telegraf/plugins/inputs/fail2ban

Fail2ban Input Plugin

The fail2ban plugin gathers the count of failed and banned ip addresses using fail2ban.

This plugin runs the fail2ban-client command which generally requires root access. Acquiring the required permissions can be done using several methods:

• Use sudo run fail2ban-client.
• Run telegraf as root. (not recommended)

Configuration

# Read metrics from fail2ban.
[[inputs.fail2ban]]
  ## Use sudo to run fail2ban-client
  use_sudo = false

Using sudo

Make sure to set use_sudo = true in your configuration file.

You will also need to update your sudoers file. It is recommended to modify a file in the /etc/sudoers.d directory using visudo:

$ sudo visudo -f /etc/sudoers.d/telegraf

Add the following lines to the file, these commands allow the telegraf user to call fail2ban-client without needing to provide a password and disables logging of the call in the auth.log. Consult man 8 visudo and man 5 sudoers for details.

Cmnd_Alias FAIL2BAN = /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status *
telegraf  ALL=(root) NOEXEC: NOPASSWD: FAIL2BAN
Defaults!FAIL2BAN !logfile, !syslog, !pam_session

Metrics

• fail2ban
  • tags:
    • jail
  • fields:
    • failed (integer, count)
    • banned (integer, count)

Example Output

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed:     20
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned:     10
   `- Banned IP list:   192.168.0.1 192.168.0.2

fail2ban,jail=sshd failed=5i,banned=2i 1495868667000000000