From 6b2a5bdf071b4bacdfd15a532d23014ca99ee271 Mon Sep 17 00:00:00 2001
From: Kazuhiro MUSASHI <simoom634@yahoo.co.jp>
Date: Sat, 26 Sep 2020 17:20:04 +0900
Subject: [PATCH] Add monitoring condition for the logs containing "already
 banned".

---
 .../promtail/templates/etc/promtail/base.yaml   | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/cookbooks/promtail/templates/etc/promtail/base.yaml b/cookbooks/promtail/templates/etc/promtail/base.yaml
index 1be2338..feebf11 100644
--- a/cookbooks/promtail/templates/etc/promtail/base.yaml
+++ b/cookbooks/promtail/templates/etc/promtail/base.yaml
@@ -158,7 +158,7 @@ scrape_configs:
       labels:
         job: fail2ban
         hostname: <%= @HOSTNAME %>
-        level: notice
+        level: info
         __path__: /var/log/fail2ban.log
 
     pipeline_stages:
@@ -168,7 +168,6 @@ scrape_configs:
         - regex:
             expression: '^(?P<timestamp>[0-9]+\-[0-9]+\-[0-9]+ [0-9]+:[0-9]+:[0-9]+),[0-9]+ [^:]+: (?P<level>[^ ]+)[^\[]+(?P<message>.+)$'
 
-
         - timestamp:
             source: timestamp
             format: 2006-01-02 15:04:05
@@ -184,6 +183,20 @@ scrape_configs:
         - output:
             source: message
 
+    - match:
+        selector: '{job="fail2ban"} |~ "already banned"'
+        stages:
+        - regex:
+            expression: '^(?P<timestamp>[0-9]+\-[0-9]+\-[0-9]+ [0-9]+:[0-9]+:[0-9]+),[0-9]+ [^:]+: (?P<level>[^ ]+)[^\[]+(?P<message>.+)$'
+
+        - timestamp:
+            source: timestamp
+            format: 2006-01-02 15:04:05
+            location: Asia/Tokyo
+
+        - output:
+            source: message
+
   - job_name: promtail
     static_configs:
     - targets: