How to configure fail2ban with systemd journal

Tags: fail2ban, systemd-journald

I've installed fail2ban on a Debian Jessie LXC container; currently it's failing due to:

Starting authentication failure monitor: fail2ban
ERROR  No file(s) found for glob /var/log/auth.log
ERROR  Failed during configuration: Have not found any log file for ssh jail

There's no syslog or rsyslog on the system and thus /var/log/auth.log is not generated. Is there a way to tell fail2ban to use the output of journalctl _COMM=sshd?

Best Answer

For systemd systems:

You have to specify the backend in /etc/fail2ban/jail.conf to use systemd as follows:

backend = systemd

Then restart fail2ban:

systemctl restart fail2ban

Edit:

I'm a heavy CentOS/RHEL/Fedora guy so you may have to adapt what I say a bit. As far as this answer, you may have to update the fail2ban package to a version that supports systemd as a backend or you'll have to install rsyslog and add the following to your /etc/rsyslog.conf:

authpriv.*      /var/log/auth.log

This will make sure sshd auth logs are logged to /var/log/auth.log, which will be read by the default pyinotify backend in fail2ban.
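Putting the answer together as a complete drop-in file, added here as an example and not part of the original answer: settings go in jail.local (jail.conf is overwritten on package upgrades), the jail is named sshd in the fail2ban 0.9+ releases that have the systemd backend (0.8 called it ssh, as the asker's error shows), and the journalmatch line reuses the asker's own `_COMM=sshd` query. The retry and ban values are illustrative assumptions.

```ini
# /etc/fail2ban/jail.local  (overrides jail.conf; jail.conf is replaced on upgrade)

[DEFAULT]
# Read the systemd journal instead of /var/log/auth.log.
# Requires a fail2ban release with systemd support (0.9 or newer).
backend = systemd

[sshd]
enabled = true
# Limit the journal query to sshd entries, the same match as
# "journalctl _COMM=sshd" from the question; this overrides the
# journalmatch shipped in filter.d/sshd.conf.
journalmatch = _COMM=sshd
# Illustrative values (assumption): 5 failures within 600 s -> 1 h ban.
maxretry = 5
findtime = 600
bantime  = 3600
```

After `systemctl restart fail2ban`, `fail2ban-regex systemd-journal /etc/fail2ban/filter.d/sshd.conf` shows whether the filter matches the journal's sshd lines, and `fail2ban-client status sshd` shows the jail is active and what it has banned.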
