Solution #1: inotify vs gamin
If you don’t have it installed already, get python-inotify installed. Fail2ban should then automatically start using that library rather than gamin for log file updates. This is very helpful when it comes to servers with *many* log files. Details on how this is done here.
If that doesn’t cut it, try solution #2.
Solution #2: Add tail
By default fail2ban reads logs through from the head (top) of the log file all the way to the end. This is good to ensure maximal security, however it also presents disk I/O problems when working with very large log files — particularly on start-up.
To resolve this, fail2ban has a little known configuration option to tell it to tail the logs rather than read through each of the large files from the head. Unfortunately this must be applied on a per-jail basis.
Edit /etc/fail2ban/jail.conf and look for each entry of “logpath”. Immediately after the path, add a space character followed by: tail
logpath = /var/log/secure tail
If you’re running Plesk with Fail2ban, be sure to also do the same to each jail in /etc/fail2ban/jail.d/plesk.conf Unfortunately these files will likely be overwritten, so long-term it would be best to copy the whole logpath config over to /etc/fail2ban/jail.local. Unfortunately this is a somewhat involved process that we’ll get to at a later date.
Now restart fail2ban: service fail2ban restart