fail2ban / fail2ban

Daemon to ban hosts that cause multiple authentication errors
http://www.fail2ban.org

Customize fail2ban Log Message #2393

Open paulsen-it opened 5 years ago

paulsen-it commented 5 years ago

Environment:

The issue:

fail2ban logs bans with this message:

2019-04-02 15:27:42,318 fail2ban.actions: WARNING [apache] Ban 44.110.20.110

It is possible to add the log file at the end of this message, so I can see in which log file the ban happened.

2019-04-02 15:27:42,318 fail2ban.actions: WARNING [apache] Ban 44.110.20.110 /var/log/apache2/error.log

I work with wildcards, so there are many log files (/var/log/sites/*/log/error.log), and I cannot see which log file will be found by fail2ban.

CreativeWolf commented 5 years ago

This will be an awesome addition indeed to analyze site-wise bans.

sebres commented 5 years ago

The log file the failures come from is not part of the API at the moment (neither is it referenced in the ticket, nor am I convinced it should really be done, for several reasons).

So grep --files-with-matches -wF $ip /log/path/mask still remains your friend.
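
Added example, not part of the thread and not fail2ban code: the grep workaround from the comment above, wrapped in a POSIX shell function that appends the matching log file(s) to each Ban line in the format requested in the issue. The function names annotate_bans and make_sample, the directory layout and all sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not fail2ban code): append the matching log file(s) to each
# "Ban" line, using the grep -lwF approach suggested in the thread.

# annotate_bans F2B_LOG LOGFILE...
# Prints every "[jail] Ban <ip>" line of F2B_LOG followed by the LOGFILEs that
# contain <ip> as a whole word, comma-separated, or "-" when none does.
annotate_bans() {
    f2b_log=$1
    shift
    # Keep only ban lines; "Unban" and "Found" lines do not match "] Ban ".
    grep -E '\] Ban [0-9A-Fa-f:.]+$' "$f2b_log" | while IFS= read -r line; do
        ip=${line##* }                      # last field is the address
        # -F: dots are literal; -w: 44.110.20.11 must not hit 44.110.20.110.
        # stdin is /dev/null so grep never eats the ban lines if no file is given.
        files=$(grep -lwF -e "$ip" -- "$@" 2>/dev/null </dev/null | paste -sd, -)
        printf '%s %s\n' "$line" "${files:--}"
    done
}

# Constructed sample data (assumed layout: one error.log per site).
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sites/a/log" "$dir/sites/b/log"
    echo '[client 44.110.20.110:5050] AH01630: client denied' \
        > "$dir/sites/a/log/error.log"
    echo '[client 44.110.20.11:4040] AH01630: client denied' \
        > "$dir/sites/b/log/error.log"
    cat > "$dir/fail2ban.log" <<'EOF'
2019-04-02 15:27:40,001 fail2ban.filter: INFO [apache] Found 44.110.20.110
2019-04-02 15:27:42,318 fail2ban.actions: WARNING [apache] Ban 44.110.20.110
2019-04-02 15:30:00,000 fail2ban.actions: WARNING [apache] Ban 44.110.20.11
2019-04-02 15:31:00,000 fail2ban.actions: WARNING [apache] Unban 44.110.20.110
2019-04-02 15:32:00,000 fail2ban.actions: WARNING [apache] Ban 203.0.113.9
EOF
    echo "$dir"
}

sample=$(make_sample)
annotate_bans "$sample/fail2ban.log" "$sample"/sites/*/log/error.log
rm -rf "$sample"
```

The annotated lines can be shipped to a log pipeline in place of the raw fail2ban log; a ban whose address appears in none of the given files is marked with "-".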

CreativeWolf commented 5 years ago

Heya @sebres appreciate your response.

I understand it's not part of the API at the moment. The use case I'm looking at is to feed the fail2ban log to ELK and be able to monitor and visualize site-wise data on bans. Are you suggesting to get the banned IP addresses from the fail2ban log and then grep through the web server logs?

Purely for learning and understanding, what are your reasons that you think aren't convincing you?

Thanks!

sebres commented 5 years ago

> get the banned IP addresses from the fail2ban log

Why, if there is a fail2ban database where this info (with much more) is available via SQL?