diff --git a/spec/examples/fail2ban.rb b/spec/examples/fail2ban.rb
new file mode 100644
index 000000000..eb811465a
--- /dev/null
+++ b/spec/examples/fail2ban.rb
@@ -0,0 +1,28 @@
+require "test_utils"
+
+describe "fail2ban logs" do
+ extend LogStash::RSpec
+
+ # The logstash config goes here.
+ # At this time, only filters are supported.
+ config <<-CONFIG
+ filter {
+ grok {
+ pattern => "^%{TIMESTAMP_ISO8601:timestamp} fail2ban\.actions: %{WORD:level} \\[%{WORD:program}\\] %{WORD:action} %{IP:ip}"
+ singles => true
+ }
+ date {
+ match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
+ }
+ mutate {
+ remove => timestamp
+ }
+ }
+ CONFIG
+
+ sample "2013-06-28 15:10:59,891 fail2ban.actions: WARNING [ssh] Ban 95.78.163.5" do
+ insist { subject["program"] } == "ssh"
+ insist { subject["action"] } == "Ban"
+ insist { subject["ip"] } == "95.78.163.5"
+ end
+end
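Review bot: The escaping in the `pattern =>` line is inconsistent: the brackets are written `\\[` and `\\]` but the dot is written `\.`, and because `<<-CONFIG` is a double-quoted heredoc Ruby collapses `\.` to a bare `.` before the config reaches logstash, so the literal-dot intent is lost (the sample still matches only because `.` matches any character) while `\\[` correctly arrives as `\[`. For consistency with the bracket escapes, and so the pattern stays correct if it is copied into a real config, write `fail2ban\\.actions`. Separately, the `sample` block asserts `program`, `action` and `ip` but nothing about the `date` and `mutate` filters the spec configures; an assertion that `subject["timestamp"]` has been removed and one on the event's parsed timestamp would confirm those filters actually ran. Since the `date` filter sets no `timezone`, a timestamp assertion would presumably depend on the machine's local zone unless one is added, which is worth stating in the comment above `config`.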