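# Filebeat filestream input for fail2ban's own log file.
#
# Each ban / unban / detection line is tagged for ECS and tokenized with
# dissect into `fail2ban.*` fields; `fail2ban.ip` is converted to an IP so it
# can be joined against other sources (auth logs, firewall, threat lists).
# Only the "Ban", "Unban" and "Found" line shapes are modelled below.
- type: filestream
  # NOTE(review): filestream keeps its read offset under this id; renaming
  # it is expected to re-read the file from the start — confirm against the
  # Filebeat version in use before changing it.
  id: fail2ban
  enabled: true
  paths:
    - /var/log/fail2ban.log
  # include_lines entries are regular expressions, matched case-sensitively.
  # 'Ban' also matches "Unban" and any other line containing that substring
  # (e.g. "Restore Ban" on newer fail2ban releases, if present); such lines
  # reach the NOTICE tokenizer, which only expects "<action> <ip>", and may
  # fail to dissect. Check a sample of the live log for shapes not covered.
  include_lines: ['Ban', 'Unban', 'Found']
  processors:
    # service.type and event.module are single-valued keyword fields in ECS,
    # so they are set with add_fields (scalar values). add_tags would write
    # a one-element array, which mismatches ECS and confuses consumers that
    # expect a plain string. target: '' places the fields at the event root.
    - add_fields:
        target: ''
        fields:
          service:
            type: fail2ban
          event:
            module: fail2ban
    # event.category is an array field in ECS and `intrusion_detection` is
    # one of its allowed values, so add_tags is appropriate here.
    - add_tags:
        tags: ['intrusion_detection']
        target: "event.category"
    # INFO lines, e.g. fail2ban.filter "Found <ip> - <date> <time>": the
    # trailing detection time is discarded with the two anonymous %{} keys.
    # NOTE(review): the two %{+timestamp} pieces are joined by the dissect
    # append behaviour — confirm fail2ban.timestamp renders as "<date> <time>"
    # on a sample event before building detections or date parsing on it.
    # NOTE(review): ignore_failure is left at its default; a line this
    # tokenizer cannot match logs a processor error. Verify on the deployed
    # version whether such an event is still shipped — for a security source
    # it is usually preferable that the raw message is never lost
    # (`ignore_failure: true` keeps the original event when dissect fails).
    - dissect:
        when:
          contains:
            message: "INFO"
        tokenizer: "%{+timestamp} %{+timestamp} %{component->} [%{pid}]: %{log_level->} [%{jail}] %{action} %{ip|ip} - %{} %{}"
        field: "message"
        target_prefix: "fail2ban"
    # NOTICE lines, e.g. fail2ban.actions "Ban <ip>" / "Unban <ip>".
    # Same timestamp and ignore_failure caveats as the INFO tokenizer above.
    - dissect:
        when:
          contains:
            message: "NOTICE"
        tokenizer: "%{+timestamp} %{+timestamp} %{component->} [%{pid}]: %{log_level->} [%{jail}] %{action} %{ip|ip}"
        field: "message"
        target_prefix: "fail2ban"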