BeatLog Report Documentation

Overview

*/report/

The report provides valuable information from your processed data. The duration of a "recent report", Known Devices, and other options can be set in the Report Settings. See the Custom Dates setting for report generation over a chosen time range.

Below is the overall summary shown at the top of the report. The Daily Action Counts chart summarizes key connections.

[image: report_top] Hover over any chart on the report for detailed data; see the demonstration page.

Daily Action Counts

  • fail2ban Finds (unique IP/filter), overlap of filters possible ... [filter] Found <IP> ...
  • fail2ban Bans (unique IP/filter), overlap of filters possible ... [filter] Ban <IP>
  • outside Visitors (unique IP), from error and access logs
  • fail2ban Ignores (total) ... [filter] Ignore <IP> ...
  • home Ignorable (total) - see bottom row of home summary table

[image: contents_0] [image: contents_1]

On the Report page, a Contents button is added to the navigation bar. It provides convenient scrolling to the report's sections.

[image: contents_2]

Settings

*/settings/#Report

The image shows the available Report Settings. All the settings shown were modified from their defaults. Report settings are on the same page as Geography Settings, and can be accessed from the Options drop-down menu.

[image: report_set]

Known Devices

Known Devices can be used to separate some Outside connections from the rest of the pack. They are identified by their user-agent (shown as "tech" in the report). Once Known Devices have been identified, they can be separated from, or excluded in, a number of report features.

Home Ignorable

The setting for fail2ban home ignores may seem redundant given the discussion in the Home section below. If fail2ban ignores are found, they are matched to home request(s) by timestamp and presented together in the Home Ignores table.

Because many requests can occur within a single second, and access.log has one-second time resolution while fail2ban.log has millisecond resolution, specifying which home connections should be ignored (ignorable) helps match the appropriate home requests to fail2ban ignores. Otherwise, excess matches may be presented.

The current implementation of fail2ban Home Ignores may be susceptible to SQL injection; use with caution [1].

usage

Report Setting value: (status ...); see the database querying documentation for help determining the setting.

```sql
-- SQL SELECTs in the Report:
-- Home Ignores (the time-range selection is omitted from this example).
SELECT DISTINCT date_trunc('second', fail2ban.date) AS "time", filter, <access_info>
FROM "fail2ban" INNER JOIN "access" ON date_trunc('second', fail2ban.date) = access.date
WHERE access.home = True AND fail2ban.home = True AND fail2ban.action = 'Ignore'

-- The Home Ignorable setting is appended here to further specify what might
-- have been ignored, e.g. 4xx status codes or non-HTTP/2 connections:
AND (status BETWEEN 400 AND 499 OR http < 20)
```

[1] If BeatLog is used on a private, trusted network, it is unlikely that a bad fail2ban Home Ignores setting will harm your database, but it is probable that your Report will not load and will instead return a 500 error. Container logs may help in this case.
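One way to remove the injection risk noted above, as an added example that is not BeatLog's own code: validate the Home Ignorable setting against a small allowlisted grammar and emit a parameterized fragment instead of splicing the raw string into the query. It assumes psycopg-style %s placeholders and that only the status and http columns are tested; anything outside the grammar (quotes, semicolons, comments, other columns) is rejected.

```python
import re

# Assumed allowlist: the access-table columns the page's example setting tests;
# a token is an integer, a comparison operator or a bare word (column/keyword).
ALLOWED_COLUMNS = {"status", "http"}
COMPARATORS = {"=", "<", ">", "<=", ">=", "<>"}
_TOKEN = re.compile(r"\s*(?:(\d+)|(<=|>=|<>|[<>=])|([A-Za-z_]\w*))")

def tokenize(text):
    """Split the setting into tokens; any other character (quotes, ';', '--') is rejected."""
    text, tokens, pos = text.strip(), [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at {text[pos:]!r}")
        tokens.append(next(g for g in m.groups() if g))
        pos = m.end()
    return tokens

def compile_ignorable(setting):
    """Return (sql_fragment, params) for a Home Ignorable setting. Grammar:
    term (OR term)*, term := col CMP int | col BETWEEN int AND int; ints become %s params."""
    tokens, pos = tokenize(setting), 0

    def take(want=None):
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("setting ends unexpectedly")
        tok, pos = tokens[pos], pos + 1
        if want is not None and tok.upper() != want:
            raise ValueError(f"expected {want}, got {tok!r}")
        return tok

    parts, params = [], []
    while True:
        col, op = take(), take()
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column {col!r} is not allowed")
        if op.upper() == "BETWEEN":
            lo, _, hi = take(), take("AND"), take()
            parts.append(f"{col} BETWEEN %s AND %s")
            params += [lo, hi]
        elif op in COMPARATORS:
            parts.append(f"{col} {op} %s")
            params.append(take())
        else:
            raise ValueError(f"unsupported operator {op!r}")
        if not all(p.isdigit() for p in params):
            raise ValueError("values must be plain integers")
        if pos == len(tokens):
            return "(" + " OR ".join(parts) + ")", [int(p) for p in params]
        take("OR")
```

The returned fragment is appended to the WHERE clause of the Home Ignores query above and the params list passed to cursor.execute, so the setting can never change the query's structure.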

Custom Dates

*/settings/#Custom

The form to generate Maps or Reports over a user-defined date range is on the bottom of the Report and Geography Settings page, and can also be accessed from the Options drop-down menu.

[image: custom]

You can get a sense of how the report looks and feels by checking out the demonstration page. Some links on the page are disabled, and some data has been modified or redacted for sharing. Links to the various sections of the demo report will be provided with each corresponding section on the documentation.

Home |demo|

The home connections are summarized in a few tables and bar charts. I have strict fail2ban filters set up for connections that:

  1. do not use HTTP/2, i.e. HTTP/1.0 or HTTP/1.1 connections
  2. return 4xx status codes, client errors

Therefore, I flag these connections as home ignorable, as indicated in the bottom row of the summary table and in the Daily Action Counts chart above. Daily Action Counts above shows a fortunate situation: despite a number of home ignorable connections, no fail2ban filters registered ignores. This suggests that the exceptions (ignoreregex) in my strict filters are allowing what I want them to.

[image: report_home] [image: report_home2]

Note DSub and the blurred user-agents in the Home Devices table. These are used in the Known Devices setting, to separate certain Outside connections.

As discussed above, no fail2ban home ignores were found in the report duration. If they were, they would be presented in the Home Summary, as shown below.

Home Ignores

[image: Report_Home_ignore] [image: Report_Home_ignored]

The 404 status returns were caught by the nginx-http filter. These requests would have resulted in a ban if the IP were not ignored, as set in jail.local.

Outside |demo|

Outside provides more detail than Home. The Hit Counts by Log chart (top-right) lists the number of IPs that had a certain number of connections ("hits"). For unwanted visitors, the number of hits should be low. The graph below indicates that most visitors (>100) had only one connection to the server.

[image: report_outside1]

Note that one Outsider had 5 requests. It is also shown in the Frequent Visitors table, which indicates that the IP's 5 hits occurred within one second, and it was promptly banned.

[image: report_outside1]

As referenced in the Home Devices table, a separate Frequent Visitors - Known Devices table is provided due to the report settings. These IPs were separated based on their user-agents (tech), and are not shown in the Hit Counts by Log table.

A number of Top 10 tables are presented in the Outside section. The data in these tables may help design fail2ban filters. Top 10 tables also show the average data returned by the requests.

[image: report_outside2]

Again, the report settings allow Known Devices to be separated into their own tables.

[image: report_outside3]

fail2ban |demo|

The fail2ban section provides a bar chart summarizing the filters used (and a table of unused filters, if present). A section of the recent-actions table is shown in the image; it can serve as a sanity check: are filters finding, and then banning, IPs as expected given their number of retries?

[image: report_f2b]

Not shown in the image are the filtrate tables: any outside connections from IPs that were not found or banned by fail2ban are listed according to their log.

Filtrate

[image: Report_fail2ban_filtrate1] [image: Report_fail2ban_filtrate2]

These visitors were not picked up by fail2ban, at least within the duration of the report. They would be prime candidates for the Beat Button!

Beat Button

On the right side of the navigation bar is a text-box combined with a Beat button. This is intended as a companion when reviewing logs or the Report. Enter a valid IP address and press the button to open a new tab showing recent connections and fail2ban entries matching the IP address.

In this example, the Top 10 Data Transfers will be referenced to supply an IP address.

[image: beat1]

The connection from the table is the only one from 54.226.246.60 in the database. This same connection was Found and Banned by fail2ban.

[image: beat2]

The Database Explorer can provide deeper looks into a visitor, if 10 hits is not enough.