{
"actions" : {
"Filter-out uninteresting services’ entries" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 4 }
} ,
{
"filter" : "filter_in" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "values" : [ "exportfs" , "gitea" , "haproxy" , "kill" , "ldapsearch" , "ldapwhoami" , "mandb" , "mount.davfs" , "movim" , "msmtp" , "postgres" , "prosody_auth" , "sa-compile" , "systemd-fsck" , "systemd-gpt-auto-generator" , "systemd-logind" ] } ,
"then" : "… NOOP"
}
] ,
"Filter-out uninteresting generic services’ entries" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 4 }
} ,
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "re" : [ "^ansible-" ] } ,
"then" : "… NOOP"
}
] ,
"Detect request errors with Nextcloud" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "uwsgi" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\[[^]]+\\] ([^ ]+) .*\\] ([A-Z]+ /[^?]*)(?:\\?.*)? => .*\\(HTTP/1.1 5..\\)" , "save" : [ "thatIP" , "HTTPrequest" ] } ,
"else" : "… Report insufficient buffer-size for Nextcloud QUERY_STRING"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Nextcloud answered HTTP 5xx to {thatIP} for {HTTPrequest}" , "details" : "FIRSTLAST" }
}
] ,
"… Report insufficient buffer-size for Nextcloud QUERY_STRING" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "MESSAGE" , "value" : "not enough buffer space to add QUERY_STRING variable, consider increasing it with the --buffer-size option" } ,
"else" : "… NOOP if PRIORITY 5+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "uWSGI rejected a Nextcloud request because QUERY_STRING did not fit in its buffer-size (raise --buffer-size)" }
}
] ,
"Detect successful XMPP logins" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "prosody" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "Authenticated as (.*)$" , "save" : [ "JID" ] } ,
"else" : "… Notify of unsecured XMPP servers"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login as {JID} by XMPP" , "details" : "NONE" }
}
] ,
"… Notify of unsecured XMPP servers" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "->(.*) closed: Encrypted server-to-server communication is required but was not offered$" , "save" : [ "xmppServer" ] } ,
"else" : "… NOOP if PRIORITY 3+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Connection to XMPP server {xmppServer} closed: it did not offer the required encrypted server-to-server communication" }
}
] ,
"Notify of unexpected HTTP disconnections" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "nginx" }
} ,
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"epoll_wait\\(\\) reported that client prematurely closed connection, so upstream connection is closed too while sending request to upstream, client: (?P<thatIP>[^,]+), server: , request: \"[^ ]+ (?P<urlPrefix>/[^/ \"]*)[^\"]*\"" ,
"client prematurely closed connection while sending to client, client: (?P<thatIP>[^,u][^,]+), server: , request: \"[^ ]+ (?P<urlPrefix>/[^/ \"]*)[^\"]*\""
] } ,
"else" : "… Warn of CONNECT attempts"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Client {thatIP} closed its connection prematurely while requesting {urlPrefix}" , "details" : "FIRSTLAST" }
}
] ,
"… Warn of CONNECT attempts" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : ", request: \"CONNECT [^ ]+ HTTP/[^\"]+\"$" } ,
"else" : "… Discard other HTTP debug entries"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Nginx received an HTTP CONNECT request on {_HOSTNAME} (likely an open-proxy probe)" }
}
] ,
"… Discard other HTTP debug entries" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 6 } ,
"then" : "… NOOP" ,
"else" : "… Detect successful HTTPS logins"
}
] ,
"… Detect successful HTTPS logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^.{19} \\[notice\\] [0-9]*#[0-9]*: \\*[0-9]* \\[lua\\] .* authenticate\\(\\): Connected as: ([^,]*), client: ([^,]*)," , "save" : [ "thatUser" , "thatIP" ] } ,
"else" : "… Detect failed HTTPS logins"
} ,
{
"action" : "action_counterReset" ,
"args" : { "counter" : "https" , "for" : "thatIP" , "graceSeconds" : 432000 }
} ,
{
"action" : "action_counterReset" ,
"args" : { "counter" : "https_recidive" , "for" : "thatIP" }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login from {thatIP} as {thatUser}@{_HOSTNAME} by HTTPS" , "details" : "NONE" }
}
] ,
"… Detect failed HTTPS logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "Redirect to: https://[^/]*/sso/\\?r=(.*), client: (?P<thatIP>.*), server: , request: \"POST /sso/\\?r=\\1 HTTP/1\\.1\", host: \"[^/]*\", referrer: \"https://[^/]*/sso/\\?r=\\1\"$" } ,
