How to Configure Multiple Log Paths in a Single Fail2ban Jail: A Practical Guide

When administering web servers with multiple virtual hosts, one fail2ban jail often has to watch the same attack pattern (scanner probes, bad bots, failed logins) across several log files. The common scenario involves:

  • Main Apache/Nginx error logs
  • Virtual host-specific error logs
  • Application-specific error logs

Current fail2ban releases (0.9 and later, at the least) accept several log files in one jail: the first path follows logpath =, each further path goes on its own indented line, and shell-style wildcards are allowed in any entry. In jail.local:

[apache-w00tw00t]
enabled  = true
filter   = apache-w00tw00t
action   = iptables-allports[name=apache-w00tw00t]
logpath  = /var/log/apache*/*error.log
         /var/www/vhosts/site1.com/log/errorlog
         /var/www/vhosts/site1.com/subdom/log/errorlog
         /var/www/vhosts/site3/log/errorlog
         /var/www/vhosts/site4/log/errorlog
maxretry = 1

Give the action an explicit name, or set banaction = iptables-allports and leave action at its default %(action_)s, which names the action after the jail. Without a name every jail that uses iptables-allports shares the same default chain, and one jail stopping tears down the other jails' rules. maxretry = 1 is appropriate here because a w00tw00t probe is never legitimate traffic.
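One property of a multi-logpath jail that the configuration does not make obvious: failures from all the listed files feed one per-IP counter, so a scanner that touches each vhost once reaches maxretry faster than it would with one jail per log. The script below is an added example, not fail2ban code and not the project's apache-w00tw00t filter; it uses constructed Apache error-log lines, a simplified match for the w00tw00t probe, and ignores findtime, to contrast the pooled count with a per-file count.

```shell
#!/bin/sh
# Added example: pooled per-IP counting across several vhost error logs, the way
# one fail2ban jail treats all of its logpath entries. The log lines are
# constructed, the w00tw00t match is a simplification of the real filter, and
# findtime is ignored (every hit counts regardless of age).

# Build three constructed vhost logs under a temporary directory and print it.
make_logs() {
    d=$(mktemp -d)
    mkdir -p "$d/site1" "$d/site2" "$d/site3"
    # site1: scanner 203.0.113.7 once, 198.51.100.20 twice, one unrelated error
    cat > "$d/site1/errorlog" <<'EOF'
[Sun Mar 03 10:00:01 2024] [error] [client 203.0.113.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Mar 03 10:00:02 2024] [error] [client 198.51.100.20] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Mar 03 10:00:03 2024] [error] [client 192.0.2.9] File does not exist: /var/www/site1/favicon.ico
[Sun Mar 03 10:00:04 2024] [error] [client 198.51.100.20] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
EOF
    # site2: the same scanner once more, Apache 2.2 log format
    cat > "$d/site2/errorlog" <<'EOF'
[Sun Mar 03 10:00:05 2024] [error] [client 203.0.113.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
EOF
    # site3: the same scanner once more, Apache 2.4 log format ([client IP:port])
    cat > "$d/site3/errorlog" <<'EOF'
[Sun Mar 03 10:00:06.123456 2024] [core:error] [pid 4242] [client 203.0.113.7:51234] AH00126: Invalid URI in request GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1
EOF
    echo "$d"
}

# Count w00tw00t probes per client IP over every file given, like a jail whose
# logpath lists all of them. Output: "<ip> <count>", one IP per line.
# The sed expression accepts both "[client IP]" and "[client IP:port]".
count_hits() {
    cat "$@" | grep -F 'w00tw00t.at.ISC.SANS.DFind' \
      | sed -n 's/.*\[client \([0-9][0-9.]*\)[]:].*/\1/p' \
      | sort | uniq -c | awk '{ print $2, $1 }'
}

# Print the IPs whose pooled count reaches maxretry, i.e. the IPs the jail would ban.
# Usage: would_ban <maxretry> <logfile>...
would_ban() {
    max=$1
    shift
    count_hits "$@" | awk -v max="$max" '$2 >= max { print $1 }'
}

# Stand-alone demo (sh thisfile.sh demo): one jail per log versus one jail over all logs.
if [ "${1:-}" = demo ]; then
    d=$(make_logs)
    echo "maxretry=2, site1 alone bans:";       would_ban 2 "$d/site1/errorlog"
    echo "maxretry=2, site2 alone bans:";       would_ban 2 "$d/site2/errorlog"
    echo "maxretry=2, all vhosts pooled bans:"; would_ban 2 "$d"/site*/errorlog
    rm -rf "$d"
fi
```

With maxretry = 2, site2 on its own never bans 203.0.113.7 (one hit), while the pooled view bans it after its third vhost. That is the behaviour to expect from the jail above, and the reason findtime has to be judged against the combined volume of all listed logs.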

When vhosts are added regularly, two ways to avoid editing the jail for each new one:

# Method 1: wildcards. One pattern covers one directory depth only, so the
# subdomain logs from the example above need their own entry.
logpath = /var/www/vhosts/*/log/errorlog
         /var/www/vhosts/*/*/log/errorlog

# Method 2: symbolic links collected in one directory. fail2ban follows the link
# to its target and skips a dangling link with a warning, so the target log must
# exist when the jail starts.
mkdir -p /var/log/fail2ban
ln -s /var/www/vhosts/site1.com/log/errorlog /var/log/fail2ban/site1_error.log
logpath = /var/log/fail2ban/*.log

With either method a new vhost is only picked up after fail2ban-client reload, because the globs are expanded when the jail starts, not continuously.

A jail has exactly one filter, so every file listed under its logpath must be in a format that filter understands; logs in a different format (nginx alongside Apache, for example) belong in a separate jail. A second jail covering several nginx log locations:

[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /var/log/nginx/*error.log
         /var/log/nginx/*/error.log
         /opt/webapps/*/logs/error.log
maxretry = 2
findtime = 3600
bantime = 86400

After configuration, always test with:

# Dump the parsed configuration (fail2ban 0.10+ also has -t to only test it and exit)
fail2ban-client -d

# Test regex matching against one of the files the jail will read
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-w00tw00t.conf

# Once the jail is running, list the files it actually picked up from the globs
fail2ban-client get apache-w00tw00t logpath

# Monitor jail status
fail2ban-client status apache-w00tw00t

When monitoring multiple logs:

  • On a (re)start fail2ban reads each log from the beginning by default; rotate logs so that is not gigabytes of history, or append the word tail to an entry (logpath = /var/log/nginx/error.log tail) to start at the end of that file.
  • Choose the backend deliberately: pyinotify (what backend = auto selects on Linux when available) reacts to writes immediately; polling is the fallback and the only backend that works on network file systems.
  • Set findtime against the combined volume of all the jail's logs, since failures from every listed file count toward the same per-IP total.

The same multi-line form covers separate Apache or nginx instances and logs split per subdomain. Rules for writing the entries:

  • Put each logpath entry on its own line: the first follows logpath =, every further one is indented.
  • Do not separate entries with commas or semicolons; the newline is the separator.
  • Indent continuation lines consistently, with spaces.
  • Shell-style wildcards (* and ?) may appear in any path component, but one pattern matches files at one directory depth only, so /var/www/vhosts/*/log/errorlog and /var/www/vhosts/*/*/log/errorlog need separate entries.
  • Globs are expanded when the jail starts or is reloaded; a matching file created later is not watched until fail2ban-client reload.
  • An entry that matches nothing makes fail2ban log an error at start-up, and a jail for which no file at all was found is not started; check the paths before enabling the jail.
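Because an unmatched entry only shows up as an error in fail2ban.log after the service has started, it is worth checking the entries beforehand. The script below is an added example, not part of fail2ban; it parses the newline-separated logpath entries of one jail out of a jail.local, expands each with the shell's glob the way fail2ban does at start, and reports entries that match no file. It assumes the syntax described above plus fail2ban's optional trailing tail/head word on an entry, and it does not resolve values inherited from [DEFAULT] or %(...)s interpolation. The fixture it builds for the demo is constructed, not a real server layout.

```shell
#!/bin/sh
# Added example: check that every logpath entry of a fail2ban jail matches at
# least one existing file. fail2ban expands globs once, when the jail starts,
# logs an error for an entry that matches nothing, and does not start a jail
# for which no file was found at all. Assumes the newline-separated logpath
# syntax (first entry after "logpath =", further entries indented) and the
# optional trailing "tail"/"head" word on an entry. [DEFAULT] inheritance and
# %(...)s interpolation are not resolved.

# Print the logpath entries of one jail, one per line, comments skipped.
# Usage: jail_logpaths <jail.local> <jail-name>
jail_logpaths() {
    awk -v jail="$2" '
        /^\[/                    { insec = ($0 == ("[" jail "]")); inkey = 0; next }
        !insec                   { next }
        /^[ \t]*[#;]/            { next }
        /^logpath[ \t]*=/        { inkey = 1
                                   sub(/^logpath[ \t]*=[ \t]*/, "")
                                   if ($0 != "") print
                                   next }
        inkey && /^[ \t]+[^ \t]/ { sub(/^[ \t]+/, ""); print; next }
                                 { inkey = 0 }
    ' "$1"
}

# Expand each entry with the shell's glob, as fail2ban does at jail start, and
# print "OK <file>" per matched file and "MISSING <entry>" per unmatched entry.
# Returns 1 if any entry is unmatched or the jail has no logpath entries at all.
# Usage: check_logpaths <jail.local> <jail-name>
check_logpaths() {
    report=$(
        jail_logpaths "$1" "$2" | while IFS= read -r entry; do
            case $entry in                 # drop fail2ban's position keyword
                *' tail') entry=${entry% tail} ;;
                *' head') entry=${entry% head} ;;
            esac
            matched=0
            for f in $entry; do            # unquoted on purpose: glob here (paths with spaces unsupported)
                if [ -e "$f" ]; then
                    echo "OK      $f"
                    matched=1
                fi
            done
            [ "$matched" -eq 1 ] || echo "MISSING $entry"
        done
    )
    if [ -z "$report" ]; then
        echo "no logpath entries found for jail [$2] in $1" >&2
        return 1
    fi
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^MISSING'
}

# Constructed fixture for the demo: a minimal jail.local plus log files for some,
# but not all, of the paths it names. Prints the temporary directory.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/var/log/apache2" "$d/var/www/vhosts/site1.com/log" \
             "$d/var/www/vhosts/site1.com/subdom/log" "$d/var/www/vhosts/site3/log"
    : > "$d/var/log/apache2/error.log"
    : > "$d/var/log/apache2/other_error.log"
    : > "$d/var/www/vhosts/site1.com/log/errorlog"
    : > "$d/var/www/vhosts/site1.com/subdom/log/errorlog"
    # site3 has the directory but no log yet; site4 does not exist at all
    cat > "$d/jail.local" <<EOF
[DEFAULT]
bantime = 3600

[apache-w00tw00t]
enabled  = true
filter   = apache-w00tw00t
logpath  = $d/var/log/apache*/*error.log
         $d/var/www/vhosts/site1.com/log/errorlog
         $d/var/www/vhosts/site1.com/subdom/log/errorlog tail
         $d/var/www/vhosts/site3/log/errorlog
         $d/var/www/vhosts/site4/log/errorlog
maxretry = 1

[sshd]
enabled = true
logpath = $d/var/log/auth.log
EOF
    echo "$d"
}

# Usage against a real system: sh f2b-logpath-check.sh /etc/fail2ban/jail.local apache-w00tw00t
# Demo: d=$(make_fixture); check_logpaths "$d/jail.local" apache-w00tw00t; rm -rf "$d"
if [ $# -eq 2 ]; then
    check_logpaths "$1" "$2"
fi
```

On the fixture the check lists four OK files (two from the apache* glob, the tail entry with its keyword stripped) and two MISSING entries, site3 and site4, and exits non-zero; that is exactly the state in which a real jail would start with two error lines in fail2ban.log and silently never watch those vhosts.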

For logs that originate on other servers, fail2ban itself has no multi-host mode: it reads local files and bans in the local firewall. Two ways to make remote logs local:

# Option 1: ship the logs with rsyslog (or another forwarder) and read the
# per-host directories it writes
logpath = /var/log/remote/*/apache/error.log

# Option 2: mount the remote log directories (NFS or similar) and list them.
# inotify does not see writes made by other NFS clients, so such a jail
# needs the polling backend.
[sshd]
enabled = true
backend = polling
logpath = /var/log/auth.log
         /mnt/nfs/logs/web01/auth.log
         /mnt/nfs/logs/web02/auth.log

In both cases the ban lands on the host running fail2ban, not on the server that produced the log line, so this only protects the other hosts if the fail2ban host sits in front of them or the action is one that distributes the ban.

When monitoring numerous log files:

  • Log rotation: fail2ban detects a rotated file by the change of inode and size and reopens the path, but a renamed file that is still being written (copytruncate versus create in logrotate) and a watched directory that disappears are the classic reasons a jail goes quiet after rotation; check fail2ban.log after the first rotation.
  • Memory and file handles: every listed file stays open, so check fail2ban's resident memory and open-file count after adding dozens of logpath entries.
  • inotify limits: the pyinotify backend needs a watch per file and per parent directory; if inotify_add_watch fails with ENOSPC (No space left on device) in fail2ban.log, raise fs.inotify.max_user_watches.