LinuxQuestions.org > Linux - Security > fail2ban.log and rsyslog
(https://www.linuxquestions.org/questions/linux-security-4/fail2ban-log-and-rsyslog-4175503486/)

Habitual 04-30-2014 03:11 PM

fail2ban.log and rsyslog
 
Using rsyslog 5.8.6 on my client, I can't seem to get /var/log/fail2ban.log from the client over to my rsyslogd 7.6.3 server.

Fail2ban on the client is v0.8.6

In /etc/fail2ban/fail2ban.conf:
Code:

# Fail2Ban configuration file
[Definition]
loglevel = 3
logtarget = SYSLOG
syslog-facility = 22
syslog-target = /var/log/fail2ban.log

In /etc/rsyslog.conf I set:
Code:

# 04/30/2014 11:44:50 AM
$ModLoad imfile
# File /var/log/fail2ban.log
$InputFileName /var/log/fail2ban.log
$InputFileTag c9mail_fail2ban
$InputFileStateFile state-fail2ban-entries
$InputFileSeverity severity
$InputFileFacility facility
$InputRunFileMonitor

*.* @<ip>:514

This gives me fail2ban* files on the rsyslog host-server:
Code:

fail2ban.filter.log
fail2ban.jail.log
fail2ban.server.log

But there's no record of any IPs that are banned.
I tried setting one manually using fail2ban-client using
Code:

fail2ban-client set zimbra banip 46.201.148.246

but this barfs with
Code:

WARNING 'socket' not defined in 'Definition'. Using default value
46.201.148.246

I "may" have to wait for fail2ban to do a ban automatically to see /var/log/firewall.log populated.

I have bounced rsyslogd and fail2ban during this time and it has made little difference.

So, is there something I have missed?

Thanks!

szboardstretcher 04-30-2014 03:12 PM

First thought is permissions.

Habitual 04-30-2014 03:19 PM

Thanks.

kernel.log works fine, so I compared:
Code:

-rw-r----- 1 root  adm 20834 Apr 30 19:48 /var/log/fail2ban.log
-rw-r----- 1 syslog adm  4818 Apr 30 20:09 /var/log/kern.log

and set:
Code:

-rw-r----- 1 syslog adm 20834 Apr 30 19:48 /var/log/fail2ban.log
-rw-r----- 1 syslog adm  4818 Apr 30 20:09 /var/log/kern.log

and bounced:
I did get a "new" file that I expect to be where I'd see some f2b 'actions' set, fail2ban.actions.log

but it only shows:
Code:

Apr 30 20:17:00 cirrhus9a fail2ban.actions: INFO  Set banTime = 31556926
Apr 30 20:17:00 cirrhus9a fail2ban.actions: INFO  Set banTime = 31556926

Small 'progress' I guess.

szboardstretcher 04-30-2014 03:25 PM

Well, it's a start anyway! As you are certainly aware, it is best to start at the first step of setup, and work to the end and double-check everything, before filing a bug report :)

What is your rsyslog config of kernel compared to fail2ban?

Do you have SELinux enabled? I've had trouble with rsyslog and Varnish because of SELinux.

Habitual 04-30-2014 03:40 PM

Quote:

Originally Posted by szboardstretcher (Post 5162158)
Well, it's a start anyway! As you are certainly aware, it is best to start at the first step of setup, and work to the end and double-check everything, before filing a bug report :)

What is your rsyslog config of kernel compared to fail2ban?

Do you have SELinux enabled? I've had trouble with rsyslog and Varnish because of SELinux.

You edit almost as much as I do! ;)

I set this after comparing to another f2b client I have and noticed these entries missing.
Code:

socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid

in /etc/fail2ban/fail2ban.conf and bounced f2b and now I am able to use
Code:

fail2ban-client set zimbra banip 46.201.148.246

without error AND this shows up in fail2ban.actions.log on the rsyslog-server:
Code:

Apr 30 20:35:01 cirrhus9a fail2ban.actions: WARNING [zimbra] Ban 46.201.148.246

It's a Good Day!

Thanks!
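The two faults found in this thread (fail2ban.conf with no socket/pidfile, and /var/log/fail2ban.log not readable by the account rsyslog runs as) can be checked before restarting anything. The script below is an added example, not code from the thread, fail2ban or rsyslog; it assumes GNU stat and id, and reuses the paths posted above.

```sh
#!/bin/sh
# Added example (not from the thread, fail2ban or rsyslog): preflight checks
# for the two faults found above: fail2ban.conf lacking socket/pidfile, and
# /var/log/fail2ban.log not readable by rsyslog's unprivileged user.

# check_f2b_conf CONF: report each required key missing from CONF.
# Returns 0 when socket, pidfile and logtarget are all defined, else 1.
check_f2b_conf() {
    conf="$1"; rc=0
    for key in socket pidfile logtarget; do
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$conf"; then
            echo "$conf: '$key' not defined"
            rc=1
        fi
    done
    return $rc
}

# check_readable FILE USER: 0 if USER can read FILE through the owner, group
# or other permission bits (the thread's fix was chown to syslog:adm).
# Looks at the mode bits only, so it still says "no" when run as root.
# Assumes GNU stat (-c) and id -Gn, as on the client in the thread.
check_readable() {
    file="$1"; user="$2"
    owner=$(stat -c %U "$file") || return 1
    group=$(stat -c %G "$file") || return 1
    mode=$(stat -c %a "$file") || return 1
    mode=${mode#${mode%???}}        # keep the last three octal digits
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}
    if [ "$owner" = "$user" ]; then
        bit=$u
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        bit=$g
    else
        bit=$o
    fi
    case $bit in
        [4-7]) return 0 ;;
        *) echo "$file: mode $mode, owner $owner:$group, unreadable by $user"
           return 1 ;;
    esac
}

# Run both checks against the paths from the thread:  sh f2b-check.sh run
f2b_selfcheck() {
    all=0
    check_f2b_conf /etc/fail2ban/fail2ban.conf || all=1
    check_readable /var/log/fail2ban.log syslog || all=1
    return $all
}
if [ "${1:-}" = "run" ]; then f2b_selfcheck; fi
```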

szboardstretcher 04-30-2014 03:43 PM

I probably over-edit. But it seems like after I reply, I have more ideas... :/ I'm slow like that.

Wonderful my friend, glad it worked out. Thanks for posting the solution!

On another note, I used Zimbra for a minute, but ended up using Zentyal community instead. Here is a link:

http://www.zentyal.org/

Very nice SBS with good AD compatibility.

Habitual 04-30-2014 03:52 PM

Quote:

Originally Posted by szboardstretcher (Post 5162167)
I probably over-edit. But it seems like after I reply, I have more ideas... :/ I'm slow like that.

Me too.
I have 3 brain cells left and 2 are fighting at the moment.
Once the remaining one calls "timeout", then I have a chance to think and re-edit.

Plus, I don't get off the terminal much, so I don't communicate with people too well.

It's hard for me to communicate to others in simplistic terms what the issue is.
My brain goes full throttle 24/7/365.

Peace.

All times are GMT -5.