telegraf/plugins/inputs/fail2ban/README.md

# Fail2ban Input Plugin

The fail2ban plugin gathers the count of failed and banned IP addresses using
[fail2ban](https://www.fail2ban.org).

This plugin runs the `fail2ban-client` command, which generally requires root access.
The required permissions can be acquired in one of the following ways:

- [Use sudo](#using-sudo) to run `fail2ban-client`.
- Run telegraf as root (not recommended).

### Configuration

```toml
# Read metrics from fail2ban.
[[inputs.fail2ban]]
  ## Use sudo to run fail2ban-client
  use_sudo = false
```

### Using sudo

Make sure to set `use_sudo = true` in your configuration file.

You will also need to update your sudoers file. It is recommended to modify a
file in the `/etc/sudoers.d` directory using `visudo`:

```bash
$ sudo visudo -f /etc/sudoers.d/telegraf
```

Add the following lines to the file. These commands allow the `telegraf` user
to call `fail2ban-client` without needing to provide a password and disable
logging of the call in auth.log. Consult `man 8 visudo` and `man 5
sudoers` for details.

```
Cmnd_Alias FAIL2BAN = /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status *
telegraf ALL=(root) NOEXEC: NOPASSWD: FAIL2BAN
Defaults!FAIL2BAN !logfile, !syslog, !pam_session
```

### Metrics

- fail2ban
  - tags:
    - jail
  - fields:
    - failed (integer, count)
    - banned (integer, count)

### Example Output

```
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed: 20
|  `- File list: /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned: 10
   `- Banned IP list: 192.168.0.1 192.168.0.2
```
```
fail2ban,jail=sshd failed=5i,banned=2i 1495868667000000000
```