LinuxQuestions.org > Forums > Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
04-30-2014, 03:11 PM   #1
Habitual, LQ Veteran (Registered: Jan 2011; Location: Abingdon, VA; Distribution: Catalina)
fail2ban.log and rsyslog

Using rsyslog 5.8.6 on my client, I can't seem to get /var/log/fail2ban.log from the client over to my rsyslogd 7.6.3 server.

Fail2ban on the client is v0.8.6

in /etc/fail2ban/fail2ban.conf:
Code:
# Fail2Ban configuration file
[Definition]
loglevel = 3
# log via syslog(3) rather than straight to a file
logtarget = SYSLOG
# facility 22 = local6
syslog-facility = 22
syslog-target = /var/log/fail2ban.log
in /etc/rsyslog.conf I set:
Code:
# 04/30/2014 11:44:50 AM
# load the text-file input module
$ModLoad imfile
# File /var/log/fail2ban.log
$InputFileName /var/log/fail2ban.log
# tag prepended to each forwarded line
$InputFileTag c9mail_fail2ban
# offset bookkeeping file, kept under $WorkDirectory; must be unique per monitored file
$InputFileStateFile state-fail2ban-entries
# these take real syslog names, not the literal words "severity"/"facility";
# local6 is facility 22, matching syslog-facility = 22 in fail2ban.conf
$InputFileSeverity info
$InputFileFacility local6
# start polling the file with the settings above
$InputRunFileMonitor

# forward everything; a single @ means UDP (use @@ for TCP)
*.* @<ip>:514
This gives me fail2ban* files on the rsyslog host-server:
Code:
fail2ban.filter.log
fail2ban.jail.log
fail2ban.server.log
But there's no record of any IPs that are banned.
I tried setting one manually using fail2ban-client using
Code:
fail2ban-client set zimbra banip 46.201.148.246
but this barfs with
Code:
WARNING 'socket' not defined in 'Definition'. Using default value
46.201.148.246
I "may" have to wait for fail2ban to do a ban automatically to see /var/log/firewall.log populated.

I have bounced rsyslogd and fail2ban during this time and it has made little difference.

So, is there something I have missed?

Thanks!

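A lint for the rsyslog side of the setup described in this post, added here as an example and not part of the original thread. It parses a legacy-format `$Input*` stanza, flags the two placeholder words where rsyslog expects real severity and facility names, notes a tag without a trailing colon and a plaintext UDP forward, and computes the PRI value (facility*8 + severity) that forwarded messages will carry, which is handy for matching them on the receiving host. The sample stanza is the one posted above with the documentation address 192.0.2.10 substituted for `<ip>`; the fallback values it assumes (severity notice, facility local0) are rsyslog's documented imfile defaults.

```python
"""Lint a legacy-format rsyslog imfile stanza before restarting rsyslogd."""
import re

# Standard syslog facility and severity numbers (RFC 5424 section 6.2.1).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}

# rsyslog's own imfile defaults when the directive is omitted.
DEFAULT_SEVERITY, DEFAULT_FACILITY = "notice", "local0"

# Constructed sample: the stanza from the post, with an RFC 5737
# documentation address standing in for the real "<ip>".
SAMPLE = """\
$ModLoad imfile
$InputFileName /var/log/fail2ban.log
$InputFileTag c9mail_fail2ban
$InputFileStateFile state-fail2ban-entries
$InputFileSeverity severity
$InputFileFacility facility
$InputRunFileMonitor

*.* @192.0.2.10:514
"""

# selector  @host[:port] (UDP) or @@host[:port] (TCP)
FORWARD = re.compile(r"^(?P<sel>\S+)\s+(?P<at>@@?)(?P<host>[^:\s]+)(?::(?P<port>\d+))?$")


def parse_legacy(text):
    """Split a legacy rsyslog fragment into ordered ($directive, value) pairs and selector lines."""
    pairs, selectors = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$"):
            name, _, value = line.partition(" ")
            pairs.append((name, value.strip()))
        else:
            selectors.append(line)
    return pairs, selectors


def lint(text):
    """Return a list of human-readable problems; an empty list means the stanza looks sane."""
    pairs, selectors = parse_legacy(text)
    d = dict(pairs)  # last occurrence wins, as in rsyslog
    loaded = {v for n, v in pairs if n == "$ModLoad"}
    problems = []
    if "imfile" not in loaded:
        problems.append("imfile is not loaded ($ModLoad imfile)")
    if "$InputFileName" not in d:
        problems.append("$InputFileName missing: nothing to read")
    if "$InputRunFileMonitor" not in d:
        problems.append("$InputRunFileMonitor missing: the file is configured but never polled")
    sev = d.get("$InputFileSeverity", DEFAULT_SEVERITY).lower()
    fac = d.get("$InputFileFacility", DEFAULT_FACILITY).lower()
    if sev not in SEVERITIES:
        problems.append(f"$InputFileSeverity {sev!r} is not a severity name (use e.g. info)")
    if fac not in FACILITIES:
        problems.append(f"$InputFileFacility {fac!r} is not a facility name (use e.g. local6)")
    tag = d.get("$InputFileTag", "")
    if tag and not tag.endswith(":"):
        problems.append(f"$InputFileTag {tag!r} has no trailing colon; it runs straight into the message text")
    for sel in selectors:
        m = FORWARD.match(sel)
        if m and m.group("at") == "@":
            problems.append(f"{sel!r} forwards over plain UDP: lossy and unauthenticated; prefer @@ (TCP) or TLS")
    return problems


def pri(facility, severity):
    """PRI value (<NNN>) carried by a forwarded message: facility*8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


if __name__ == "__main__":
    for p in lint(SAMPLE):
        print("WARN:", p)
    print("expected PRI for local6/info:", pri("local6", "info"))
```

Run it against the stanza before bouncing rsyslogd; once the four warnings are gone, a `tcpdump -A port 514` on the server should show lines starting with `<182>` for local6/info.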
 
04-30-2014, 03:12 PM   #2
szboardstretcher, Senior Member (Registered: Aug 2006; Location: Detroit, MI; Distribution: GNU/Linux systemd)
First thought is permissions.

04-30-2014, 03:19 PM   #3
Habitual (Original Poster)
Thanks.

kern.log works fine, so I compared:
Code:
-rw-r----- 1 root   adm 20834 Apr 30 19:48 /var/log/fail2ban.log
-rw-r----- 1 syslog adm  4818 Apr 30 20:09 /var/log/kern.log
and set:
Code:
-rw-r----- 1 syslog adm 20834 Apr 30 19:48 /var/log/fail2ban.log
-rw-r----- 1 syslog adm  4818 Apr 30 20:09 /var/log/kern.log
and bounced:
I did get a "new" file that I expect to be where I'd see some f2b 'actions' set, fail2ban.actions.log

but it only shows:
Code:
Apr 30 20:17:00 cirrhus9a fail2ban.actions: INFO   Set banTime = 31556926
Apr 30 20:17:00 cirrhus9a fail2ban.actions: INFO   Set banTime = 31556926
Small 'progress' I guess.
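Since the permissions hint is what this post acts on, here is the access decision spelled out, as an added example that is not from the thread. Given an `ls -l` line and the account rsyslog runs as (on Ubuntu that is `syslog`, which the rsyslog package puts in group `adm`), it applies the classic owner/group/other rule and reports which bits grant or deny the read, so you can tell whether a chown is actually needed. It ignores POSIX ACLs, capabilities and MAC such as SELinux or AppArmor. The two listings are the ones posted above; get the real group list on the client with `id -Gn syslog`.

```python
"""Decide whether a service account can read a file, from an ls -l line (Unix DAC only)."""
import re

# "-rw-r----- 1 root adm 20834 Apr 30 19:48 /var/log/fail2ban.log"
LS_LINE = re.compile(
    r"^(?P<ftype>[-dlcbps])(?P<perm>[rwxsStT-]{9})[.+]?\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\w{3}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4})\s+(?P<path>.+)$"
)

# The two listings from the post, used here as constructed sample input.
SAMPLE = [
    "-rw-r----- 1 root   adm 20834 Apr 30 19:48 /var/log/fail2ban.log",
    "-rw-r----- 1 syslog adm  4818 Apr 30 20:09 /var/log/kern.log",
]


def parse_ls(line):
    """Return the fields of one `ls -l` line as a dict."""
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    return m.groupdict()


def can_read(line, user, groups):
    """Classic Unix DAC: owner bits if we own the file, else group bits if we
    are in its group, else the other bits. `groups` is every group `user`
    belongs to (the output of `id -Gn user`). Returns (allowed, reason)."""
    f = parse_ls(line)
    r = f["perm"]
    if user == "root":
        return True, "root: CAP_DAC_READ_SEARCH bypasses the mode bits"
    if f["owner"] == user:
        return r[0] == "r", f"owner bits {r[0:3]} ({user} owns {f['path']})"
    if f["group"] in groups:
        return r[3] == "r", f"group bits {r[3:6]} via group {f['group']}"
    return r[6] == "r", f"other bits {r[6:9]} (not owner, not in group {f['group']})"


def report(lines, user, groups):
    """Return {path: allowed} for each listing line."""
    return {parse_ls(l)["path"]: can_read(l, user, groups)[0] for l in lines}


if __name__ == "__main__":
    for line in SAMPLE:
        ok, why = can_read(line, "syslog", {"syslog", "adm"})
        print("READ" if ok else "DENY", parse_ls(line)["path"], "-", why)
```

With root:adm and mode 0640, the read succeeds through the group bits only if `syslog` really is in `adm`; if `id -Gn syslog` does not list `adm`, that is the thing to fix, and the DENY line tells you so without guessing.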
 
04-30-2014, 03:25 PM   #4
szboardstretcher
Well, it's a start anyway! As you are certainly aware, it is best to start at the first step of setup and work to the end and double-check everything, before filing a bug report.

What is your rsyslog config of kernel compared to fail2ban?

Do you have selinux enabled? I've had trouble with rsyslog and varnish because of selinux.

04-30-2014, 03:40 PM   #5
Habitual (Original Poster)
Quote:
Originally Posted by szboardstretcher
Well, it's a start anyway! As you are certainly aware, it is best to start at the first step of setup and work to the end and double-check everything, before filing a bug report.

What is your rsyslog config of kernel compared to fail2ban?

Do you have selinux enabled? I've had trouble with rsyslog and varnish because of selinux.
You edit almost as much as I do!

I set this after comparing to another f2b client I have and noticed these entries missing.
Code:
# [Definition] section of /etc/fail2ban/fail2ban.conf;
# fail2ban-client talks to the running server over this socket
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
in /etc/fail2ban/fail2ban.conf and bounced f2b and now I am able to use
Code:
fail2ban-client set zimbra banip 46.201.148.246
without error AND this shows up in fail2ban.actions.log on the rsyslog-server:
Code:
Apr 30 20:35:01 cirrhus9a fail2ban.actions: WARNING [zimbra] Ban 46.201.148.246
It's a Good Day!

Thanks!
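To confirm the end-to-end path on the rsyslog server once bans show up, an added example that is not from the thread: it parses fail2ban.actions lines in the format shown above, skips INFO chatter such as `Set banTime`, and replays Ban/Unban events into a per-jail set of currently banned addresses, with a small summary of how many events arrived and from which hosts. The sample lines are the three posted in this thread plus a constructed Ban/Unban pair for the RFC 5737 address 198.51.100.7 in a hypothetical `ssh` jail; the `Unban` line uses the same shape fail2ban writes for unbans.

```python
"""Extract ban state from fail2ban.actions lines as received on the rsyslog server."""
import re
from collections import defaultdict

# Format as seen in the thread:
# "Apr 30 20:35:01 cirrhus9a fail2ban.actions: WARNING [zimbra] Ban 46.201.148.246"
ACTION = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"fail2ban\.actions:\s+(?P<level>[A-Z]+)\s+\[(?P<jail>[^\]]+)\]\s+"
    r"(?P<verb>Ban|Unban)\s+(?P<ip>\S+)$"
)

# Constructed sample: the three lines posted in the thread plus a ban/unban
# pair for an RFC 5737 documentation address in a made-up "ssh" jail.
SAMPLE = [
    "Apr 30 20:17:00 cirrhus9a fail2ban.actions: INFO   Set banTime = 31556926",
    "Apr 30 20:17:00 cirrhus9a fail2ban.actions: INFO   Set banTime = 31556926",
    "Apr 30 20:35:01 cirrhus9a fail2ban.actions: WARNING [zimbra] Ban 46.201.148.246",
    "Apr 30 20:36:12 cirrhus9a fail2ban.actions: WARNING [ssh] Ban 198.51.100.7",
    "Apr 30 20:46:12 cirrhus9a fail2ban.actions: WARNING [ssh] Unban 198.51.100.7",
]


def parse_actions(lines):
    """Return Ban/Unban events in file order; startup chatter (Set banTime etc.) is skipped."""
    events = []
    for line in lines:
        m = ACTION.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def currently_banned(lines):
    """Replay events and return {jail: set(ip)} for addresses still banned at the end."""
    banned = defaultdict(set)
    for ev in parse_actions(lines):
        if ev["verb"] == "Ban":
            banned[ev["jail"]].add(ev["ip"])
        else:
            banned[ev["jail"]].discard(ev["ip"])
    return {jail: ips for jail, ips in banned.items() if ips}


def forwarding_check(lines):
    """Summarise what reached the server: number of Ban/Unban events and the
    client hostnames that reported them. Zero events alongside INFO lines means
    the stream arrives but no ban has been logged yet."""
    events = parse_actions(lines)
    return {
        "ban_events": len(events),
        "reporting_hosts": sorted({ev["host"] for ev in events}),
    }


if __name__ == "__main__":
    print(forwarding_check(SAMPLE))
    print(currently_banned(SAMPLE))
```

Point it at the server-side fail2ban.actions.log; after the manual `fail2ban-client set zimbra banip` above, `currently_banned` should list 46.201.148.246 under `zimbra`, and a client host missing from `reporting_hosts` is one whose forwarding is not working.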
 
04-30-2014, 03:43 PM   #6
szboardstretcher
I probably over-edit. But it seems like after I reply, I have more ideas... :/ I'm slow like that.

Wonderful my friend, glad it worked out. Thanks for posting the solution!

On another note, I used zimbra for a minute, but ended up using Zentyal community instead. Here is a link:

http://www.zentyal.org/

Very nice SBS with good AD compatibility.


04-30-2014, 03:52 PM   #7
Habitual (Original Poster)
Quote:
Originally Posted by szboardstretcher
I probably over-edit. But it seems like after I reply, I have more ideas... :/ I'm slow like that.
Me too.
I have 3 brain cells left and 2 are fighting at the moment.
Once the remaining one calls "timeout", then I have a chance to think and re-edit.

Plus, I don't get off the terminal much, so I don't communicate with people too well.

It's hard for me to communicate to others in simplistic terms what the issue is.
My brain goes full throttle 24/7/365

Peace.
 
  


All times are GMT -5.