Last active
August 1, 2023 03:33
Configuration to make OSSEC HIDS watch fail2ban.log and alert on fail2ban actions
<!-- add this to /var/ossec/etc/shared/agent.conf on the manager. Entries in agent.conf must sit inside the <agent_config> root element; that is what makes the manager push the block to its agents. If fail2ban also runs on the manager itself, put the same <localfile> block in the manager's own ossec.conf, since agent.conf is not applied there. -->
<agent_config>
  <localfile>
    <!-- fail2ban.log has no syslog header, so the pre-decoder finds no hostname/program; the raw line is still handed to the rules -->
    <log_format>syslog</log_format>
    <location>/var/log/fail2ban.log</location>
  </localfile>
</agent_config>
<!-- add this as fail2ban_rules.xml in the manager's rules directory (/var/ossec/rules/ on OSSEC 2.x, /var/ossec/etc/rules/ on Wazuh) and restart the manager. /var/ossec/etc/shared/ only holds agent.conf and the files pushed to agents; rule files placed there are never loaded. -->
<group name="syslog,access_control,">
  <rule id="25021" level="11">
    <!-- fires on every line containing the literal "fail2ban.actions", i.e. each ban and each unban that fail2ban logs -->
    <match>fail2ban.actions</match>
    <description>Fail2ban action taken</description>
    <group>authentication_failed,</group>
  </rule>
</group>
<!-- add this to the manager's /var/ossec/etc/ossec.conf, inside the existing <rules> block (OSSEC 2.x). It is manager-side only; an agent's ossec.conf has no <rules> element and the agent will refuse to start with it. Wazuh does not use <rules>/<include>; there, either append the rules to /var/ossec/etc/rules/local_rules.xml or reference the file with <ruleset><rule_include>fail2ban_rules.xml</rule_include></ruleset>. -->
<rules>
  <include>fail2ban_rules.xml</include>
</rules>
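The gist's single rule only says that fail2ban did something, at level 11, for bans and unbans alike. As an added example that is not part of the gist, the decoder and rule set below parse fail2ban's own log line so that the jail, the action and the offending address become alert fields, bans and unbans get different levels, and repeated bans of one address can be escalated. Assumptions: the two sample lines in the leading comment are constructed to follow the default fail2ban log format ("fail2ban.actions [pid]: NOTICE [jail] Ban <ip>"); the decoders belong in the manager's local decoder file (/var/ossec/etc/decoders/local_decoder.xml on Wazuh) and the rules in its local rules file; IDs 100100-100103 are picked from the 100000-119999 range that OSSEC documents for local rules and are assumed unused on your manager; and square brackets are taken to be literal in OS_Regex, which has no character classes.

```xml
<!-- Added example, not code from the gist. Constructed sample lines this decoder is written against:
     2023-08-01 10:15:03,123 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
     2023-08-01 10:25:03,456 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
-->

<!-- Decoders (assumed location: the manager's local decoder file). -->
<decoder name="fail2ban">
  <!-- prematch is a cheap substring test; only lines that pass reach the child decoder -->
  <prematch>fail2ban.actions</prematch>
</decoder>

<decoder name="fail2ban-action">
  <parent>fail2ban</parent>
  <!-- offset="after_parent": matching starts right after "fail2ban.actions".
       \s+ absorbs fail2ban's column padding; the literal brackets delimit the pid and the jail name;
       \w covers jail names such as nginx-http-auth because OS_Regex's \w includes '-' and '_'. -->
  <regex offset="after_parent">\s+[\d+]: \w+\s+[(\w+)] (\w+) (\S+)$</regex>
  <!-- captured groups, in order: jail -> extra_data, Ban/Unban -> action, address -> srcip -->
  <order>extra_data, action, srcip</order>
</decoder>

<!-- Rules (assumed location: the manager's local rules file). -->
<group name="fail2ban,syslog,access_control,">

  <!-- Parent: anything the fail2ban decoder handled. Level 0, so it never alerts on its own. -->
  <rule id="100100" level="0">
    <decoded_as>fail2ban</decoded_as>
    <description>fail2ban event</description>
  </rule>

  <!-- A ban: an address has already failed enough times for fail2ban to block it. -->
  <rule id="100101" level="6">
    <if_sid>100100</if_sid>
    <action>Ban</action>
    <description>fail2ban banned a source address (see srcip and extra_data for the jail)</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- An unban is routine housekeeping; keep it visible but low. -->
  <rule id="100102" level="3">
    <if_sid>100100</if_sid>
    <action>Unban</action>
    <description>fail2ban unbanned a source address</description>
  </rule>

  <!-- Escalate when the same address keeps getting banned within an hour:
       bantime expired, the attacker came back, and fail2ban banned it again. -->
  <rule id="100103" level="10" frequency="3" timeframe="3600">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>fail2ban repeatedly banned the same source address within an hour</description>
    <group>authentication_failed,</group>
  </rule>
</group>
```

After restarting the manager, paste the first constructed line into /var/ossec/bin/ossec-logtest: phase 2 should report decoder "fail2ban" with extra_data "sshd", action "Ban" and srcip "203.0.113.5", and phase 3 should select rule 100101; the Unban line should land on 100102. Because srcip is now a decoded field, the ban rule can also drive active response or be correlated with the host's own sshd authentication failures, which a bare <match> on the whole line cannot do.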
<include>fail2ban_rules.xml</include> is not a "real thing". Rather, the rule file simply needs to be created in /var/ossec/etc/rules (or whichever path the end user's <rule_dir> element defines in the Manager's ossec.conf file), and then the Manager needs to be restarted for the rule to be effective.

One can easily verify that the rule is working as expected with ossec-logtest; just type the string on which to match and hit Enter, e.g.:
# /var/ossec/bin/ossec-logtest
2021/01/13 13:36:15 ossec-testrule: INFO: Started (pid: 3563516).
ossec-testrule: Type one log per line.
fail2ban.actions
**Phase 1: Completed pre-decoding.
full event: 'fail2ban.actions'
timestamp: '(null)'
hostname: 'wazuh'
program_name: '(null)'
log: 'fail2ban.actions'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '25021'
Level: '11'
Description: 'Fail2ban action taken'
**Alert to be generated.
I can't find the part of the configuration where this would fit. I tried to put it in multiple places in ossec.conf, but the ossec agent won't start with this parameter.
I also tried to wrap it with <rules>, but apparently "rules" is also not a valid tag. Same problem.
Getting fail2ban logs into ossec alerts would be so awesome. I've been struggling with this for weeks!
If you guys have any advice on this, I would appreciate it.