plugins/inputs/fail2ban/README.md
This plugin gathers the count of failed and banned IP addresses using
fail2ban by running the fail2ban-client command.

> [!NOTE]
> The `fail2ban-client` requires root access, so please make sure to either
> allow Telegraf to run that command using `sudo` without a password or run
> Telegraf as root (not recommended).

⭐ Telegraf v1.4.0 🏷️ network, system 💻 all
Plugins support additional global and plugin configuration settings for tasks such as modifying metrics, tags, and fields, creating aliases, and configuring plugin ordering. See CONFIGURATION.md for more details.

```toml
# Read metrics from fail2ban.
[[inputs.fail2ban]]
  ## Use sudo to run fail2ban-client
  # use_sudo = false

  ## Use the given socket instead of the default one
  # socket = "/var/run/fail2ban/fail2ban.sock"
```

Make sure to set `use_sudo = true` in your configuration file.

You will also need to update your sudoers file. It is recommended to modify a
file in the `/etc/sudoers.d` directory using `visudo`:

```bash
sudo visudo -f /etc/sudoers.d/telegraf
```

Add the following lines to the file. These commands allow the `telegraf` user
to call `fail2ban-client` without needing to provide a password and disable
logging of the call in `auth.log`. Consult `man 8 visudo` and `man 5 sudoers`
for details.

```text
Cmnd_Alias FAIL2BAN = /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status *
telegraf ALL=(root) NOEXEC: NOPASSWD: FAIL2BAN
Defaults!FAIL2BAN !logfile, !syslog, !pam_session
```

```text
fail2ban,jail=sshd failed=5i,banned=2i 1495868667000000000
```

```text
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed: 20
|  `- File list: /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned: 10
   `- Banned IP list: 192.168.0.1 192.168.0.2
```
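
How the `fail2ban-client status sshd` output above maps onto the `fail2ban,jail=sshd ...` metric, as an added Go example (not the plugin's own code). The names `parseJailStatus`, `lineProtocol` and `sample` are hypothetical, and the sample text is the status output shown on this page.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sample is the status output from this page, embedded so the example runs offline.
const sample = "Status for the jail: sshd\n|- Filter\n|  |- Currently failed: 5\n" +
	"|  |- Total failed: 20\n|  `- File list: /var/log/secure\n`- Actions\n" +
	"   |- Currently banned: 2\n   |- Total banned: 10\n" +
	"   `- Banned IP list: 192.168.0.1 192.168.0.2\n"

// parseJailStatus (hypothetical helper) reads the two "Currently ..." counters.
func parseJailStatus(out string) (failed, banned int64, err error) {
	want := map[string]*int64{"Currently failed": &failed, "Currently banned": &banned}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		// Strip the tree-drawing prefix, then split "key: value".
		key, val, _ := strings.Cut(strings.TrimLeft(sc.Text(), " \t|`-"), ":")
		key = strings.TrimSpace(key)
		dst, ok := want[key]
		if !ok {
			continue // not one of the two counters (or already seen)
		}
		if *dst, err = strconv.ParseInt(strings.TrimSpace(val), 10, 64); err != nil {
			return 0, 0, fmt.Errorf("bad %q value: %w", key, err)
		}
		delete(want, key)
	}
	if len(want) != 0 {
		return 0, 0, fmt.Errorf("%d counter(s) missing from output", len(want))
	}
	return failed, banned, nil
}

// lineProtocol renders one metric, escaping the jail name as a tag value.
func lineProtocol(jail string, failed, banned, tsNanos int64) string {
	jail = strings.NewReplacer(",", `\,`, "=", `\=`, " ", `\ `).Replace(jail)
	return fmt.Sprintf("fail2ban,jail=%s failed=%di,banned=%di %d", jail, failed, banned, tsNanos)
}

func main() {
	if f, b, err := parseJailStatus(sample); err == nil {
		fmt.Println(lineProtocol("sshd", f, b, 1495868667000000000))
	}
}
```

Only the "Currently" counters feed the metric; the "Total" counters and the banned IP list are skipped, and output that lacks either counter is reported as an error rather than as zeros.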