4.2. Logging

The key concept behind WPf2b is logging Events to syslog. If WPf2b doesn’t log an Event, or logs it to the wrong place, fail2ban won’t work as it should. If in doubt, go with the defaults: they should work for most systems, and once you understand how the pieces fit together you can revisit this.

4.2.1. Choosing the Events to Log

If you’re unfamiliar with fail2ban and syslog, I recommend not enabling any extra logging to start with; skip ahead to configuring fail2ban. WPf2b automatically handles the most important things with sensible defaults that should work for most systems.

4.2.2. Advanced Users

4.2.2.1. Events

Over the years WPf2b has accumulated a lot of logging ability (and there’s even more on the way):

Event                                        Reference
-------------------------------------------  ----------------------------------
Auth OK                                      WP_FAIL2BAN_AUTH_LOG
Auth Fail                                    WP_FAIL2BAN_AUTH_LOG
Blocked User                                 WP_FAIL2BAN_BLOCKED_USERS
Blocked User Enumeration                     WP_FAIL2BAN_BLOCK_USER_ENUMERATION
Blocked Username Login                       WP_FAIL2BAN_BLOCK_USERNAME_LOGIN
Comment                                      WP_FAIL2BAN_LOG_COMMENTS
Comment: Spam                                WP_FAIL2BAN_LOG_SPAM
Attempted Comment: Post not found            WP_FAIL2BAN_LOG_COMMENTS_EXTRA
Attempted Comment: Closed post               WP_FAIL2BAN_LOG_COMMENTS_EXTRA
Attempted Comment: Trash post                WP_FAIL2BAN_LOG_COMMENTS_EXTRA
Attempted Comment: Draft post                WP_FAIL2BAN_LOG_COMMENTS_EXTRA
Attempted Comment: Password-protected post   WP_FAIL2BAN_LOG_COMMENTS_EXTRA
Pingback                                     WP_FAIL2BAN_LOG_PINGBACKS
Pingback error                               WP_FAIL2BAN_PINGBACK_ERROR_LOG

You should consider enabling Comment: Spam and Attempted Comment: Closed post, and, if you don’t use WordPress’s commenting system at all, you should enable all the Attempted Comment Events.

4.2.2.2. Facilities

By default, WPf2b uses the following syslog Facilities and Levels:

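What                               Default    Level
---------------------------------  ---------  ------
Auth OK                            LOG_AUTH   INFO
Auth Fail                          LOG_AUTH   NOTICE
Blocked User                       LOG_AUTH   NOTICE
Blocked User Enum                  LOG_AUTH   NOTICE
Comment                            LOG_USER   INFO
Comment: Spam                      LOG_AUTH   NOTICE
Comment: Post not found            LOG_AUTH   NOTICE
Comment: Closed post               LOG_AUTH   NOTICE
Comment: Trash post                LOG_AUTH   NOTICE
Comment: Draft post                LOG_AUTH   NOTICE
Comment: Password-protected post   LOG_AUTH   NOTICE
Pingback                           LOG_USER   INFO
Pingback error                     LOG_AUTH   NOTICE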

Unfortunately, there is no way of knowing a priori which Facility goes where. The Logfile Reference has a table of default locations for various OSs; if you’re running something not listed there and you know where the various Facilities go, please either submit a PR on GitHub, or let me know in the forum.
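To work out where a Facility goes on a given host, you can resolve the syslog daemon's selector rules against the defaults in the table above. The following is an added example, not part of WPf2b: the rules and file paths are a constructed Debian-like sample, and only classic `facility.priority` selectors (`*`, `none`, `=priority`) are handled.

```python
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample rules in classic syslog.conf selector syntax (assumption:
# a Debian-like layout; your system's rules and paths will differ).
SAMPLE_RULES = """\
auth,authpriv.*             /var/log/auth.log
*.*;auth,authpriv.none      -/var/log/syslog
user.*                      -/var/log/user.log
mail.err                    /var/log/mail.err
"""

def selector_matches(selectors, facility, severity):
    """True if a ';'-separated selector list accepts facility.severity."""
    sev = SEVERITIES.index(severity)
    matched = False
    for selector in selectors.split(";"):
        facilities, _, priority = selector.rpartition(".")
        names = facilities.split(",")
        if "*" not in names and facility not in names:
            continue
        # The last selector naming this facility decides the outcome.
        if priority == "none":
            matched = False
        elif priority == "*":
            matched = True
        elif priority.startswith("="):
            matched = sev == SEVERITIES.index(priority[1:])
        else:  # plain priority means "this severity or more urgent"
            matched = sev <= SEVERITIES.index(priority)
    return matched

def destinations(rules, facility, severity):
    """List the log files that receive a message with this facility and level."""
    files = []
    for line in rules.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or line.lstrip().startswith("#"):
            continue
        selectors, action = parts[0], parts[1].strip().lstrip("-")
        if action.startswith("/") and selector_matches(selectors, facility, severity):
            files.append(action)
    return files

if __name__ == "__main__":
    # Defaults from the table above: LOG_AUTH -> "auth", LOG_USER -> "user".
    for event, fac, sev in [("Auth OK", "auth", "info"), ("Auth Fail", "auth", "notice"),
                            ("Comment", "user", "info"), ("Pingback error", "auth", "notice")]:
        print(f"{event:15} {fac}.{sev:7} -> {destinations(SAMPLE_RULES, fac, sev)}")
```

The file reported for Auth Fail is the one fail2ban needs to read; if the list is empty, the Event is being logged but not written anywhere fail2ban can see it.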