```xml
<!-- add this to /var/ossec/etc/shared/agent.conf -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/fail2ban.log</location>
</localfile>

<!-- add this to /var/ossec/etc/shared/fail2ban_rules.xml -->
<group name="syslog,access_control,">
  <rule id="25021" level="11">
    <match>fail2ban.actions</match>
    <description>Fail2ban action taken</description>
    <group>authentication_failed,</group>
  </rule>
</group>

<!-- add this to /var/ossec/etc/ossec.conf -->
<include>fail2ban_rules.xml</include>
```
I can't find the part of the configuration where this would fit. I tried to put it in multiple places in ossec.conf, but the ossec agent won't start with this parameter.
I also tried to wrap it with `<rules>`, but apparently "rules" is also not a valid tag. Same problem.
Getting fail2ban logs into ossec alerts would be so awesome. I've been struggling with this for weeks!
If you guys have any advice on this, I would appreciate it.
`<include>fail2ban_rules.xml</include>` is not a "real thing".
Rather, the rule file simply needs to be created in `/var/ossec/etc/rules` (or whichever path the end-user `<rule_dir>` element defines in the Manager's ossec.conf file), and then the Manager needs to be restarted for the rule to be effective.
One can easily verify that the rule is working as expected with `ossec-logtest`; just type the string on which to match and hit Enter, e.g.:
```text
# /var/ossec/bin/ossec-logtest
2021/01/13 13:36:15 ossec-testrule: INFO: Started (pid: 3563516).
ossec-testrule: Type one log per line.

fail2ban.actions

**Phase 1: Completed pre-decoding.
       full event: 'fail2ban.actions'
       timestamp: '(null)'
       hostname: 'wazuh'
       program_name: '(null)'
       log: 'fail2ban.actions'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '25021'
       Level: '11'
       Description: 'Fail2ban action taken'
**Alert to be generated.
```
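The `ossec-logtest` run above feeds the bare token `fail2ban.actions`, which proves the rule loads but says nothing about what real fail2ban lines will do. The script below is an added example, not code from the gist, from OSSEC or from Wazuh: it re-implements just enough of OSSEC's rule matching (the `<match>` element as a substring test with `|` for alternatives and a leading `^` as a start-of-line anchor, plus `<if_sid>` parent/child chaining) to run the gist's rule file against constructed fail2ban log lines offline. It goes one step beyond the gist by adding a hypothetical child rule, id `100021` (chosen from the local-rule id range; an assumption, not part of the gist), to show that the gist's rule as written fires on `Unban` lines as well as `Ban` lines, and how a child rule narrows that. The sample log lines are constructed in fail2ban's default log format and are not captured traffic; real OSSEC/Wazuh evaluation also involves decoders, regex rules and frequency rules, so treat this as a sanity check, not a substitute for `ossec-logtest` on the Manager.

```python
"""Offline check of the gist's fail2ban rule against sample log lines.

Added example, not code from the gist, OSSEC or Wazuh. Emulates OSSEC's
<match> (substring, '|' = alternatives, leading '^' = anchor) and
<if_sid> child rules so a rule file can be exercised without ossec-logtest.
"""
import xml.etree.ElementTree as ET

# The gist's rule, plus a hypothetical child rule (id 100021, in the
# local-rule range) that only fires for actual bans. The child rule is
# an illustration added here, not part of the gist.
RULES_XML = """<group name="syslog,access_control,">
  <rule id="25021" level="11">
    <match>fail2ban.actions</match>
    <description>Fail2ban action taken</description>
    <group>authentication_failed,</group>
  </rule>
  <rule id="100021" level="11">
    <if_sid>25021</if_sid>
    <match>] Ban </match>
    <description>Fail2ban banned a source address</description>
    <group>authentication_failed,</group>
  </rule>
</group>"""

# Constructed sample lines in fail2ban's default log format (not real traffic).
SAMPLE_LOG = [
    "2021-01-13 13:36:15,001 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.7 - 2021-01-13 13:36:14",
    "2021-01-13 13:36:15,002 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.7",
    "2021-01-13 13:46:15,003 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.7",
    "Jan 13 13:36:14 wazuh sshd[5678]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
]


def load_rules(xml_text):
    """Parse each <rule> into a dict: id, level, match, if_sid, description."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": int(rule.get("id")),
            "level": int(rule.get("level")),
            "match": rule.findtext("match"),
            "if_sid": rule.findtext("if_sid"),
            "description": rule.findtext("description", ""),
        })
    return rules


def os_match(pattern, line):
    """Approximate OSSEC's <match>: '|' separates alternatives, '^' anchors at line start."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if line.startswith(alt[1:]):
                return True
        elif alt in line:
            return True
    return False


def evaluate(line, rules):
    """Return the most specific rule that fires for one line, or None.

    Rules are tried in file order. A rule with <if_sid> is only considered
    once one of the listed parent ids has fired, and a firing child replaces
    its parent as the alert, as in OSSEC's parent/child rule tree.
    """
    fired = None
    for rule in rules:
        if rule["if_sid"] is not None:
            parents = {p.strip() for p in rule["if_sid"].split(",")}
            if fired is None or str(fired["id"]) not in parents:
                continue
        if rule["match"] is None or not os_match(rule["match"], line):
            continue
        fired = rule
    return fired


def alert_ids(lines, rules):
    """Map each line to the id of the rule that would alert, or None if nothing fires."""
    result = []
    for line in lines:
        rule = evaluate(line, rules)
        result.append(rule["id"] if rule else None)
    return result


if __name__ == "__main__":
    loaded = load_rules(RULES_XML)
    for line, rid in zip(SAMPLE_LOG, alert_ids(SAMPLE_LOG, loaded)):
        print(f"{str(rid):>6}  {line[:72]}")
```

Running it shows the `fail2ban.filter` "Found" line and the raw sshd failure do not trigger anything, the `Ban` line is claimed by the child rule, and the `Unban` line still raises the gist's level-11 rule 25021. If an unban should not page anyone, the same `<if_sid>` pattern can carry a lower-level child for `] Unban `; either way, confirm the final rule file with `ossec-logtest` on the Manager using a full log line rather than the bare token.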
This is nice. Thank you.
Am I allowed to request it into ossec directly?
Best Regards