Search::ESsearcher::Templates::sfail2ban - Provides support for fail2ban logs shipped via beats.
Version 0.0.1
This uses a logstash configuration like below.
    input {
      beats {
        host => "10.10.10.10"
        port => 5044
        type => "beats"
      }
    }

    filter {
      if [fields][log] == "fail2ban" {
        grok {
          match => {
            "message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:log_src}.%{WORD:src_action} *\[%{INT:fail2ban_digit}\]: %{LOGLEVEL:loglevel} *\[%{NOTSPACE:service}\] %{WORD:ban_status} %{IP:clientip}"
          }
        }
        geoip {
          source => "clientip"
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
        }
      }
    }

    output {
      if [type] == "beats" {
        elasticsearch {
          hosts => [ "127.0.0.1:9200" ]
        }
      }
    }
For filebeats, it is assuming this sort of configuration.
    - type: log
      paths:
        - /var/log/fail2ban.log
      fields:
        log: fail2ban
If your beats input sets a different type, or you want to match on a different field, you can change that via --field and --fieldv.

If fields.log is set to something other than "fail2ban", you can change that via --field2 and --field2v.
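The grok pattern in the logstash filter above is what turns a raw fail2ban line into the timestamp, service, ban_status and clientip fields that this template queries. As an added example (not part of this module or of logstash), here is an equivalent parser in Python, run over a few constructed fail2ban log lines. It escapes the dot between log_src and src_action (grok's unescaped `.` matches any character), validates the captured address with the ipaddress module instead of trusting the loose character class, and shows why a search for bans has to filter on ban_status: "Found" and "Unban" lines match the same pattern. The log lines, pids and addresses are made up for the example.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable, Optional

# Python equivalent of the grok pattern in the logstash filter.
# Group names mirror the grok capture names so the dict looks like the
# resulting Elasticsearch document. TIMESTAMP_ISO8601 and LOGLEVEL are
# simplified; %{IP} is approximated by a character class and then
# validated with ipaddress below.
FAIL2BAN_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?)"
    r" (?P<log_src>\w+)\.(?P<src_action>\w+)"      # literal dot, unlike the grok
    r" *\[(?P<fail2ban_digit>\d+)\]: (?P<loglevel>[A-Za-z]+)"
    r" *\[(?P<service>\S+)\] (?P<ban_status>\w+) (?P<clientip>[0-9A-Fa-f:.]+)"
)

# Constructed sample lines in fail2ban's default log format (not real data).
SAMPLE_LINES = [
    "2023-05-01 12:00:00,123 fail2ban.actions        [12345]: NOTICE  [sshd] Ban 192.0.2.10",
    "2023-05-01 12:10:00,456 fail2ban.actions        [12345]: NOTICE  [sshd] Unban 192.0.2.10",
    "2023-05-01 12:11:00,789 fail2ban.filter         [12345]: INFO    [sshd] Found 198.51.100.7 - 2023-05-01 12:11:00",
    "2023-05-01 12:12:00,000 fail2ban.server         [12345]: INFO    Starting Fail2ban v0.11.2",
    "2023-05-01 12:20:00,000 fail2ban.actions        [12345]: NOTICE  [sshd] Ban 2001:db8::1",
]


def parse_fail2ban_line(line: str) -> Optional[dict]:
    """Return the grok-style field dict for a fail2ban log line, or None.

    Lines that do not fit the pattern (e.g. daemon start-up messages) are
    dropped, just as logstash would leave them without these fields.
    """
    m = FAIL2BAN_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    try:
        # Normalise and validate the address; reject garbage that the loose
        # character class let through (e.g. "de:ad").
        fields["clientip"] = str(ipaddress.ip_address(fields["clientip"]))
    except ValueError:
        return None
    return fields


def ban_counts(lines: Iterable[str]) -> Counter:
    """Count 'Ban' events per (jail, client IP).

    'Found' and 'Unban' lines match the same pattern, so the filter on
    ban_status is what distinguishes an actual ban from a detection.
    """
    counts: Counter = Counter()
    for line in lines:
        fields = parse_fail2ban_line(line)
        if fields and fields["ban_status"] == "Ban":
            counts[(fields["service"], fields["clientip"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_fail2ban_line(line))
    print(ban_counts(SAMPLE_LINES))
```

When checking a jail in Kibana or with this template, the same point applies: filter on ban_status "Ban" (or "Unban") rather than on clientip alone, otherwise every "Found" line for an address that was never banned is counted as well.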
The machine beats is running on, i.e. the host feeding fail2ban info to logstash/ES.
The fail2ban jail name to query.
The two-letter country code (as set by the geoip filter).
The state/province/etc to search for.
The postal code to search for.
The city to search for.
The IP to search for.
The number of items to return.
Date greater than.
Date greater than or equal to.
Date less than.
Date less than or equal to.
Messages to match.
The term field to use for matching them all.
The value of the term field used to match them all.
The term field to use for what beats is setting.
The value to look for in the field beats is setting.
    , OR
    + AND
    ! NOT

A list separated by any of those will be transformed accordingly.

These may be used with program, facility, pid, or host.

    example: --program postfix,spamd
    results: postfix OR spamd
date

    /^-/   appends "now" to it. So "-5m" becomes "now-5m".
    /^u\:/ takes what is after ":" and uses Time::ParseDate to convert it to a unix time value.

Anything not matching any of the above is passed on unchanged.
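The two argument rewrites above (the AND/OR/NOT list shortcut and the date prefixes) are small, but it is easy to get an unexpected query out of them. As an added example (not the module's own Perl code), here is a Python rendering of both rules plus a helper that turns the four date options into an Elasticsearch range clause. Where the module uses Time::ParseDate, which accepts free-form dates, this example substitutes datetime.fromisoformat (an assumption, so only ISO 8601 input works here); the field name "@timestamp" is likewise an assumption about the beats index.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Separator-to-operator map from the shortcut section above.
SHORTCUTS = {",": "OR", "+": "AND", "!": "NOT"}


def expand_shortcuts(value: str) -> str:
    """Rewrite 'postfix,spamd' to 'postfix OR spamd', 'a+b' to 'a AND b',
    and 'sshd,!recidive' to 'sshd OR NOT recidive'.

    The value is split on the separator characters with the separators
    kept, so '!' works as a unary NOT directly after ',' or '+'.
    """
    tokens = []
    for part in re.split(r"([,+!])", value):
        if part in SHORTCUTS:
            tokens.append(SHORTCUTS[part])
        elif part.strip():
            tokens.append(part.strip())
    return " ".join(tokens)


def expand_date(value: str) -> str:
    """Apply the date prefixes: '-5m' -> 'now-5m', 'u:<date>' -> epoch seconds.

    Time::ParseDate is replaced here by datetime.fromisoformat (assumption);
    naive timestamps are treated as UTC. Anything else passes through as-is,
    so Elasticsearch date math such as 'now-1d/d' is left untouched.
    """
    if value.startswith("-"):
        return "now" + value
    if value.startswith("u:"):
        dt = datetime.fromisoformat(value[2:])
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        return str(int(dt.timestamp()))
    return value


def date_range(field: str, dgt: Optional[str] = None, dgte: Optional[str] = None,
               dlt: Optional[str] = None, dlte: Optional[str] = None) -> dict:
    """Build the Elasticsearch range clause for --dgt/--dgte/--dlt/--dlte."""
    bounds = {}
    for key, val in (("gt", dgt), ("gte", dgte), ("lt", dlt), ("lte", dlte)):
        if val is not None:
            bounds[key] = expand_date(val)
    return {"range": {field: bounds}}


if __name__ == "__main__":
    print(expand_shortcuts("postfix,spamd"))
    print(expand_shortcuts("sshd,!recidive"))
    print(date_range("@timestamp", dgte="-1h", dlt="u:2023-05-01T00:00:00"))
```

Note that the epoch value produced by the "u:" form is in seconds; if the target field is mapped with an epoch_millis format only, the range will silently select nothing, so check the index mapping before relying on it.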
To install Search::ESsearcher, copy and paste the appropriate command into your terminal.

cpanm

    cpanm Search::ESsearcher

CPAN shell

    perl -MCPAN -e shell
    install Search::ESsearcher

For more information on module installation, please visit the detailed CPAN module installation guide.