A small Bash script to summarize fail2ban/systemd/ModSecurity/Docker logs and report to Teams.

TassiloPitrasch/monitory

Basics

This is just a small script to process fail2ban/systemd/ModSecurity/Docker logs and report the findings to a Teams Channel via a Webhook.

Prerequisites

Easy:

  • Bash 4.x ➡️ test with echo $BASH_VERSION
  • curl >= 7.67.0 ➡️ test with curl --version
  • jq >= 1.6 ➡️ test with jq --version
  • envsubst >= 0.21 ➡️ test with envsubst --version
  • A Teams Channel to push to via a Webhook

Depending on the services you want to monitor:

  • systemd/ssh logs available via journalctl ➡️ test with journalctl -u ssh
  • fail2ban-client for the sshd jail ➡️ test with fail2ban-client status sshd
  • ModSecurity with an active, standard audit-log ➡️ compare your structure with the one described in the handbook
  • Docker ➡️ test with docker --version
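The manual checks above can be scripted. The following is an added example, not monitory's own code: it compares the installed tool versions against the floors the README lists (Bash 4.x, curl 7.67.0, jq 1.6, envsubst 0.21) and runs the README's per-service smoke test for each monitoring.sh flag you intend to use. The ModSecurity check is reduced to "the audit log named in settings.json exists"; validating the log structure against the handbook is left to you.

```shell
#!/usr/bin/env bash
# Added example, not monitory's own code: an automated version of the manual
# prerequisite checks. Version floors (Bash 4, curl 7.67.0, jq 1.6, envsubst
# 0.21) and the per-service test commands are the ones the README lists.
set -eu

# version_ge ACTUAL MINIMUM: succeed when ACTUAL >= MINIMUM, comparing dotted
# versions numerically field by field (so 7.10 > 7.9, unlike a string compare).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# tool_version NAME: first dotted version number in "NAME --version"
# (handles "curl 7.81.0 ...", "jq-1.6" and "envsubst (GNU gettext-runtime) 0.21").
tool_version() {
    command -v "$1" >/dev/null 2>&1 || return 1
    "$1" --version 2>/dev/null | head -n 1 | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# check_tool NAME MINIMUM: print one status line; non-zero if missing or too old.
check_tool() {
    v=$(tool_version "$1") || { echo "$1: MISSING"; return 1; }
    if version_ge "$v" "$2"; then
        echo "$1: OK ($v)"
    else
        echo "$1: TOO OLD ($v, need >= $2)"; return 1
    fi
}

# check_bash: Bash 4.x or newer, read from BASH_VERSINFO instead of parsing text.
check_bash() {
    if [ "${BASH_VERSINFO:-0}" -ge 4 ]; then
        echo "bash: OK (${BASH_VERSION:-unknown})"
    else
        echo "bash: TOO OLD or not bash (${BASH_VERSION:-unknown})"; return 1
    fi
}

# check_service FLAG: run the README's smoke test for the service behind a
# monitoring.sh flag (f, s, m, d). The ModSecurity check only verifies that the
# audit log named in settings.json exists; its structure is not validated here.
check_service() {
    case "$1" in
        f) fail2ban-client status sshd >/dev/null 2>&1 && echo "fail2ban: OK" ;;
        s) journalctl -u ssh -n 1 >/dev/null 2>&1 && echo "journalctl/ssh: OK" ;;
        m) log=$(jq -r '.modsec.audit_log' settings.json 2>/dev/null) \
               && [ -f "$log" ] && echo "modsec audit log: OK ($log)" ;;
        d) docker --version >/dev/null 2>&1 && echo "docker: OK" ;;
        *) echo "unknown flag: $1" >&2; return 2 ;;
    esac || { echo "$1: FAILED"; return 1; }
}

# run_checks [FLAGS...]: base tools first, then one service check per flag.
# Succeeds only when every check passed.
run_checks() {
    failures=0
    check_bash || failures=$((failures + 1))
    check_tool curl 7.67.0 || failures=$((failures + 1))
    check_tool jq 1.6 || failures=$((failures + 1))
    check_tool envsubst 0.21 || failures=$((failures + 1))
    for flag in "$@"; do
        check_service "$flag" || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Check the base tools plus the services behind -f, -s and -d.
run_checks f s d || echo "some prerequisites are missing (see above)" >&2
```

Pass only the flags you actually plan to use to run_checks; a missing fail2ban-client is not a problem on a host where you never run -f.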

Content

  • monitoring.sh: The main script that is executed
  • settings.json: Settings-file, see below for more information
  • log.txt: File for small diagnostic messages
  • temp/: Directory containing temporary files
  • templates/: Directory containing JSON templates that are merged to the message payload

Settings

The settings-file should look like this:

{
    "webhook_url": "URL to your Teams Channel",
    "summary": "Summary of the notification - metadata, is not displayed",
    "title": "Title of the notification - displayed as heading",
    "text": "Text for the notification - displayed as standard text",
    "color": "Base color for the notification (hex) - like ffffff for white",
    "push_empty": "true/false - how to deal with empty section data",
    "private_names": [
      "Array of usernames", "that should be monitored"
    ],
    "modsec": {
      "audit_log": "Path to the ModSecurity AUDIT-log to be monitored"
    },
    "services": {
      "docker": [
        "Array of Docker services (by container names)", "that should be monitored"
      ]
    }
}

Execution

Run ./monitoring.sh to execute the script. The following checks can be enabled by setting the corresponding flag:

  • -f: fail2ban ➡️ IPs newly blocked and unblocked by fail2ban. This flag needs an argument: full if a list of the IP addresses should be displayed, numbers if the counts are sufficient.
  • -s: ssh ➡️ Unsuccessful authentication attempts with the usernames defined in the settings-file.
  • -m: ModSecurity ➡️ Traffic blocked by ModSecurity. This flag accepts an optional argument: the minimum severity (0 - 5) an event must have to be included in the monitoring report.
  • -d: Docker ➡️ Running Docker services as defined (by the respective container names) in the settings-file.

The metrics are collected since the last time the script was executed. On the first execution, the option --since yesterday is used for journalctl when collecting the data for the third metric.

Note that no notification is sent if no events were parsed.
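To show how the pieces of the -s check fit together (settings-file, journalctl time window, event parsing, the push_empty rule and the webhook payload), here is an added example that is not monitory's own code. It runs on a constructed journal sample and constructed settings so it needs no real host or network; the MessageCard layout of the payload is an assumption, monitory's templates/ directory may use a different format, and the state-file path is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not monitory's own code: the -s (ssh) check end to end on a
# constructed journal sample: read the monitored usernames from settings.json,
# count failed logins per user, honour "push_empty", and build a Teams payload.
# The MessageCard layout is an assumption; monitory's templates/ may differ.
set -eu

# Constructed sample of `journalctl -u ssh` output (not real log data).
SAMPLE_JOURNAL='Mar 03 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 03 10:01:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar 03 10:02:11 host sshd[1210]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Mar 03 10:03:40 host sshd[1222]: Failed password for deploy from 203.0.113.9 port 51300 ssh2
Mar 03 10:04:01 host sshd[1230]: Failed password for root from 203.0.113.7 port 51311 ssh2'

# Constructed settings (keys follow the README's settings.json layout).
SAMPLE_SETTINGS='{"title":"Daily report","color":"0078d4","push_empty":"false",
                  "private_names":["root","deploy"],"webhook_url":"https://example.invalid/webhook"}'

# since_argument STATEFILE: the --since value for journalctl, following the
# README: the timestamp saved by the previous run, or "yesterday" the first time.
since_argument() {
    if [ -s "$1" ]; then cat "$1"; else echo "yesterday"; fi
}

# record_run STATEFILE: remember now, so the next run only sees newer entries.
record_run() {
    date '+%Y-%m-%d %H:%M:%S' > "$1"
}

# monitored_names SETTINGS_JSON: private_names as one space-separated line.
monitored_names() {
    printf '%s' "$1" | jq -r '.private_names | join(" ")'
}

# failed_attempts_by_user "NAME NAME ...": reads journal lines on stdin and
# prints "name count" for every monitored name (zeros included, in order).
# sshd writes "Failed password for NAME" or "... for invalid user NAME".
failed_attempts_by_user() {
    awk -v names="$1" '
        BEGIN { n = split(names, want, " "); for (i = 1; i <= n; i++) count[want[i]] = 0 }
        /sshd\[[0-9]+\]: Failed password for / {
            u = ""
            for (i = 1; i <= NF; i++)
                if ($i == "for") { u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1); break }
            if (u in count) count[u]++
        }
        END { for (i = 1; i <= n; i++) print want[i], count[want[i]] }'
}

# total_failed: sum of the counts printed by failed_attempts_by_user.
total_failed() {
    awk '{ s += $2 } END { print s + 0 }'
}

# build_payload SETTINGS_JSON COUNTS: print a MessageCard for the webhook.
# Prints nothing and returns 1 when there are no events and push_empty is
# not "true", which is the README's "no notification if no events" rule.
build_payload() {
    total=$(printf '%s\n' "$2" | total_failed)
    push_empty=$(printf '%s' "$1" | jq -r '.push_empty')
    if [ "$total" -eq 0 ] && [ "$push_empty" != "true" ]; then
        return 1
    fi
    printf '%s\n' "$2" | jq -Rn --argjson s "$1" '
        [inputs | select(length > 0) | split(" ") | {name: .[0], value: .[1]}] as $facts
        | { "@type": "MessageCard", "@context": "https://schema.org/extensions",
            summary: $s.title, title: $s.title, themeColor: $s.color,
            sections: [{ activityTitle: "Failed SSH logins since last run", facts: $facts }] }'
}

# send_report SETTINGS_JSON PAYLOAD: POST the card to webhook_url with curl.
send_report() {
    url=$(printf '%s' "$1" | jq -r '.webhook_url')
    curl -sS -f -H 'Content-Type: application/json' --data "$2" "$url"
}

# Demonstration on the constructed data (no network access needed).
if command -v jq >/dev/null 2>&1; then
    names=$(monitored_names "$SAMPLE_SETTINGS")
    counts=$(printf '%s\n' "$SAMPLE_JOURNAL" | failed_attempts_by_user "$names")
    printf 'real source would be: journalctl -u ssh --since "%s"\n' \
        "$(since_argument /var/tmp/monitory.example.lastrun)"   # placeholder state file
    build_payload "$SAMPLE_SETTINGS" "$counts" || echo "nothing to report"
fi
```

On a real host the journal text comes from journalctl -u ssh --since "$(since_argument STATEFILE)", record_run STATEFILE is called after a successful run, and send_report passes the card to curl. The "invalid user" branch matters: attempts against accounts that do not exist are logged with a different phrasing, and a parser that only matches "Failed password for NAME from" silently undercounts them.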
