2017-05-23 12:39:10 +02:00
Enable Rsyslog to receive logs on 524/tcp at `rsyslog.conf` :
2017-05-06 00:22:26 +02:00
```
# This setting depends on your Rsyslog version and configuration format.
# For most Debian derivates it will work like this...
$ModLoad imtcp
$TCPServerAddress 127.0.0.1
$InputTCPServerRun 524
# ...while for Ubuntu 16.04 it looks like this:
module(load="imtcp")
input(type="imtcp" address="127.0.0.1" port="524")
# No matter your Rsyslog version, you should set this option to off
# if you plan to use Fail2ban
$RepeatedMsgReduction off
```
Restart rsyslog after enabling the TCP listener.
Now setup Docker daemon to start with the syslog driver.
This enables the syslog driver for all containers!
2017-05-23 12:39:10 +02:00
Linux users can add or change the configuration in `/etc/docker/daemon.json` . Windows users please have a look at the [docker documentation ](https://docs.docker.com/engine/reference/commandline/dockerd//#windows-configuration-file ) :
2017-05-06 00:22:26 +02:00
```
2017-05-23 12:39:10 +02:00
{
2017-05-06 00:22:26 +02:00
...
2017-05-23 12:39:10 +02:00
"log-driver": "syslog",
"log-opts": {
"syslog-address": "tcp://127.0.0.1:524"
}
2017-05-06 00:22:26 +02:00
...
2017-05-23 12:39:10 +02:00
}
2017-05-06 00:22:26 +02:00
```
2017-05-23 12:39:10 +02:00
!!! info
If you prefere the udp protocol use:
2017-05-23 12:40:54 +02:00
2017-05-23 12:39:10 +02:00
```
$ModLoad imudp
$UDPServerRun 524
```
at `rsyslog.conf` and `"syslog-address": "udp://127.0.0.1:524"` at `daemon.json` .
2017-05-06 00:22:26 +02:00
Restart the Docker daemon and run `docker-compose down && docker-compose up -d` to recreate the containers.
2017-05-23 12:39:10 +02:00
2017-05-06 00:22:26 +02:00
### Fail2ban
**This is a subsection of "Log to Syslog", which is required for Fail2ban to work.**
Open `/etc/fail2ban/filter.d/common.conf` and search for the prefix_line parameter, change it to ".*":
```
__prefix_line = .*
```
Create `/etc/fail2ban/jail.d/dovecot.conf` ...
```
[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/syslog
chain = FORWARD
```
and `jail.d/postfix-sasl.conf` :
```
[postfix-sasl]
enabled = true
filter = postfix-sasl
logpath = /var/log/syslog
chain = FORWARD
```
Restart Fail2ban.