Open HotBlack77 opened 9 years ago
Another option would be to just use logwatch, which is in a cron
/etc/cron.d/fail2ban-reports
# Security reports for Server
#MAILTO=root
# Weekly fail2ban reports - 01h01 Monday
1 01 * * 1 root /usr/sbin/logwatch --service fail2ban --detail low --range 'between -1 week and today'
# Monthly fail2ban reports - 01h05 1st of the Month
5 01 1 * * root /usr/sbin/logwatch --service fail2ban --detail low --range 'between -1 month and today'
# Yearly fail2ban reports - 01h10 1st day of the Year
10 01 1 01 * root /usr/sbin/logwatch --service fail2ban --detail low --range 'between -1 year and today'
Yes, but don't you feel that logwatch would be worthy of being a whole plugin of its own?
Logwatch's own plugin, that is a different discussion.
I like the idea of only getting fail2ban reports that are useful. Using logwatch just makes that easier for this use case.
You can change Action = actionmw to Action = action if you don't want an email report. You can add your cron job now.
You don't need a logwatch OMV plugin to use it, just use it. ;)
@prbond that's exactly what I do. I just thought others might like a simple way to do the same.
Here's a slightly adapted version. It:
logresolve
grep "Ban " /var/log/fail2ban.log | grep $(date +%Y-%m-%d -d yesterday) | \
sed -e 's/Ban [0-9\.]*/Ban/' | sed -e 's/\( [0-2][0-9]\):[0-9]\{2\}:[0-9]\{2\},[0-9]\{3\}/\1h/' | \
/usr/bin/sort -n | /usr/bin/uniq -c | \
mail -s "Fail2Ban Summary $(date +%Y-%m-%d -d yesterday)" root
The default logging mechanism of Fail2Ban is quite noisy. It would be great if the plugin supported sending a daily summary of actions taken instead of an individual email for each action.
The script below does what I describe. I have never gotten round to understanding how to make an OMV plugin, but I imagine it should be pretty easy to have the plugin add this as a cron job and then set Fail2Ban not to send mails itself.
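A variant of the daily summary discussed in this thread, as an added example that is not any poster's script: it counts bans per hour and jail for one day, plus distinct addresses, matching the date only in the first field and only an exact `Ban` token. The function names, the assumed log line layout and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-day fail2ban ban summary, grouped by hour and jail.
# Assumed log line layout (the sample below is constructed):
#   2024-05-01 03:12:45,123 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.10

# ban_summary LOGFILE DAY -> lines "count HHh [jail] N distinct"
ban_summary() {
    awk -v day="$2" '
        $1 != day { next }                  # date must be the first field
        {
            for (i = 3; i < NF; i++) {
                # Exact "Ban" token directly after "[jail]";
                # this skips "Unban" and "Restore Ban" lines.
                if ($i == "Ban" && $(i-1) ~ /^\[.*\]$/) {
                    key = substr($2, 1, 2) "h " $(i-1)
                    count[key]++
                    if (!((key, $(i+1)) in seen)) {
                        seen[key, $(i+1)] = 1
                        ips[key]++
                    }
                    break
                }
            }
        }
        END { for (k in count) print count[k], k, ips[k] " distinct" }
    ' "$1" | sort -k2,2 -k3,3
}

# Constructed sample log (documentation address ranges only).
sample_log() {
    cat <<'EOF'
2024-05-01 03:12:45,123 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.10
2024-05-01 03:40:02,518 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.11
2024-05-01 03:41:10,007 fail2ban.actions [812]: NOTICE [sshd] Unban 192.0.2.10
2024-05-01 03:55:31,900 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.10
2024-05-01 14:02:09,330 fail2ban.actions [812]: NOTICE [nginx-http-auth] Ban 198.51.100.7
2024-05-01 14:05:00,001 fail2ban.actions [812]: NOTICE [sshd] Restore Ban 192.0.2.11
2024-05-02 00:00:03,250 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.5
EOF
}

# Cron usage, reusing the commands already shown in the thread:
#   ban_summary /var/log/fail2ban.log "$(date +%Y-%m-%d -d yesterday)" | \
#       mail -s "Fail2Ban Summary $(date +%Y-%m-%d -d yesterday)" root
```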