NAME

Search::ESsearcher::Templates::sfail2ban - Provicdes support for fail2ban logs sucked down via beats.

VERSION

Version 0.0.2

LOGSTASH

This uses a logstash configuration like below.

input {
  beats {
    host => "10.10.10.10"
    port => 5044
    type => "beats"
  }
}

filter {
    if [fields][log] == "fail2ban" {
            grok {
                    match => {
                            "message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:log_src}.%{WORD:src_action} *\[%{INT:fail2ban_digit}\]: %{LOGLEVEL:loglevel} *\[%{NOTSPACE:service}\] %{WORD:ban_status} %{IP:clientip}"
                    }
            }
            geoip {
                    source => "clientip"
            }
    }
}

output {
  if [type] == "beats" {
    elasticsearch {
      hosts => [ "127.0.0.1:9200" ]
    }
  }
}

For filebeats, it is assuming this sort of configuration.

- type: log
  paths:
    - /var/log/fail2ban.log
  fields:
     log: fail2ban

If you have type set different or are using a diffent field, you can change that via --field and --fieldv.

If you have fields.log set differently, you can set that via --field2 and --field2v.

Options

--host <host>

The machine beasts is running on feeding fail2ban info to logstash/ES.

--jail <jail>

The fail2ban jail name to query.

--country <country>

The 2 letter country code.

--region <state>

The state/province/etc to search for.

--postal <zipcode>

The postal code to search for.

--city <cide>

The city to search for.

--ip <ip>

The IP to search for.

--size <count>

The number of items to return.

--dgt <date>

Date greater than.

--dgte <date>

Date greater than or equal to.

--dlt <date>

Date less than.

--dlte <date>

Date less than or equal to.

--msg <message>

Messages to match.

--field <field>

The term field to use for matching them all.

--fieldv <fieldv>

The value of the term field to matching them all.

--field2 <field2>

The term field to use for what beats is setting.

--field2v <field2v>

The value to look for in the field beats is setting.

AND, OR, or NOT shortcut

, OR
+ AND
! NOT

A list seperated by any of those will be transformed

These may be used with program, facility, pid, or host.

example: --program postfix,spamd

results: postfix OR spamd

date

/^-/ appends "now" to it. So "-5m" becomes "now-5m".

/^u\:/ takes what is after ":" and uses Time::ParseDate to convert it to a unix time value.

Any thing not matching maching any of the above will just be passed on.

To install Search::ESsearcher, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Search::ESsearcher

CPAN shell

perl -MCPAN -e shell
install Search::ESsearcher

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)