Fail2ban

Fail2ban

Ship your Fail2ban logs using Filebeat to your Logit.io Stack

Follow the steps below to send your observability data to Logit.io

Logs

Configure Fail2ban to ship logs via Filebeat to your Logit.io stacks via Logstash.

Install Integration

Please click on the Install Integration button to configure your stack for this source.

Install Filebeat

To get started you will need to install filebeat. To do this you have two main options:

  • Choose the AMD / Intel file (x86_64) or
  • Choose the ARM file (aarch64)

You can tell if you have a PC with an ARM CPU architecture by opening the Terminal application and running the arch command. If it displays arm64 you have ARM architecture.

To successfully install filebeat you will need to have root access.

If you have an x86_64 system download and install filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.15.2-amd64.deb
sudo dpkg -i filebeat-8.15.2-amd64.deb

If you have an aarch64 system download and install filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.15.2-arm64.deb
sudo dpkg -i filebeat-8.15.2-arm64.deb

The default configuration file is located at:
/etc/filebeat/filebeat.yml

Configure Filebeat.yml

The configuration file below is pre-configured to send data to your Logit.io Stack.

Copy the configuration file below and overwrite the contents of the Filebeat configuration file typically located at /etc/filebeat/filebeat.yml

filebeat.yml
####################### Logit.io Filebeat Configuration #########################
# ============================== Filebeat inputs ===============================
filebeat.inputs:
- type: filestream
  enabled: true
  paths:
  - "/var/log/fail2ban.log"
  
  fields:
    type: "fail2ban"
  fields_under_root: true
  encoding: utf-8
  ignore_older: 12h
 
# ================================== Outputs ===================================
output.logstash:
  hosts: ["@logstash.host:@logstash.sslPort"]
  loadbalance: true
  ssl.enabled: true

Validate Configuration

sudo @beatname test config -c /etc/@beatname/@beatname.yml

If the yml file is invalid, @beatname will print a description of the error. For example, if the output.logstash section was missing, @beatname would print no outputs are defined, please define one under the output section

Start Filebeat

To start Filebeat, run:

sudo systemctl start filebeat

Launch OpenSearch Dashboards to View Your Data

Launch OpenSearch Dashboards

How to diagnose no data in Stack

If you don't see data appearing in your stack after following this integration, take a look at the troubleshooting guide for steps to diagnose and resolve the problem or contact our support team and we'll be happy to assist.

Metrics

Configure Telegraf to ship Fail2ban metrics to your Logit.io stacks.

Install Integration

Please click on the Install Integration button to configure your stack for this source.

Install Telegraf

This integration allows you to configure a Telegraf agent to send your metrics to Logit.io.

Choose the installation method for your operating system:

Debian and Ubuntu users can install the latest stable version of Telegraf using the apt package manager.

The command line below will:

  • Download and install repository signing key
  • Configure the influxdata repository
  • Install telegraf
curl --silent --location -O \
https://repos.influxdata.com/influxdata-archive.key \
&& echo "943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515  influxdata-archive.key" \
| sha256sum -c - && cat influxdata-archive.key \
| gpg --dearmor \
| sudo tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg > /dev/null \
&& echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' \
| sudo tee /etc/apt/sources.list.d/influxdata.list
sudo apt-get update && sudo apt-get install telegraf

The default configuration file is location at:
/etc/telegraf/telegraf.conf

Configure Telegraf

The configuration file below is pre-configured to scrape the system metrics from your hosts, add the following code to the configuration file telegraf.conf from the previous step.

telegraf.conf
### Read metrics from fail2ban.
[[inputs.fail2ban]]
  ## Use sudo to run fail2ban-client
  use_sudo = false
 
### System metrics
[[inputs.disk]]
[[inputs.net]]
[[inputs.mem]]
[[inputs.system]]
[[inputs.cpu]]
  percpu = false
  totalcpu = true
  collect_cpu_time = true
  report_active = true
 
### Output
[[outputs.http]]
  url = "https://@metricsUsername:@metricsPassword@@metrics_id-vm.logit.io:@vmAgentPort/api/v1/write"
  data_format = "prometheusremotewrite"
 
  [outputs.http.headers]
    Content-Type = "application/x-protobuf"
    Content-Encoding = "snappy"

Read more about how to configure data scraping and configuration options for Fail2ban (opens in a new tab)

Start Telegraf

For systemd installations use systemctl to start telegraf

sudo systemctl start telegraf

Launch Grafana to View Your Data

Launch Grafana

How to diagnose no data in Stack

If you don't see data appearing in your stack after following this integration, take a look at the troubleshooting guide for steps to diagnose and resolve the problem or contact our support team and we'll be happy to assist.

Fail2ban Overview

Fail2ban is an open-source security monitoring solution that provides real-time threat detection, integrity monitoring, and compliance management capabilities. To effectively monitor and analyze security events, it's crucial to have a reliable and efficient log management solution. Fail2ban leverages the Elastic Stack, including Elasticsearch, Logstash, and OpenSearch, to provide a centralized platform for collecting, processing, and visualizing security-related data.

Organizations can use Filebeat, an open-source log shipper, to send data from Fail2ban to Logstash for processing and analysis. By configuring Filebeat to monitor the Fail2ban logs directory, any new logs can be automatically sent to Logstash, where they can be processed and analyzed in real-time for threat detection and response.

Filebeat ensures that logs are securely transferred to Logstash, where they can be filtered, transformed, and enhanced using various plugins and modules. Logstash can also perform correlation and analysis on the data to identify patterns and anomalies that may indicate security threats.

Using Fail2ban with Filebeat and Logstash provides organizations with a powerful security monitoring solution that can detect and respond to security incidents in real-time, while also maintaining compliance with industry regulations and standards. By leveraging Logit.io, organizations can collect and analyze data from various sources, gain valuable insights into their security posture, and make informed decisions to improve their overall security stance.

If you need any further assistance with migrating your log data to OpenSearch we're here to help you get started. Feel free to get in contact with our support team by sending us a message via live chat and we'll be happy to assist.