Ellis monitors journald for specific entries and triggers actions based on them.



Ellis monitors systemd-journald logs for specific entries and triggers actions based on them.

Ellis can obviously be used as an Intrusion Prevention System (IPS) but can also be used in a more general way to run a Python script whenever a pattern appears in the logs.


I started Ellis as a pet project with two ideas in mind:

  • I wanted to build something based on Python's asyncio framework because it looked very interesting and powerful - I needed to learn more about it!
  • I also wanted to be warned whenever someone would successfully log on to my PC through SSH.

And then I realized that the combination of these two ideas would make a perfect candidate! It then evolved into something more generic that looks a lot like the well-known fail2ban.

Ellis specifically focuses on systemd-journald. It's written in Python and uses the asyncio framework for better performance (well, I hope so).


  • Monitors systemd-journald logs for given patterns;
  • Executes given commands when a pattern has been detected more than N times;
  • Uses ipset or nftables to block traffic from malicious hosts;
  • Can send e-mails to warn you about something;
  • Handles multiple services (or systemd-units);
  • Single, simple config file.
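
The "pattern detected more than N times, then run an action" behaviour listed above can be sketched with asyncio as follows. This is an added illustration, not Ellis's own code or configuration format: the names `watch`, `block_host` and `run_demo`, the regular expression and the sample messages are all assumptions made for the example.

```python
import asyncio
import re
from collections import Counter

# Constructed sample journal messages (not real logs); the addresses come from
# the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_ENTRIES = [
    "Failed password for root from 203.0.113.7 port 4242 ssh2",
    "Failed password for invalid user admin from 203.0.113.7 port 4243 ssh2",
    "Accepted publickey for alice from 198.51.100.20 port 5151 ssh2",
    "Failed password for root from 203.0.113.7 port 4244 ssh2",
    "Failed password for bob from 198.51.100.20 port 5152 ssh2",
    "Failed password for root from 203.0.113.7 port 4245 ssh2",
]

# The greedy ".*" makes the match use the LAST " from <host> port <n>" in the
# message, so a crafted user name containing "from 1.2.3.4 port 1" cannot
# redirect the block to an address of the sender's choosing.
FAILED_LOGIN = re.compile(r"Failed password for .* from (?P<host>\S+) port \d+")


async def block_host(host, blocked):
    """Stand-in action; a deployment would add the host to an ipset or nftables set."""
    blocked.append(host)


async def watch(entries, pattern, limit, action):
    """Run `action` once per host that matches `pattern` more than `limit` times."""
    hits = Counter()
    blocked = []
    for message in entries:
        await asyncio.sleep(0)  # yield to the event loop between entries
        match = pattern.search(message)
        if match is None:
            continue
        host = match.group("host")
        hits[host] += 1
        if hits[host] == limit + 1:  # first entry that exceeds the limit
            await action(host, blocked)
    return blocked, dict(hits)


def run_demo(limit=3):
    """Process the constructed entries and return (blocked hosts, hit counts)."""
    return asyncio.run(watch(SAMPLE_ENTRIES, FAILED_LOGIN, limit, block_host))


if __name__ == "__main__":
    print(run_demo())
```
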

Installing and configuring

Please read the Wiki.

Contributing / Helping

Code reviews, patches, comments, bug reports and feature requests are welcome. Please read the Contributing guide for further details.