Integration of wazuh with fail2ban


Mucyo Patrick

Jul 30, 2025, 3:45:59 AM
to Wazuh | Mailing List
 Hello everyone, I'm experiencing an issue with my integration of Wazuh and Fail2Ban. The Wazuh agent is analyzing the file located at /var/log/fail2ban.log and sending it to the Wazuh manager. I've tried multiple decoders and rules to generate alerts, but none of them have worked so far. If anyone can share working decoders and rules for this type of Fail2Ban log, it would be greatly appreciated.


2025-07-30 03:33:07,594 fail2ban.actions        [713]: NOTICE  [sshd] Ban 192.168.1.104
2025-07-30 03:33:07,763 fail2ban.actions        [713]: NOTICE  [sshd] Ban 192.168.1.105
2025-07-30 03:33:19,938 fail2ban.actions        [713]: NOTICE  [sshd] Ban 192.168.1.106
2025-07-30 03:33:20,030 fail2ban.actions        [713]: NOTICE  [sshd] Ban 192.168.1.107
  

Bony V John

Jul 30, 2025, 3:52:09 AM
to Wazuh | Mailing List

Hi,

Please allow me some time. I’m currently working on this and will get back to you with an update as soon as possible.

Bony V John

Jul 30, 2025, 4:14:38 AM
to Wazuh | Mailing List

Hi,

Based on the logs you shared, I’ve written a sample decoder and rule to trigger alerts and display them on the Wazuh dashboard. I’ve tested it in my environment, and it’s working as expected. You can try the following sample decoder and rule on your Wazuh setup:


Sample decoder:
<!-- Parent decoder: the prematch keys on the "[pid]: LEVEL  [jail]" part of the line -->
<decoder name="fail2ban">
    <prematch>[\d+]:\s*\w+\s*[\w*]</prematch>
</decoder>

<!-- Child decoder: captures pid, log level, jail, action and the IP at the end of the line -->
<decoder name="fail2ban">
    <parent>fail2ban</parent>
    <regex>[(\d+)]:\s*(\w+)\s*[(\w*)]\s*(\w*)\s*(\d+.\d+.\d+.\d+)$</regex>
    <order>process_id,log_level,jail,action,srcip</order>
</decoder>

Sample rule:
<group name="fail2ban,">
  <!-- Fires only when the decoded action field is exactly "Ban" -->
  <rule id="100190" level="5">
    <decoded_as>fail2ban</decoded_as>
    <action>Ban</action>
    <description>Fail2Ban has banned an IP address: $(srcip) from jail: $(jail)</description>
    <group>ban_event,</group>
  </rule>
</group>


  • In the decoder, the <prematch> tag is used to pre-filter log lines for matching the decoder by using regex based on the log format, which improves performance and accuracy.
  • You can refer to the Wazuh regular expressions documentation to understand how to tailor the regex pattern based on your actual log format.
  • For writing or modifying decoders, refer to the Wazuh decoder syntax documentation.
  • The above custom rule triggers an alert only when the action field in the log equals Ban, and assigns a rule level of 5.
  • You can customize or add more rules based on your specific requirements by referring to the Wazuh rules syntax guide.

I’ve also attached a screenshot of my testing for your reference.

Anderson Lima

Nov 18, 2025, 8:34:57 PM
to Wazuh | Mailing List
Hi guys, I'm struggling to create a decoder that works with two different Fail2ban log formats from different Ubuntu versions. I'd appreciate any guidance.

Working log (Ubuntu 20+):
2025-11-18 13:05:39,117 fail2ban.actions        [2738784]: NOTICE  [plesk-wordpress] Ban 2.22.61.151
Not working log (Ubuntu 14):
2025-11-18 14:00:07,544 fail2ban.actions: WARNING [ssh] Ban 172.16.99.145

The only difference I've identified is that the Ubuntu 14 log lacks the process_id [2738784]. I'm using the decoder from this post and have tested several variations without success.  

The decoder is identified but doesn't extract any fields. The log goes to archives without being decoded.

Has anyone successfully created a Fail2ban decoder that handles both formats? What am I missing in my regex pattern?

Thank you in advance!
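The two log shapes quoted in the post above (with and without the "[pid]:" token) can be handled by one parent decoder and two child decoders. This is an added example written for this thread; it is not code from either poster or from the Wazuh project. The decoder names fail2ban-pid and fail2ban-nopid, the rule IDs, and the Unban rule are choices made here, and the Unban line is assumed to have the same shape as the Ban line with "Unban" in the action position. The example relies on two properties of Wazuh's OS_Regex syntax: "\w" covers A-Z, a-z, 0-9, "-", "@" and "_" (so a hyphenated jail such as plesk-wordpress is captured whole), and there is no "?" modifier that would make the "[pid]:" token optional, which is why the parent only prematches on the logger name and each child carries the regex for one layout. Rules reference the parent's name in decoded_as, the same way the stock sshd rules reference "sshd" while the child decoders have other names.

```xml
<!-- Decoders (put in /var/ossec/etc/decoders/local_decoder.xml) -->

<!-- Parent: matches both layouts because it keys on the logger name and not on
     the optional "[pid]:" token. "." is a literal character in OS_Regex. -->
<decoder name="fail2ban">
  <prematch>fail2ban.actions</prematch>
</decoder>

<!-- Child 1, layout with pid (Ubuntu 20+ in the thread):
     "fail2ban.actions        [2738784]: NOTICE  [plesk-wordpress] Ban 2.22.61.151" -->
<decoder name="fail2ban-pid">
  <parent>fail2ban</parent>
  <regex>[(\d+)]:\s+(\w+)\s+[(\w+)]\s+(\w+)\s+(\d+.\d+.\d+.\d+)$</regex>
  <order>process_id,log_level,jail,action,srcip</order>
</decoder>

<!-- Child 2, layout without pid (Ubuntu 14 in the thread):
     "fail2ban.actions: WARNING [ssh] Ban 172.16.99.145"
     Children are tried in file order; the first regex that matches wins. -->
<decoder name="fail2ban-nopid">
  <parent>fail2ban</parent>
  <regex>fail2ban.actions:\s+(\w+)\s+[(\w+)]\s+(\w+)\s+(\d+.\d+.\d+.\d+)$</regex>
  <order>log_level,jail,action,srcip</order>
</decoder>

<!-- Rules (put in /var/ossec/etc/rules/local_rules.xml) -->
<group name="fail2ban,">
  <!-- <action> is an exact string comparison, so "Unban" does not trip this rule -->
  <rule id="100190" level="5">
    <decoded_as>fail2ban</decoded_as>
    <action>Ban</action>
    <description>Fail2Ban banned $(srcip) in jail $(jail)</description>
    <group>ban_event,</group>
  </rule>

  <!-- Assumed line shape: "... [sshd] Unban 192.168.1.104"; rule ID chosen here -->
  <rule id="100191" level="3">
    <decoded_as>fail2ban</decoded_as>
    <action>Unban</action>
    <description>Fail2Ban unbanned $(srcip) in jail $(jail)</description>
    <group>unban_event,</group>
  </rule>
</group>
```

After restarting wazuh-manager, paste each of the two sample lines into /var/ossec/bin/wazuh-logtest: phase 2 should report decoder fail2ban with jail, action and srcip populated for both lines (process_id only for the first), and phase 3 should fire rule 100190. The srcip group only matches IPv4, so an IPv6 ban would decode with no srcip and would need a wider pattern. On Wazuh 4.4 and later a single pattern with an optional group is possible via <regex type="pcre2">, but the two-child form works on any version.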