"else" : "… Detect abnormal HTTP 404 errors"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Failed login from {thatIP} on {_HOSTNAME} by HTTPS" , "details" : "FIRSTLAST" } ,
"then" : "… Check network before an HTTPS ban"
}
] ,
"… Detect abnormal HTTP 404 errors" : [
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"open\\(\\) \"[^\"]*\\.(?:cgi|php|pl|py|sh)\" failed \\(2: No such file or directory\\), client: (?P<thatIP>[^,]+)," ,
"Unable to open primary script: .*\\.(?:cgi|php|pl|py|sh) \\(No such file or directory[^,]+, client: (?P<thatIP>[^,]+),"
] } ,
"then" : "… Check network before an HTTPS ban" ,
"else" : "… Immediate warning for connectivity errors"
}
] ,
"… Check network before an HTTPS ban" : [
{
"filter" : "filter_inNetworks" ,
"args" : { "field" : "thatIP" , "nets" : [ "192.168.1.96/29" , "127.0.0.0/8" , "::1" ] } ,
"then" : "… NOOP" ,
"else" : "… Detect repeated HTTPS failures"
}
] ,
"… Detect repeated HTTPS failures" : [
{
"action" : "action_counterRaise" ,
"args" : { "counter" : "https" , "for" : "thatIP" , "keepSeconds" : 900 , "save" : "IPfailures" }
} ,
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "IPfailures" , "value" : 6 } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Ban of IP {thatIP} for HTTP abuse" }
} ,
{
"action" : "action_log" ,
"args" : { "message" : "nftBan from HTTP for {thatIP}" }
} ,
{
"action" : "action_nftBan" ,
"args" : { "IP" : "thatIP" , "banSeconds" : 7200 , "nftSetIPv4" : "ip Inet4 https_ban" , "nftSetIPv6" : "ip6 Inet6 https_ban" }
}
] ,
"… Immediate warning for connectivity errors" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^.{19} \\[crit\\] [0-9]*#[0-9]*: \\*[0-9]* connect\\(\\) to ([^ ]*) failed" , "save" : [ "nginxUpstream" ] } ,
"else" : "… Immediate warning for module version errors"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Nginx connectivity error" , "message" : "Nginx could not connect to {nginxUpstream} on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Nginx could not connect to {nginxUpstream}" , "details" : "FIRSTLAST" }
}
] ,
"… Immediate warning for module version errors" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "module \"([^\"]+)\" version [0-9]+ instead of [0-9]+ in /.*$" , "save" : [ "badModule" ] } ,
"else" : "… Immediate warning for LUA errors"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Bad Nginx module version" , "message" : "Nginx could not load a module on {_HOSTNAME}:\n{MESSAGE}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Nginx could not load module {badModule}" , "details" : "FIRSTLAST" }
}
] ,
"… Immediate warning for LUA errors" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "runtime error: ([^ ]+): (.*)$" , "save" : [ "luaFile" , "luaError" ] } ,
"else" : "… Warn of upstream HTTP disconnections"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Lua error in Nginx" , "message" : "Lua error in Nginx at {luaFile} on {_HOSTNAME}:\n{MESSAGE}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Nginx file {luaFile} ran into error: {luaError}" , "details" : "FIRSTLAST" }
}
] ,
"… Warn of upstream HTTP disconnections" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "(?:upstream prematurely closed connection|Connection reset by peer\\)) while reading response header from upstream.*, request: \"([^?\"]+)[^\"]*\", upstream: \"([^\"]+)\"" , "save" : [ "failedRequest" , "failedUpstream" ] } ,
"else" : "… NOOP if PRIORITY 3+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Nginx got disconnected from {failedUpstream} on request {failedRequest}" , "details" : "FIRSTLAST" }
}
] ,
"Detect successful IMAP logins" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "dovecot" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^imap-login: Login: user=<([^>]+)>, method=[^,]*, rip=([^,]+)," , "save" : [ "thatUser" , "thatIP" ] } ,
"else" : "… Detect IMAP resource hogs"
} ,
{
"action" : "action_counterReset" ,
"args" : { "counter" : "mail" , "for" : "thatIP" , "graceSeconds" : 432000 }
} ,
{
"action" : "action_counterReset" ,
"args" : { "counter" : "mail_recidive" , "for" : "thatIP" }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login from {thatIP} as {thatUser}@{_HOSTNAME} by IMAP" , "details" : "NONE" }
}
] ,
"… Detect IMAP resource hogs" : [
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"^imap-login: Disconnected \\(no auth attempts in [0-9]{2,} secs\\): user=<>, rip=(?P<thatIP>[^,]+)," ,
