[Feature] Easily accessible log file for fail2ban

[DrD4ffy]

I have searched the existing feature requests, both open and closed, to make sure this is not a duplicate request.

• Yes

The feature

Short
Immich should write a log file to the host system outside the Docker container to improve accessibility. This would considerably simplify the installation of fail2ban.

Long
I tried to setup fail2ban for my immich instance on a Synology NAS. Once I successfully setup fail2ban for Vaultwarden I thought this couln't be so hard, another logfile, another filter expression ...

But the issue is the log file.

While Vaultwardens log file is accessible on the host system and can be mapped to the fail2ban container for scanning, this is not possible with Immich. I had a look at the community guide about fail2ban, but this is not so much a guide, but more of a riddle where you have to put a lot of parts together: journald or syslog? And where exactly are my logs redirected to? /var/log/messages? /var/log/syslog? And even then you can't be sure that it applies to your setup.

All these problems and ambiguities are solved if the log file is accessible outside the container on the host system, as is the case with Vaultwarden. Without special toosl or OS knowledge you know where it is, you can see it, you can check it and you can make it accessible to fail2ban.

Platform

• Server
• Web
• Mobile

[danieldietzler]

By writing to stdout we let docker do the log handling, which offers much more flexibility. For an overview of which drivers you can use with docker out of the box, check out https://docs.docker.com/engine/logging/configure/#supported-logging-drivers :)

[DrD4ffy]

Probably it's my lack of experience with linux, but the issue with all the Docker logging drivers is that I end up in OS places I am not supposed to mess with. Redirecting to syslog will probably log in /var/log/syslog.log. On a Synoloogy NAS (I could imagine the same problem on other NAS) this is hidden from the user. I can ssh into my NAS, navigate to this path and see that there is such a file, but open it and look inside is the next problem. I tried to mount this file to the fail2ban container and check this file for failed logins. I don't get any error message, fail2ban is running, but no failed logins are found. Why? I don't know.
Has anyone in your team experience with Synology NAS and can give advise on how fail2ban can actually work on a Synology NAS? As said, the patchwork in the community guide was not helpful.

[danieldietzler]

I personally don't. I'd recommend joining our discord though (https://discord.immich.app), I think you'll have the highest chances of success asking there :)