dom

telegraf

History

Daniel Nelson 364bf38b4a Update fail2ban readme		2019-08-02 12:35:43 -07:00
..
README.md	Update fail2ban readme	2019-08-02 12:35:43 -07:00
fail2ban.go	Update fail2ban documentation	2017-08-25 11:42:07 -07:00
fail2ban_test.go	Add input plugin for Fail2ban (#2875 )	2017-06-21 12:42:13 -07:00

README.md

Fail2ban Input Plugin

The fail2ban plugin gathers the count of failed and banned ip addresses using fail2ban.

This plugin runs the fail2ban-client command which generally requires root access. Acquiring the required permissions can be done using several methods:

Use sudo run fail2ban-client.
Run telegraf as root. (not recommended)

Configuration

# Read metrics from fail2ban.
[[inputs.fail2ban]]
  ## Use sudo to run fail2ban-client
  use_sudo = false

Using sudo

Make sure to set use_sudo = true in your configuration file.

You will also need to update your sudoers file. It is recommended to modify a file in the /etc/sudoers.d directory using visudo:

$ sudo visudo -f /etc/sudoers.d/telegraf

Add the following lines to the file, these commands allow the telegraf user to call fail2ban-client without needing to provide a password and disables logging of the call in the auth.log. Consult man 8 visudo and man 5 sudoers for details.

Cmnd_Alias FAIL2BAN = /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status *
telegraf  ALL=(root) NOEXEC: NOPASSWD: FAIL2BAN
Defaults!FAIL2BAN !logfile, !syslog, !pam_session

Metrics

fail2ban
- tags:
  - jail
- fields:
  - failed (integer, count)
  - banned (integer, count)

Example Output

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed:     20
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned:     10
   `- Banned IP list:   192.168.0.1 192.168.0.2

fail2ban,jail=sshd failed=5i,banned=2i 1495868667000000000