This content pack install a pipeline (with pipeline rules) and a grok pattern.
This pipeline parse fail2ban log received with a GROK pattern to create fields such as clientip to use with Graylog Geolocation.
2020-03-27 20:16:27,162 fail2ban.actions [2667]: NOTICE [sshd] Ban 1.1.1.1
f2b_timestamp: 2018-02-09 10:05:21,431
action: Ban
clientip: 1.1.1.1
digit: 2667
log_level: NOTICE
method: actions
service: sshd
src_app: fail2ban
I personally use filebeat to collect logs.
To better filter logs this pipeline rule search for specific additional field called log_application with the value of fail2ban.
You can customize this field as you want editing content-pack.json
"source": {
"@type": "string",
"@value": "rule \"Is Fail2ban\"\nwhen\n has_field(\"log_application\") and to_string($message.log_application) == \"fail2ban\"\nthen\nend"
}
You can add additional custom fields directly from Graylog Beats Input Configuration
Go to Graylog Admin Interface -> System -> Content Packs then click Upload button and select content-pack.json file.
Follow the instructions to enable Graylog Geolocation and you will be able to create your dashboard.
GROK pattern was inspired from https://github.com/kurobeats/Fail2ban-GROK-Log-Pattern/blob/master/27-fail2ban_log.conf
This project is licensed under the MIT License.
See LICENSE.md for details.