On Tue, 31 Jan 2017, James wrote:

Hi,

I'm new to rsyslog, trying to get something fairly basic to work but
failing to follow the documentation it seems.

I use fail2ban which is hard-coded to output its syslog at facility
"daemon". I could edit the source, but would rather skin the cat another
way.

daemon.* obviously has lots of other stuff (DHCP, Automount, etc) and I'd
like to filter it. I want to send all fail2ban logs to a separate file and
I want to send the lines specific to ban/unbans to a remote server. What
I've got in my rsyslog.conf is:

#Log all fail2ban locally
:syslogtag, contains, "fail2ban"
daemon.* /var/log/fail2ban.log

You have two different statements here, only one of which is complete:

:syslogtag, contains, "fail2ban" /var/log/fail2ban.log


#Log bans & unbans to remote
:msg, contains, "ssh-slowattack"
daemon.* @@10.0.0.1:5000

What I get with this is a blank fail2ban.log and *all* daemon facility
events on the remote server. Example log portion:

<30>Jan 31 09:08:55 testserver fail2ban.jail   : INFO   Jail 'fail2ban' started
<28>Jan 31 09:11:38 testserver fail2ban.actions: WARNING [ssh-slowattack] Ban 10.0.0.2
<28>Jan 31 09:17:05 testserver fail2ban.actions: WARNING [ssh-slowattack] Unban 10.0.0.2
<30>Jan 31 10:39:37 testserver dhclient: DHCPREQUEST on eth0 to 10.10.0.1 port 67

Rsyslog version, which I can't currently change, is rsyslog-3.22.1-7.el5

Thanks
James
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
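The reply's point is that a legacy rsyslog property filter (`:property, operator, "value" action`) is a single statement, whereas `daemon.* action` is a facility selector that fires for every daemon-facility event regardless of what follows it. The following Python is an added illustration, not code from the thread or from the rsyslog project: it parses the four sample lines from the post with a simplified RFC 3164 split (tag ends at the first space or colon; rsyslog's real parser differs in details) and runs both filter styles over them, so you can see why `daemon.* @@10.0.0.1:5000` sent dhclient traffic to the remote host while the property filters would select only the fail2ban lines. The facility names, severity order, and filter operators follow standard syslog conventions; the routing functions are this example's own.

```python
"""Compare rsyslog facility selectors with property-based filters.

Added example for the fail2ban routing thread. The sample lines are the
ones posted (re-joined onto one line each); the parser is a simplified
RFC 3164 split and is not rsyslog's own code.
"""
import re
from dataclasses import dataclass

# Sample lines from the post, re-joined where the mail client wrapped them.
SAMPLE_LINES = [
    "<30>Jan 31 09:08:55 testserver fail2ban.jail   : INFO   Jail 'fail2ban' started",
    "<28>Jan 31 09:11:38 testserver fail2ban.actions: WARNING [ssh-slowattack] Ban 10.0.0.2",
    "<28>Jan 31 09:17:05 testserver fail2ban.actions: WARNING [ssh-slowattack] Unban 10.0.0.2",
    "<30>Jan 31 10:39:37 testserver dhclient: DHCPREQUEST on eth0 to 10.10.0.1 port 67",
]

# Standard syslog facility codes (PRI >> 3) and severity order (PRI & 7).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    **{16 + i: f"local{i}" for i in range(8)},
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOST TAG[:] MSG -- TAG ends at the first space or colon
# (simplification of rsyslog's legacy parser; fail2ban pads its tag).
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\s:]+):?\s*(?P<msg>.*)$"
)


@dataclass
class SyslogMessage:
    pri: int
    timestamp: str
    hostname: str
    syslogtag: str   # the rsyslog property the ':syslogtag, ...' filter reads
    msg: str         # the rsyslog property the ':msg, ...' filter reads

    @property
    def facility(self) -> str:
        return FACILITIES.get(self.pri >> 3, str(self.pri >> 3))

    @property
    def severity(self) -> str:
        return SEVERITIES[self.pri & 7]


def parse_line(line: str) -> SyslogMessage:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a legacy syslog line: {line!r}")
    return SyslogMessage(int(m["pri"]), m["ts"], m["host"], m["tag"], m["msg"])


def facility_selector(selector: str):
    """'daemon.*' style selector: facility match; '*' means any severity,
    a named severity means that level and everything more severe."""
    fac, sev = selector.split(".", 1)

    def matches(message: SyslogMessage) -> bool:
        if fac != "*" and message.facility != fac:
            return False
        if sev == "*":
            return True
        return SEVERITIES.index(message.severity) <= SEVERITIES.index(sev)

    return matches


def property_filter(prop: str, op: str, value: str):
    """':syslogtag, contains, "fail2ban"' style filter on one message property."""
    ops = {
        "contains": lambda actual: value in actual,
        "isequal": lambda actual: actual == value,
        "startswith": lambda actual: actual.startswith(value),
    }
    test = ops[op]
    return lambda message: test(getattr(message, prop))


def route(lines, rules):
    """Apply (predicate, action) rules to every line; return action -> matched messages."""
    selected = {action: [] for _, action in rules}
    for line in lines:
        message = parse_line(line)
        for pred, action in rules:
            if pred(message):
                selected[action].append(message)
    return selected


# The complete statement from the posted config: a facility selector that,
# as observed, forwards every daemon-facility event to the remote host.
AS_POSTED = [(facility_selector("daemon.*"), "@@10.0.0.1:5000")]

# One statement per line, property filter plus its action, as the reply suggests.
INTENDED = [
    (property_filter("syslogtag", "contains", "fail2ban"), "/var/log/fail2ban.log"),
    (property_filter("msg", "contains", "ssh-slowattack"), "@@10.0.0.1:5000"),
]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("intended", INTENDED)):
        print(f"== {label}")
        for action, hits in route(SAMPLE_LINES, rules).items():
            print(f"{action}: {len(hits)} message(s)")
            for h in hits:
                print(f"    {h.facility}.{h.severity} {h.syslogtag} {h.msg}")
```

Running it shows the dhclient line reaching `@@10.0.0.1:5000` under the facility selector but not under the `:msg, contains, "ssh-slowattack"` filter, which is exactly the difference between what was observed and what was wanted.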
