Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. This integration allows you to send Fail2ban logs to your Logz.io SIEM account.
Guided configuration
Before you begin, you’ll need: Filebeat Fail2ban, root access
Download the Logz.io public certificate to your credentials server
For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Add Fail2ban as an input
In the Filebeat configuration file (/etc/filebeat/filebeat.yml), add Fail2ban to the filebeat.inputs section.
Replace <<LOG-SHIPPING-TOKEN>>
with the token of the account you want to ship to.
# ...
filebeat.inputs:
- type: log
paths:
- /var/log/fail2ban.log
fields:
logzio_codec: plain
# Your Logz.io account token. You can find your token at
# https://app.logz.io/#/dashboard/settings/manage-accounts
token: <<LOG-SHIPPING-TOKEN>>
type: fail2ban
fields_under_root: true
encoding: utf-8
ignore_older: 3h
If you’re running Filebeat 8.1+, the type
of the filebeat.inputs
is filestream
instead of logs
:
filebeat.inputs:
- type: filestream
paths:
- /var/log/*.log
If you’re running Filebeat 7, paste this code block. Otherwise, you can leave it out.
# ... For Filebeat 7 only ...
filebeat.registry.path: /var/lib/filebeat
processors:
- rename:
fields:
- from: "agent"
to: "filebeat_agent"
ignore_missing: true
- rename:
fields:
- from: "log.file.path"
to: "source"
ignore_missing: true
If you’re running Filebeat 6, paste this code block.
# ... For Filebeat 6 only ...
registry_file: /var/lib/filebeat/registry
Set Logz.io as the output
If Logz.io is not an output, add it now. Remove all other outputs.
Replace <<LISTENER-HOST>>
with the host for your region. For example, listener.logz.io
if your account is hosted on AWS US East, or listener-nl.logz.io
if hosted on Azure West Europe.
# ...
output.logstash:
hosts: ["<<LISTENER-HOST>>:5015"]
ssl:
certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
Start Filebeat
Start or restart Filebeat for the changes to take effect.
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Kibana.
If you still don’t see your logs, see log shipping troubleshooting.