The fail2ban plugin gathers the count of failed and banned ip addresses using
fail2ban.
This plugin runs the fail2ban-client
command which generally requires root
access. Acquiring the required permissions can be done using several methods:
- Use sudo run fail2ban-client.
- Run telegraf as root. (not recommended)
Global configuration options
In addition to the plugin-specific configuration settings, plugins support
additional global and plugin configuration settings. These settings are used to
modify metrics, tags, and field or create aliases and configure ordering, etc.
See the CONFIGURATION.md for more details.
Configuration
# Read metrics from fail2ban.
[[inputs.fail2ban]]
## Use sudo to run fail2ban-client
use_sudo = false
Using sudo
Make sure to set use_sudo = true
in your configuration file.
You will also need to update your sudoers file. It is recommended to modify a
file in the /etc/sudoers.d
directory using visudo
:
sudo visudo -f /etc/sudoers.d/telegraf
Add the following lines to the file, these commands allow the telegraf
user
to call fail2ban-client
without needing to provide a password and disables
logging of the call in the auth.log. Consult man 8 visudo
and man 5 sudoers
for details.
Cmnd_Alias FAIL2BAN = /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status *
telegraf ALL=(root) NOEXEC: NOPASSWD: FAIL2BAN
Defaults!FAIL2BAN !logfile, !syslog, !pam_session
Metrics
- fail2ban
- tags:
- fields:
- failed (integer, count)
- banned (integer, count)
Example Output
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 5
| |- Total failed: 20
| `- File list: /var/log/secure
`- Actions
|- Currently banned: 2
|- Total banned: 10
`- Banned IP list: 192.168.0.1 192.168.0.2
fail2ban,jail=sshd failed=5i,banned=2i 1495868667000000000