---
title: ''
description: Telegraf plugin for collecting metrics from Fail2ban
url: https://docs.influxdata.com/telegraf/v1/input-plugins/fail2ban/
estimated_tokens: 622
product: Telegraf Controller
version: v1
publisher: InfluxData
canonical: https://docs.influxdata.com/telegraf/v1/input-plugins/fail2ban/
date: '2026-05-21T20:10:18+02:00'
lastmod: '2026-05-21T20:10:18+02:00'
---

* Telegraf v1.4.0+

[Plugin source](https://github.com/influxdata/telegraf/tree/v1.39.0/plugins/inputs/fail2ban/) | [Download configuration](https://raw.githubusercontent.com/influxdata/telegraf/refs/tags/v1.39.0/plugins/inputs/fail2ban/sample.conf)

# Fail2ban Input Plugin

This plugin gathers the count of failed and banned IP addresses using [fail2ban](https://www.fail2ban.org) by running the `fail2ban-client` command.

> [!Note]
> The `fail2ban-client` command requires root access, so either allow Telegraf
> to run that command using `sudo` without a password or run Telegraf as root
> (not recommended).

**Introduced in:** Telegraf v1.4.0
**Tags:** network, system
**OS support:** all

## Global configuration options

Plugins support additional global and plugin configuration settings for tasks
such as modifying metrics, tags, and fields, creating aliases, and configuring
plugin ordering. See [CONFIGURATION.md](/telegraf/v1/configuration/#plugins) for more details.

## Configuration

```toml
# Read metrics from fail2ban.
[[inputs.fail2ban]]
  ## Use sudo to run fail2ban-client
  # use_sudo = false

  ## Use the given socket instead of the default one
  # socket = "/var/run/fail2ban/fail2ban.sock"
```

## Using sudo

Make sure to set `use_sudo = true` in your configuration file.

You will also need to update your sudoers file. It is recommended to modify a
file in the `/etc/sudoers.d` directory using `visudo`:

```bash
sudo visudo -f /etc/sudoers.d/telegraf
```

Add the following lines to the file. They allow the `telegraf` user to call
`fail2ban-client` without providing a password and disable logging of the call
in `auth.log`. The command alias covers only the `status` subcommand, and
`NOEXEC` prevents the permitted command from executing further programs.
Consult `man 8 visudo` and `man 5 sudoers` for details.

```text
Cmnd_Alias FAIL2BAN = /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status *
telegraf  ALL=(root) NOEXEC: NOPASSWD: FAIL2BAN
Defaults!FAIL2BAN !logfile, !syslog, !pam_session
```

## Metrics

* fail2ban
  * tags:
    * jail

  * fields:
    * failed (integer, count)
    * banned (integer, count)

## Example Output

```text
fail2ban,jail=sshd failed=5i,banned=2i 1495868667000000000
```

### Execute the binary directly

```shell
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed:     20
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned:     10
   `- Banned IP list:   192.168.0.1 192.168.0.2
```
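
The mapping from the status output above to the metric line under Example Output, as an added example (not the plugin's own code). The names `parseJailStatus` and `lineProtocol` are hypothetical, and the sample input is constructed from the output shown on this page.

```go
package main
import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample: the `fail2ban-client status sshd` output shown on this page.
const sampleStatus = "Status for the jail: sshd\n|- Filter\n|  |- Currently failed: 5\n" +
	"|  |- Total failed:     20\n|  `- File list:        /var/log/secure\n" +
	"`- Actions\n   |- Currently banned: 2\n   |- Total banned:     10\n" +
	"   `- Banned IP list:   192.168.0.1 192.168.0.2\n"

// parseJailStatus (hypothetical) returns the jail and its "Currently" counters.
func parseJailStatus(out string) (jail string, failed, banned int64, err error) {
	counts := map[string]int64{}
	for _, raw := range strings.Split(out, "\n") {
		// Strip the tree-drawing prefix, then split "key: value" at the first colon.
		kv := strings.SplitN(strings.TrimLeft(raw, " |`-"), ":", 2)
		if len(kv) != 2 {
			continue
		}
		val := strings.TrimSpace(kv[1])
		switch kv[0] {
		case "Status for the jail":
			jail = val
		case "Currently failed", "Currently banned":
			if counts[kv[0]], err = strconv.ParseInt(val, 10, 64); err != nil {
				return "", 0, 0, fmt.Errorf("bad counter in %q: %w", raw, err)
			}
		}
	}
	if jail == "" || len(counts) != 2 {
		return "", 0, 0, fmt.Errorf("incomplete status output for jail %q", jail)
	}
	return jail, counts["Currently failed"], counts["Currently banned"], nil
}

// lineProtocol (hypothetical) renders the metric in the shape of Example Output.
func lineProtocol(jail string, failed, banned, tsNanos int64) string {
	esc := strings.NewReplacer(",", `\,`, " ", `\ `, "=", `\=`) // tag-value escaping
	return fmt.Sprintf("fail2ban,jail=%s failed=%di,banned=%di %d", esc.Replace(jail), failed, banned, tsNanos)
}

func main() {
	if jail, f, b, err := parseJailStatus(sampleStatus); err == nil {
		fmt.Println(lineProtocol(jail, f, b, 1495868667000000000))
	}
}
```

Only the "Currently" counters become fields. The "Total" counters and the banned IP list are ignored, and output that lacks either counter is rejected rather than reported as zero.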
