How to make fail2ban play nice with rsyslog

Discussion in 'Server Operation' started by Ovidiu, Apr 11, 2016.

  1. Ovidiu

    Ovidiu Active Member

    Both work on their own just fine, and fail2ban happily logs to /var/log/fail2ban.log.

    I would like to enable some log monitoring, and I can only monitor the syslog file, so I thought I could use this directive to make fail2ban log to syslog:
    logtarget = SYSLOG
    It works: fail2ban now logs to syslog. But if I want to enable the recidive module of fail2ban, I need to tell it which log file to monitor, and I'd rather avoid monitoring syslog, so I was looking to make rsyslog write to /var/log/fail2ban.log.

    I tried these but none really works; it seems I cannot figure out the correct syntax. Could someone help out?
    fail2ban.actions       -/var/log/fail2ban.log
    :msg, contains, "fail2ban.*" /var/log/fail2ban.log
    if $programname == 'fail2ban.*' then /var/log/fail2ban.log
    The first one definitely doesn't work; the other two seem to have problems with fail2ban.* - if I remove .* it works.
    Also, I need to log to fail2ban.log AND syslog.

    Any pointers?
  2. Ovidiu

    Ovidiu Active Member

    Anyone familiar with rsyslog? What is wrong with this line:
    :msg, contains, "fail2ban\.*"   /var/log/fail2ban.log
    I tried inserting it as the first rule to rule out that it was being overwritten, but I can still see fail2ban lines inside syslog but not inside /var/log/fail2ban.log
  3. vcolombo

    vcolombo New Member

    I know this is an old thread, but I thought I'd post this in case it helps someone else in the future. This is the rsyslog filter I went with to send fail2ban messages to /var/log/fail2ban.log in addition to syslog:

    (colon)programname, startswith, "fail2ban" -/var/log/fail2ban.log

    Replace (colon) with : of course. I couldn't get this to post without replacing that with :p
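
Added example, not part of the original posts: an rsyslog drop-in built around the filter from the last answer, with comments on why the earlier attempts matched nothing. The file name is an assumption, and the rule assumes fail2ban's syslog tag begins with "fail2ban", as that answer implies.

```conf
# /etc/rsyslog.d/10-fail2ban.conf
# (file name is an assumption; any *.conf file that rsyslog.conf includes works)
#
# Why the attempts in the thread matched nothing:
#   fail2ban.actions  -/var/log/...   Selector syntax is facility.priority,
#                                     and "fail2ban" is not a syslog facility.
#   :msg, contains, "fail2ban.*"      "contains" is a literal substring test,
#                                     so the characters ".*" would have to
#                                     appear verbatim in the message text.
#   $programname == 'fail2ban.*'      "==" is exact string equality, not a
#                                     glob or a regular expression.

# Property-based filter (legacy syntax, as in the answer above).
# "startswith" compares a literal prefix, so no wildcard is needed.
# The leading "-" on the path asks rsyslog not to sync the file after
# each write.
:programname, startswith, "fail2ban"    -/var/log/fail2ban.log

# Equivalent RainerScript form. Enable one of the two forms, not both,
# or every message is written to the file twice.
#if $programname startswith 'fail2ban' then {
#    action(type="omfile" file="/var/log/fail2ban.log")
#}

# No "stop" follows the rule, so each message continues on to the
# remaining rules and is still written to syslog as well.
```

After reloading rsyslog, `logger -t fail2ban.test hello` should produce a line in both /var/log/fail2ban.log and syslog. Before enabling the recidive jail, `fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/recidive.conf` shows whether its filter matches the syslog-formatted lines.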
