Alarm configuration for fail2ban

Hello together,

Is it possible to notify me when the “BanCounter” (fail2ban.jails_in_jail) counts more than 3 new IPs in 5 minutes?

Thx for this great tool and your help.

My test config looks like this:

```
# /usr/lib/netdata/conf.d/health.d/fail2ban.conf
alarm: fail2ban
on: fail2ban.jails_in_jail
lookup: average -1m collected_total_raw
every: 60s
warn: $this > 2
delay: down 5m multiplier 1.5 max 1h
plugin: python.d.plugin
module: fail2ban
info: fail2ban more then 2 in 1 minute
to: sysadmin
```

Hi @youmakemyday :wave:

If you want to check whether the sum of jailed IPs (sum) is more than 3 ($this > 3) and get notified after it’s been so for 5 minutes (up 5m), try the following:

```
alarm: fail2ban
on: fail2ban.jails_in_jail
lookup: sum -10s
every: 10s
warn: $this > 3
delay: up 5m down 1m multiplier 1.5 max 1h
info: fail2ban more then 3 in 5 minute
to: sysadmin
```

> and get notified

I mean via email or whatever notification method you are using.

Hello Ilyam,
thx for your answer. My Fail2ban configuration is banning permanently, so the „Ban-Counter“ is growing with any new ban. I want to be notified when fail2ban logs more than 3 new bans in 5 minutes.

Example:
22:00:00 Total Bans: 55
22:04:00 Total Bans: 58+ notify me (pushover)

Thx for your help.

Then we need the jails_bans chart, it contains the ban rate - check every 5 minutes the last 5 minutes of data. Would that do?

```
alarm: fail2ban
on: fail2ban.jails_bans
lookup: sum -5m
every: 5m
warn: $this > 3
delay: down 5m multiplier 1.5 max 1h
info: fail2ban more then 3 in 5 minute
to: sysadmin
```
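The difference between the two charts used in this thread, as an added example that is not part of any post and is not Netdata's own code: it parses constructed fail2ban log lines and evaluates `warn: $this > 3` once against the number of IPs currently in jail and once against the bans logged in the last 5 minutes. The sample log lines, the function names and the simplified lookup model are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed fail2ban.log lines (documentation IPs); bans are permanent, so no Unban lines.
# Simplified model of the two lookups, not Netdata's health engine.
SAMPLE_LOG = """\
2024-05-01 21:31:00,101 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.11
2024-05-01 21:38:00,412 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.12
2024-05-01 21:44:00,007 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.13
2024-05-01 21:52:00,230 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.14
2024-05-01 21:58:30,915 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.15
2024-05-01 22:01:10,120 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.21
2024-05-01 22:02:05,644 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.22
2024-05-01 22:03:40,318 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.23
2024-05-01 22:04:15,871 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.24
"""

LINE_RE = re.compile(r"^(\S+ \S+),\d+ fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[([^\]]+)\] (Ban|Unban) (\S+)")

def parse_events(text):
    """Return (time, jail, action, ip) for each Ban/Unban line."""
    hits = (LINE_RE.match(line) for line in text.splitlines())
    return [(datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2], m[3], m[4])
            for m in hits if m]

def in_jail(events, now):
    """Gauge of currently banned IPs (the jails_in_jail idea)."""
    banned = set()
    for ts, jail, action, ip in events:
        if ts <= now:
            (banned.add if action == "Ban" else banned.discard)((jail, ip))
    return len(banned)

def new_bans(events, now, window):
    """Bans logged in (now - window, now] (the `sum -5m` on jails_bans idea)."""
    return sum(a == "Ban" and now - window < ts <= now for ts, _, a, _ in events)

def evaluate(events, start, end, every=timedelta(minutes=5), threshold=3):
    """Per tick: (HH:MM, in_jail, gauge warn, new bans, rate warn)."""
    rows, now = [], start
    while now <= end:
        g, n = in_jail(events, now), new_bans(events, now, every)
        rows.append((now.strftime("%H:%M"), g, g > threshold, n, n > threshold))
        now += every
    return rows

if __name__ == "__main__":
    t0, t1 = datetime(2024, 5, 1, 21, 55), datetime(2024, 5, 1, 22, 10)
    for row in evaluate(parse_events(SAMPLE_LOG), t0, t1):
        print(row)
```

With permanent bans the in-jail condition is true at every tick, while the 5-minute ban count exceeds 3 only at the 22:05 tick that follows the burst.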

I will try and give you feedback tomorrow. Thanks so much.

Hello Ilyam8,

The config looks good, I believe it works. I will test for a few days and then give feedback again.

Thanks for your help.