Clearing out Fail2ban log files

My system (FreePBX 13.0.191.11) keeps running out of disk space and the issue is the Fail2ban log files. There is a 1.35GB fail2ban.2 file that is 5 months old. The fail2ban.1, fail2ban.3, fail2ban.4, fail2ban.5 & fail2ban.6 files all seem to be truncated. Is there any way that I can truncate the logs? I tried issuing:

service fail2ban stop
truncate -s 0 /var/log/fail2ban.log
service fail2ban restart

But it didn’t reduce the log files at all.

Is it possible to stop the service and just delete all of the Fail2ban files in the /var/log/asterisk directories? Does anyone have any suggestions as to how to keep these log files maintained at a minimal level?

The largest files, in order of size, are as follows:

fail2ban.2 = 1.35GB
fail2ban-20171011 = 1.16GB
fail2ban-20171012 = 999,913KB
fail2ban-20171016 = 588,384KB
fail2ban-20171017 = 171,427KB
fail2ban-20171013 = 85,883KB
fail2ban-20171014 = 61,299KB
fail2ban-20171015 = 20,902KB

Modify the /etc/logrotate.d/fail2ban file

man logrotate

Hi Dicko,

Many thanks for the response. I’ve been trying to follow up on your suggestion to see what “man logrotate” means, but I am not too sure I have done anything of value.

My fail2ban file now shows:

/var/log/fail2ban.log {
    missingok
    # Customization: compress log files to save disk space
    compress
    # Customization: decrease log retention time from the default 7 days
    rotate 5
    notifempty
    size 30k
    create 0600 root root
    postrotate
        /usr/bin/fail2ban-client set logtarget /var/log/fail2ban.log 1>/dev/null || true
        #/usr/bin/fail2ban-client reload 2> /dev/null || true
    endscript
}

But there are still 7 fail2ban-YYYYMMDD files in the /var/log/asterisk directory, and there is still a 1.35GB fail2ban.2 file dated 17th May 2017 (5 months old).

Do you have any pointers, or is there any chance that you can elaborate?

I would examine the logs and try to figure out what’s filling them up and correct it. Could be a really low registration timeout, could be an indication of attacks on the server, could be a forgotten extension on a whitelisted network repeatedly trying to authenticate with a bad username/secret.
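Added example (not part of the thread, and not code from any poster): one way to see what is filling a fail2ban log, by counting lines per day and Ban events per jail and address. The line layout, the jail names and the sample lines are assumptions constructed for illustration; adjust the field matching to what your own log shows.

```shell
#!/bin/sh
# Assumed line layout (constructed, fail2ban 0.8-style):
#   DATE TIME COMPONENT: LEVEL [jail] Ban|Unban IP

# Constructed sample log; addresses are from documentation ranges.
f2b_sample() {
    cat <<'EOF'
2017-10-11 03:12:01,101 fail2ban.actions: WARNING [asterisk-iptables] Ban 203.0.113.7
2017-10-11 03:22:01,407 fail2ban.actions: WARNING [asterisk-iptables] Unban 203.0.113.7
2017-10-11 03:22:09,913 fail2ban.actions: WARNING [asterisk-iptables] Ban 203.0.113.7
2017-10-11 03:32:10,220 fail2ban.actions: WARNING [asterisk-iptables] Unban 203.0.113.7
2017-10-11 03:32:15,002 fail2ban.actions: WARNING [asterisk-iptables] Ban 203.0.113.7
2017-10-12 00:01:44,518 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.23
EOF
}

# Lines per day, busiest day first: shows when the log grew.
f2b_lines_per_day() {
    awk '{ n[$1]++ } END { for (d in n) print n[d], d }' "$1" | sort -rn
}

# Ban events per jail and address, busiest first: shows who caused it.
f2b_top_bans() {
    awk '{
        for (i = 1; i <= NF - 2; i++)
            if ($i ~ /^\[.*\]$/ && $(i + 1) == "Ban")
                n[$i " " $(i + 2)]++
    } END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Demo on the constructed sample; point "$log" at a real log file instead.
log=$(mktemp)
f2b_sample > "$log"
echo "Lines per day:";  f2b_lines_per_day "$log"
echo "Bans per jail and address:"; f2b_top_bans "$log"
rm -f "$log"
```

An address that is banned again shortly after each unban points to a persistent source rather than a misconfigured phone that would stop once corrected.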

You apparently have 2 logrotate files; the one you quote can be deleted, and then look for the one with dateext in it.

logrotate -v /etc/logrotate.conf |less

Hi Dicko, much appreciation for your help. I removed the files and there were no side effects. There was a day where someone was trying to force their way on to the pbx, and this seems to have filled up the log. I am not sure why there was a file that was months old, and still need to investigate at some point, but for the time being the HDD has a bit more room.