
Fail2Ban Logs

Fail2Ban log analysis based on Loki and Promtail.

This dashboard uses Loki and Promtail to scrape fail2ban logs. You need separate Loki and Promtail instances running to serve the data to Grafana (Grafana queries Loki through a Loki data source). You can rename the labels to arbitrary values; the dashboard supports selection based on labels.
I use this setup with a fail2ban Docker image, so keep that in mind when reading through the docs.
The dashboard and the config are mostly based on this great gist and this piece.
This is the docker-compose.yml I use:

```yaml
version: '3'

services:

  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    restart: "unless-stopped"
    # host networking plus NET_ADMIN/NET_RAW is what lets the container
    # manage the host firewall; treat it as a privileged service
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      # stores filter.d, action.d and jail.d folders
      - ./fail2ban-data:/data
      # accesses logs from host machine
      - /var/log:/var/log:ro
      - /var/lib/docker/containers/:/container-logs/:ro
      - /etc/localtime:/etc/localtime:ro
      # shared folder for logs
      - ./fail2ban-logs:/fail2ban-logs
    environment:
      # reroute log to fail2ban.log file
      - F2B_LOG_TARGET=/fail2ban-logs/fail2ban.log
      - F2B_LOG_LEVEL=INFO
      - F2B_DB_PURGE_AGE=1d
      - F2B_MAX_RETRY=3
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "10"

  promtail:
    image: grafana/promtail:latest
    container_name: promtail
    restart: unless-stopped
    command: -config.file=/etc/promtail/docker-config.yaml
    volumes:
      # folder for promtail config
      - ./promtail:/etc/promtail
      # accesses fail2ban shared folder; the container path must match
      # __path__ in the promtail config below
      - ./fail2ban-logs:/var/log/fail2ban:ro

  loki:
    image: grafana/loki:main
    container_name: loki
    restart: always
    # Loki has no authentication of its own. This publishes port 3100 on every
    # host interface so that Grafana can reach it; bind it to a private address
    # or put an authenticating proxy in front of it on any host that is
    # reachable from untrusted networks.
    ports:
      - 3100:3100
    volumes:
      - ./loki:/loki
```

And this is the ./promtail/docker-config.yaml:
(Feel free to adjust the instance, app and env labels to your preferences.)

```yaml
server:
  http_listen_port: 9080
  grpc_listen_port: 0
positions:
  # Not persisted by the compose file above: when the container is recreated,
  # promtail forgets its offset and reads fail2ban.log from the beginning
  # again. Mount a volume for this path if that matters to you.
  filename: /tmp/positions.yaml
clients:
  - url: http://loki:3100/loki/api/v1/push
scrape_configs:

  - job_name: fail2ban
    static_configs:
      - targets:
        - localhost
        labels:
          __path__: /var/log/fail2ban/fail2ban.log
          # promtail does not derive a job label from job_name; the match
          # stage below selects on {job="fail2ban"}, so set it explicitly
          job: fail2ban
          instance: your-instance-identifier
          app: fail2ban
          env: test-env
    pipeline_stages:
      # fail2ban writes Python tracebacks over several lines; glue them onto
      # the preceding timestamped line so the regex below sees one record
      - multiline:
          firstline: '\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}'
      # Folded scalar: YAML joins these lines with single spaces, which is
      # what the literal spaces between the groups rely on
      - regex:
          expression: >-
            ^(?s)(?P<time>\S+? \S+?)
            (fail2ban\.)(?P<component>\S+)\s*
            \[(?P<pid>\S+)\]:
            (?P<priority>\S+)\s*
            (?P<message>.*?)$
      - timestamp:
          source: time
          format: '2006-01-02 15:04:05,000'
          # fail2ban logs local time (the compose file mounts /etc/localtime);
          # the timestamp stage assumes UTC unless you set
          # location: <IANA time zone> here
      # component and priority are low-cardinality; pid is deliberately
      # extracted but not turned into a label
      - labels:
          component:
          priority:
      - output:
          source: message
      # Extract jail from message, if present
      - match:
          # Two levels of quoting meet here: YAML single quotes pass the
          # string through verbatim, then LogQL unquotes the double-quoted
          # literal like a Go string, so "\\[\\S+\\] .*" becomes the regex
          # \[\S+\] .* . With four backslashes a literal backslash survives
          # into the regex and the filter never matches.
          selector: '{job="fail2ban"} |~ "\\[\\S+\\] .*"'
          stages:
            - regex:
                expression: '(\[(?P<jail>\S+)\] )?(?P<message>.*?)$'
            - labels:
                jail:
            - output:
                source: message
      - labeldrop:
          - filename
```
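
The stages above, replayed outside promtail: an added example written for this page (not the dashboard's, promtail's or Loki's code) that runs the same multiline merge, main regex, label and output handling, and conditional jail extraction over a few constructed fail2ban log lines. It uses Go's regexp package because that is the engine promtail compiles these expressions with, and it shows what LogQL makes of the `|~` filter at each level of backslash-doubling: the double-quoted literal is unquoted like a Go string before it is compiled as a regex. The function names, the sample lines, the pid and the address are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample of what fail2ban writes to /fail2ban-logs/fail2ban.log
// (pid, address and the traceback are made up for this example).
const sampleLog = `2024-03-01 10:15:42,123 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.7 - 2024-03-01 10:15:42
2024-03-01 10:15:43,001 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.7
2024-03-01 10:15:44,500 fail2ban.server         [1234]: ERROR   Unhandled exception in Fail2Ban:
Traceback (most recent call last):
ValueError: constructed example
2024-03-01 10:15:45,000 fail2ban.server         [1234]: INFO    Exiting Fail2ban
`

// Entry is one record after the pipeline: the parsed timestamp, the labels the
// labels stages attach, and the line the output stages leave behind.
type Entry struct {
	Time   string
	Labels map[string]string
	Line   string
}

// firstLine is the multiline stage's `firstline` pattern.
var firstLine = regexp.MustCompile(`^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}`)

// mainRe is the folded (>-) expression exactly as promtail receives it: YAML
// joins the continuation lines with single spaces.
var mainRe = regexp.MustCompile(`^(?s)(?P<time>\S+? \S+?) (fail2ban\.)(?P<component>\S+)\s* \[(?P<pid>\S+)\]: (?P<priority>\S+)\s* (?P<message>.*?)$`)

// jailRe is the regex of the nested match stage.
var jailRe = regexp.MustCompile(`(\[(?P<jail>\S+)\] )?(?P<message>.*?)$`)

// logqlLineFilter takes the double-quoted literal of a `|~` filter as it sits
// inside the YAML single quotes, unquotes it the way the LogQL lexer does
// (strconv.Unquote, i.e. Go string escapes) and compiles what is left.
func logqlLineFilter(literal string) (*regexp.Regexp, error) {
	pattern, err := strconv.Unquote(literal)
	if err != nil {
		return nil, fmt.Errorf("LogQL literal %s: %w", literal, err)
	}
	return regexp.Compile(pattern)
}

// mergeMultiline glues lines that do not start with a timestamp onto the
// preceding record, as the multiline stage does.
func mergeMultiline(raw string) []string {
	var records []string
	for _, l := range strings.Split(strings.TrimRight(raw, "\n"), "\n") {
		if firstLine.MatchString(l) || len(records) == 0 {
			records = append(records, l)
		} else {
			records[len(records)-1] += "\n" + l
		}
	}
	return records
}

// parseRecord runs the regex, labels, output and match stages over one record.
func parseRecord(record string, jailFilter *regexp.Regexp) (Entry, bool) {
	m := mainRe.FindStringSubmatch(record)
	if m == nil {
		return Entry{}, false
	}
	e := Entry{
		Time: m[mainRe.SubexpIndex("time")],
		Labels: map[string]string{
			"component": m[mainRe.SubexpIndex("component")],
			"priority":  m[mainRe.SubexpIndex("priority")],
		},
		Line: m[mainRe.SubexpIndex("message")],
	}
	// match stage: the nested stages only run when the line passes the |~ filter
	if jailFilter.MatchString(e.Line) {
		if jm := jailRe.FindStringSubmatch(e.Line); jm != nil && jm[jailRe.SubexpIndex("jail")] != "" {
			e.Labels["jail"] = jm[jailRe.SubexpIndex("jail")]
			e.Line = jm[jailRe.SubexpIndex("message")]
		}
	}
	return e, true
}

// parseLog runs the whole pipeline over raw log text.
func parseLog(raw string, jailFilter *regexp.Regexp) []Entry {
	var out []Entry
	for _, rec := range mergeMultiline(raw) {
		if e, ok := parseRecord(rec, jailFilter); ok {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	// What each level of backslash-doubling in the selector turns into.
	for _, lit := range []string{`"\[\S+\] .*"`, `"\\[\\S+\\] .*"`, `"\\\\[\\\\S+\\\\] .*"`} {
		re, err := logqlLineFilter(lit)
		if err != nil {
			fmt.Printf("%-24s -> rejected by LogQL: %v\n", lit, err)
			continue
		}
		fmt.Printf("%-24s -> regex %-16q matches \"[sshd] Ban\": %v\n", lit, re.String(), re.MatchString("[sshd] Ban 203.0.113.7"))
	}
	filter, _ := logqlLineFilter(`"\\[\\S+\\] .*"`)
	for _, e := range parseLog(sampleLog, filter) {
		fmt.Printf("%s labels=%v line=%q\n", e.Time, e.Labels, e.Line)
	}
}
```

Run it with `go run`: the single-backslash literal is rejected by the unquoting step, the four-backslash literal compiles but never matches a `[jail]` prefix, and only the doubled form yields `\[\S+\] .*`. The record dump shows the traceback merged into the ERROR record, `component` and `priority` on every entry, and `jail=sshd` only on the two lines that carried a jail prefix.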
