
@johnstanfield
Last active August 1, 2023 03:33
Configuration to make OSSEC HIDS watch fail2ban.log and alert on fail2ban actions
<!-- add this to /var/ossec/etc/shared/agent.conf -->
<!-- everything in the shared agent.conf must sit inside <agent_config>, otherwise agents ignore it -->
<agent_config>
  <localfile>
    <!-- fail2ban writes one event per line, so the syslog reader is sufficient -->
    <log_format>syslog</log_format>
    <location>/var/log/fail2ban.log</location>
  </localfile>
</agent_config>

<!-- add this to /var/ossec/etc/shared/fail2ban_rules.xml -->
<!-- the file must live in the directory the manager loads rules from, or the <include> below cannot find it -->
<group name="syslog,access_control,">
  <!-- <match> is a literal substring test: every fail2ban.log line logged by fail2ban.actions
       (Ban, Unban, ...) raises a level-11 alert; fail2ban.filter "Found" lines do not -->
  <rule id="25021" level="11">
    <match>fail2ban.actions</match>
    <description>Fail2ban action taken</description>
    <group>authentication_failed,</group>
  </rule>
</group>

<!-- add this to /var/ossec/etc/ossec.conf, inside the existing <rules> element -->
<rules>
  <include>fail2ban_rules.xml</include>
</rules>
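To see what rule 25021 will and will not fire on before touching a manager, the following added example (not part of the gist) replays the rule's literal `<match>` test over a few constructed fail2ban.log lines and pulls the jail, action and address out of the lines that match. The log lines, the `ACTION_RE` pattern and the `Alert` record are my own constructions, not OSSEC or fail2ban code.

```python
"""Replay OSSEC rule 25021 (<match>fail2ban.actions</match>) over sample fail2ban.log lines."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in fail2ban's default log layout; not captured from a real host.
SAMPLE_LOG = """\
2021-01-13 13:36:10,101 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5 - 2021-01-13 13:36:10
2021-01-13 13:36:15,202 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2021-01-13 13:46:15,303 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
2021-01-13 13:50:00,404 fail2ban.server         [1234]: INFO    Shutdown in progress...
"""

# Values copied from the rule in the gist. OSSEC's <match> is a plain substring test.
RULE_ID = 25021
RULE_LEVEL = 11
RULE_MATCH = "fail2ban.actions"

# Hypothetical parser for the body of an actions line; the field names are my own choice.
ACTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"(?P<sev>\w+)\s+\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban|Restore Ban) (?P<ip>\S+)$"
)


@dataclass
class Alert:
    """What the manager would emit for one matching line (simplified)."""
    rule_id: int
    level: int
    timestamp: str
    jail: Optional[str]
    action: Optional[str]
    ip: Optional[str]
    raw: str


def rule_matches(line: str) -> bool:
    """Replicate <match>: true when the literal string occurs anywhere in the line."""
    return RULE_MATCH in line


def parse_action(line: str) -> Optional[dict]:
    """Extract timestamp, jail, action and IP from an actions line; None if the layout differs."""
    m = ACTION_RE.match(line)
    return m.groupdict() if m else None


def evaluate(log_text: str) -> List[Alert]:
    """Run every line through the rule and return the alerts it would raise, in order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not rule_matches(line):
            continue  # filter/server lines never reach rule 25021
        fields = parse_action(line) or {}
        alerts.append(Alert(RULE_ID, RULE_LEVEL, fields.get("ts", ""),
                            fields.get("jail"), fields.get("action"), fields.get("ip"), line))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(f"rule {a.rule_id} level {a.level}: {a.action} {a.ip} in jail {a.jail}")
```

Two things the replay makes visible: the rule fires on Unban lines exactly as it does on Ban lines (both come from the `fail2ban.actions` logger), so a level-11 alert is raised when a ban expires as well as when it is applied; and because `<match>` is a substring test, any line that merely contains the text `fail2ban.actions` would also match, so a `<regex>` anchored on the logger field is the tighter choice if the log ever carries free-form messages.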
@cbj4074

cbj4074 commented Jan 13, 2021

<include>fail2ban_rules.xml</include> is not a "real thing".

Rather, the rule file simply needs to be created in /var/ossec/etc/rules (or whichever path the end-user <rule_dir> element defines in the Manager's ossec.conf file), and then the Manager needs to be restarted for the rule to be effective.

One can easily verify that the rule is working as expected with ossec-logtest; just type the string on which to match and hit Enter, e.g.:

# /var/ossec/bin/ossec-logtest
2021/01/13 13:36:15 ossec-testrule: INFO: Started (pid: 3563516).
ossec-testrule: Type one log per line.

fail2ban.actions


**Phase 1: Completed pre-decoding.
       full event: 'fail2ban.actions'
       timestamp: '(null)'
       hostname: 'wazuh'
       program_name: '(null)'
       log: 'fail2ban.actions'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '25021'
       Level: '11'
       Description: 'Fail2ban action taken'
**Alert to be generated.
