to ship Fail2ban metrics to your Logit.io stacks.
Install Integration
Install Telegraf
This integration allows you to configure a Telegraf agent to send your metrics to Logit.io.
Choose the installation method for your operating system:
Debian and Ubuntu users can install the latest stable version of Telegraf using the apt package manager.
The command line below will:
- Download and install repository signing key
- Configure the influxdata repository
- Install telegraf
curl --silent --location -O \
https://repos.influxdata.com/influxdata-archive.key \
&& echo "943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515 influxdata-archive.key" \
| sha256sum -c - && cat influxdata-archive.key \
| gpg --dearmor \
| sudo tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null \
&& echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' \
| sudo tee /etc/apt/sources.list.d/influxdata.list
sudo apt-get update && sudo apt-get install telegraf
The default configuration file is location at:
/etc/telegraf/telegraf.conf
Configure Telegraf
The configuration file below is pre-configured to scrape the system metrics from your hosts, add the following code to the configuration file telegraf.conf
from the previous step.
### Read metrics from fail2ban.
[[inputs.fail2ban]]
## Use sudo to run fail2ban-client
use_sudo = false
### System metrics
[[inputs.disk]]
[[inputs.net]]
[[inputs.mem]]
[[inputs.system]]
[[inputs.cpu]]
percpu = false
totalcpu = true
collect_cpu_time = true
report_active = true
### Output
[[outputs.http]]
url = "https://@metricsUsername:@metricsPassword@@metrics_id-vm.logit.io:@vmAgentPort/api/v1/write"
data_format = "prometheusremotewrite"
[outputs.http.headers]
Content-Type = "application/x-protobuf"
Content-Encoding = "snappy"
Read more about how to configure data scraping and configuration options for Fail2ban (opens in a new tab)
Start Telegraf
For systemd installations use systemctl to start telegraf
sudo systemctl start telegraf
Launch Grafana to View Your Data
Launch GrafanaHow to diagnose no data in Stack
If you don't see data appearing in your stack after following this integration, take a look at the troubleshooting guide for steps to diagnose and resolve the problem or contact our support team and we'll be happy to assist.
Fail2ban Overview
Fail2ban is an open-source security monitoring solution that provides real-time threat detection, integrity monitoring, and compliance management capabilities. To effectively monitor and analyze security events, it's crucial to have a reliable and efficient log management solution. Fail2ban leverages the Elastic Stack, including Elasticsearch, Logstash, and OpenSearch, to provide a centralized platform for collecting, processing, and visualizing security-related data.
Organizations can use Filebeat, an open-source log shipper, to send data from Fail2ban to Logstash for processing and analysis. By configuring Filebeat to monitor the Fail2ban logs directory, any new logs can be automatically sent to Logstash, where they can be processed and analyzed in real-time for threat detection and response.
Filebeat ensures that logs are securely transferred to Logstash, where they can be filtered, transformed, and enhanced using various plugins and modules. Logstash can also perform correlation and analysis on the data to identify patterns and anomalies that may indicate security threats.
Using Fail2ban with Filebeat and Logstash provides organizations with a powerful security monitoring solution that can detect and respond to security incidents in real-time, while also maintaining compliance with industry regulations and standards. By leveraging Logit.io, organizations can collect and analyze data from various sources, gain valuable insights into their security posture, and make informed decisions to improve their overall security stance.
If you need any further assistance with migrating your log data to OpenSearch we're here to help you get started. Feel free to get in contact with our support team by sending us a message via live chat and we'll be happy to assist.