Fail2ban Monitoring

Why use a Telegraf plugin for Fail2ban?

Fail2ban is an intrusion prevention framework that protects servers from brute-force attacks. The Fail2ban Telegraf plugin lets you collect the failed and banned IP address counts and monitor them over time.

How to monitor Fail2ban using the Telegraf plugin

The Fail2ban Telegraf Plugin gathers the count of failed and banned IP addresses using Fail2ban.

This plugin runs the fail2ban-client command, which generally requires root access. The required permissions can be granted in one of the following ways:

  • Use sudo to run fail2ban-client.
  • Run telegraf as root (not recommended).

Example output

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed:     20
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned:     10
   `- Banned IP list:   192.168.0.1 192.168.0.2

fail2ban,jail=sshd failed=5i,banned=2i 1495868667000000000
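
As an added illustration (not the plugin's own code), this Python sketch parses the status output above and builds the line-protocol record shown, taking its values from the "Currently failed" and "Currently banned" counters. The function names and the tag-escaping step are assumptions made for this example.

```python
import re

# Constructed sample: the `fail2ban-client status sshd` output shown above.
SAMPLE_STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed:     20
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned:     10
   `- Banned IP list:   192.168.0.1 192.168.0.2
"""

# Tree-drawing prefix (|, `, -, spaces), then "key: value".
_LINE = re.compile(r"^[|`\-\s]*([^:]+):\s*(.*)$")


def parse_status(text):
    """Return (jail, {lowercased key: value}) from one jail's status output."""
    jail, values = None, {}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue  # section headers such as "|- Filter" carry no value
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "status for the jail":
            jail = value
        else:
            values[key] = value
    if jail is None:
        raise ValueError("no 'Status for the jail' line found")
    return jail, values


def to_line_protocol(text, timestamp_ns):
    """Build the fail2ban measurement from the 'Currently' counters only."""
    jail, v = parse_status(text)
    try:
        failed = int(v["currently failed"])
        banned = int(v["currently banned"])
    except (KeyError, ValueError) as exc:
        raise ValueError(f"jail {jail}: missing or non-numeric counter") from exc
    # Escape characters that are special in line-protocol tag values.
    tag = re.sub(r"([,= ])", r"\\\1", jail)
    return f"fail2ban,jail={tag} failed={failed}i,banned={banned}i {timestamp_ns}"
```

The "Total" counters and the banned IP list are parsed but do not appear in the emitted record, which matches the example line above.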

Key Fail2ban metrics to use for monitoring

Some of the important Fail2ban metrics that you should proactively monitor include:

  • tags:
    • jail
  • fields:
    • failed (integer, count)
    • banned (integer, count)

For more information, please check out the documentation.
