Is it possible to configure my fail2ban jail.conf to inspect the Docker logs instead of mounting the log in the host? For example, to set the logpath to the path of the log of the container.
Jail.conf:
...
#example
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/lib/docker/containers/819564257d4*/*e0923e-json.log
...
But this doesn't do much, because there is a little difference between the docker logs command and the log file:
# docker logs @nginx_container_name
2016/03/23 12:39:52 [error] 6#6: *350 upstream prematurely closed connection while reading response header from upstream, client: @ATTACKER_IP, server: @MY_DNS, request: "GET /Blog/wp-login.php HTTP/1.1", upstream: "http://172.17.0.3:8001/Blog/wp-login.php", host: "@MY_IP:80"
@ATTACKER_IP - - [23/Mar/2016:12:39:52 +0000] "GET /Blog/wp-login.php HTTP/1.1" 502 173 "-" "Python-urllib/2.7"
# cat /var/lib/docker/containers/819564257d4*/*e0923e-json.log
{"log":"2016/03/23 12:39:52 [error] 6#6: *350 upstream prematurely closed connection while reading response header from upstream, client: @ATTACKER_IP, server: @MY_DNS, request: \"GET /Blog/wp-login.php HTTP/1.1\", upstream: \"http://172.17.0.3:8001/Blog/wp-login.php\", host: \"@MY_IP:80\"\n","stream":"stdout","time":"2016-03-23T12:39:52.219982304Z"}
{"log":"@ATTACKER_IP - - [23/Mar/2016:12:39:52 +0000] \"GET /Blog/wp-login.php HTTP/1.1\" 502 173 \"-\" \"Python-urllib/2.7\"\n","stream":"stdout","time":"2016-03-23T12:39:52.421767592Z"}
I'm actually mounting the log file into the host and I know that this is stupid, so my question is:
- Is there any way to make rsyslog read the JSON log file of the Docker nginx container?
- If not, how to configure Docker to produce a syslog log format?
- If not, how to configure syslog in the container in order to pass the log to my host?
Thanks !
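An added example, not part of the original post, showing how the two formats in the question relate: each line of the json-file log wraps one line of docker logs output in its "log" field, so unwrapping it recovers the plain nginx text that line-based filters expect. The sample lines, the address 203.0.113.7, the name example.test and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample in Docker's json-file format (one JSON object per line).
# 203.0.113.7 and example.test are placeholders, not values from the post.
SAMPLE = [
    '{"log":"2016/03/23 12:39:52 [error] 6#6: *350 upstream prematurely closed '
    'connection while reading response header from upstream, client: 203.0.113.7, '
    'server: example.test, request: \\"GET /Blog/wp-login.php HTTP/1.1\\", '
    'host: \\"example.test:80\\"\\n","stream":"stdout",'
    '"time":"2016-03-23T12:39:52.219982304Z"}',
    '{"log":"203.0.113.7 - - [23/Mar/2016:12:39:52 +0000] '
    '\\"GET /Blog/wp-login.php HTTP/1.1\\" 502 173 \\"-\\" '
    '\\"Python-urllib/2.7\\"\\n","stream":"stdout",'
    '"time":"2016-03-23T12:39:52.421767592Z"}',
    '{"log":"truncated entry',  # partial write, must be skipped
]

# nginx error-log lines carry the address after "client:"; access-log lines
# (combined format) start with it.
ERROR_CLIENT = re.compile(r"\[error\].*?, client: (?P<host>[0-9a-fA-F.:]+),")
ACCESS_CLIENT = re.compile(r"^(?P<host>[0-9a-fA-F.:]+) - \S+ \[")


def unwrap(lines):
    """Yield the plain text that docker logs would print for each JSON line."""
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip partial or corrupt lines instead of crashing
        if isinstance(entry, dict) and isinstance(entry.get("log"), str):
            yield entry["log"].rstrip("\n")


def client_of(message):
    """Return the client address from an nginx error or access line, else None."""
    m = ERROR_CLIENT.search(message) or ACCESS_CLIENT.match(message)
    return m.group("host") if m else None


if __name__ == "__main__":
    for msg in unwrap(SAMPLE):
        print(client_of(msg), "|", msg)
```
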