"^imap-login: Disconnected: Too many invalid commands.*, rip=(?P<thatIP>[^,]+),"
] } ,
"then" : "… Check network before an email ban" ,
"else" : "… Detect failed IMAP logins"
}
] ,
"… Detect failed IMAP logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^imap-login: Disconnected \\(auth failed, [0-9]+ attempts in [0-9]+ secs\\): user=<([^>]*)>.*, rip=([^,]+)," , "save" : [ "thatUser" , "thatIP" ] } ,
"else" : "… Discard Dovecot debug entries"
} ,
{
"filter" : "filter_userExists" ,
"args" : { "field" : "thatUser" } ,
"else" : "… Report inexisting IMAP user"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Failed IMAP login for an existing user" , "message" : "WARNING: Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by IMAP on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by IMAP" , "details" : "FIRSTLAST" } ,
"then" : "… Check network before an email ban"
}
] ,
"… Report inexisting IMAP user" : [
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by IMAP" , "details" : "FIRSTLAST" } ,
"then" : "… Check network before an email ban"
}
] ,
"… Check network before an email ban" : [
{
"filter" : "filter_inNetworks" ,
"args" : { "field" : "thatIP" , "nets" : [ "192.168.1.96/29" , "127.0.0.0/8" , "::1" ] } ,
"then" : "… NOOP" ,
"else" : "… Detect repeated mail failures"
}
] ,
"… Detect repeated mail failures" : [
{
"action" : "action_counterRaise" ,
"args" : { "counter" : "mail" , "for" : "thatIP" , "keepSeconds" : 86400 , "save" : "IPfailures" }
} ,
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "IPfailures" , "value" : 4 } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Ban of IP {thatIP} for mail abuse" }
} ,
{
"action" : "action_log" ,
"args" : { "message" : "nftBan from email for {thatIP}" }
} ,
{
"action" : "action_nftBan" ,
"args" : { "IP" : "thatIP" , "banSeconds" : 432000 , "nftSetIPv4" : "ip Inet4 mail_ban" , "nftSetIPv6" : "ip6 Inet6 mail_ban" }
}
] ,
"… Discard Dovecot debug entries" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 4 } ,
"then" : "… NOOP" ,
"else" : "… Warn of Dovecot-to-LDAP errors"
}
] ,
"… Warn of Dovecot-to-LDAP errors" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^auth: Error: LDAP: Can't connect to server: ldapi:" } ,
"else" : "… NOOP"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Dovecot-to-LDAP error" , "message" : "Dovecot could not connect to LDAP (ldapi) on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Dovecot could not connect to LDAP (ldapi)" , "details" : "FIRSTLAST" }
}
] ,
"Notify of Exim smarthost deliveries" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "exim" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : " => [^ ]+ R=smarthost T=remote_smtp H=([^ ]+ \\[[^]]+\\]) C=\"250 " , "save" : [ "smarthost" ] } ,
"else" : "… Notify of Exim local deliveries"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Email message sent through {smarthost}" , "details" : "NONE" }
}
] ,
"… Notify of Exim local deliveries" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "> [^ ]+ Saved\"$" } ,
"else" : "… Frozen Exim email"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Local email message delivered" , "details" : "NONE" }
}
] ,
"… Frozen Exim email" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "Message is frozen$" } ,
"else" : "… Warn of a failure for Exim"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Frozen email on {_HOSTNAME}." , "details" : "FIRSTLAST" }
}
] ,
"… Warn of a failure for Exim" : [
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"(?P<failReason>all spamd servers failed)$" ,
"(?P<failReason>Network is unreachable)$"
] } ,
"else" : "… Immediate ban of crackers"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Exim detected a failure" , "message" : "Failure detected by Exim on {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Exim detected a failure ({failReason})" , "details" : "FIRSTLAST" }
}
] ,
"… Immediate ban of crackers" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "\\[([^ ]+)\\] NULL character\\(s\\) present \\(shown as '\\?'\\)$" , "save" : [ "thatIP" ] } ,
"else" : "… Some leniency to allow for manual SMTP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Ban of IP {thatIP} for mail abuse" }
} ,
{
"action" : "action_log" ,
"args" : { "message" : "nftBan from email for {thatIP}" }
} ,
{
"action" : "action_nftBan" ,
"args" : { "IP" : "thatIP" , "banSeconds" : 432000 , "nftSetIPv4" : "ip Inet4 mail_ban" , "nftSetIPv6" : "ip6 Inet6 mail_ban" }
}
] ,
"… Some leniency to allow for manual SMTP" : [
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"^.{19} SMTP syntax error in \"[^\"]*\" H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]" ,
"SMTP command timeout on connection from (?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]$"
] } ,
"then" : "… Check network before an email ban" ,
"else" : "… Detect some SMTP spammers"
}
] ,
"… Detect some SMTP spammers" : [
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"\\[(?P<thatIP>[^ ]+)\\] AUTH command used when not advertised$" ,
"H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\] .* rejected after DATA: (?:maximum allowed line length is [0-9]+ octets, got [0-9]+|This message scored [0-9.]+ spam points\\.)$" ,
"^.{19} login_server authenticator failed for (?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]: 535 Incorrect authentication data" ,
"^.{19} H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\] .* relay not permitted$" ,
"^.{19} SMTP protocol synchronization error.*: rejected .* H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]" ,
"\\[(?P<thatIP>[^ ]+)\\] rejected EXPN root$" ,
"unqualified verify rejected: .* H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]$" ,
"rejected because (?P<thatIP>[^ ]+) is in a black list at" ,
"^.{19} rejected [EH]{2}LO from (?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]: syntactically invalid" ,
"\\[(?P<thatIP>[^ ]+)\\] dropped: too many nonmail commands"
] } ,
"then" : "… Check network before an email ban" ,
"else" : "… NOOP if PRIORITY 5+"
}
] ,
"Notify of new custom systemd services" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "systemd" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^Started (/.*)\\.$" , "save" : [ "customCmd" ] } ,
"else" : "… Warn of unclean mounts"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Custom systemd service started: {customCmd}" }
}
] ,
"… Warn of unclean mounts" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^Directory (/.*) to mount over is not empty, mounting anyway\\.$" , "save" : [ "mountPath" ] } ,
"else" : "… Notify of systemd-gpt-auto-generator errors"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Device mounted on non-empty {mountPath}" }
}
] ,
"… Notify of systemd-gpt-auto-generator errors" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "MESSAGE" , "value" : "/usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with error code 1." } ,
"else" : "… Warn of time-outs"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "{MESSAGE}" , "details" : "NONE" }
}
] ,
"… Warn of time-outs" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^(/.*): Start operation timed out\\. Terminating\\.$" , "save" : [ "systemdUnit" ] } ,
"else" : "… Notify of user logins"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Unit {systemdUnit}/{_HOSTNAME} timed out while starting" }
}
] ,
"… Notify of user logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^pam_unix\\(systemd-user:session\\): session opened for user (.*) by root\\(uid=0\\)$" , "save" : [ "thatUser" ] } ,
"else" : "… Warn of failed systemd units"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login as {thatUser}@{_HOSTNAME} by systemd-user:session" }
}
] ,
"… Warn of failed systemd units" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^(/.*\\.mount|.*\\.service): Failed " , "save" : [ "systemdUnit" ] } ,
"else" : "… Discard other systemd debug entries"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Unit {systemdUnit}/{_HOSTNAME} failed" }
}
] ,
"… Discard other systemd debug entries" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 4 } ,
"then" : "… NOOP" ,
"else" : "… Notify of systemd failed states"
}
] ,
"… Notify of systemd failed states" : [
{
"action" : "action_email" ,
"args" : { "subject" : "systemd failure" , "message" : "On {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "{MESSAGE}" }
}
] ,
"Warn of su errors" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "su" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^FAILED SU \\([^)]+\\) (.*) on [^ ]+$" , "save" : [ "thatUser" ] } ,
"else" : "… Notify of su logins"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Failed su attempt" , "message" : "Failed su attempt by user {thatUser} on {_HOSTNAME} on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Failed su attempt by user {thatUser} on {_HOSTNAME}" }
}
] ,
"… Notify of su logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\(to (.*)\\) (.*) on [^ ]+$" , "save" : [ "thatUser" , "fromUser" ] } ,
"else" : "… NOOP if PRIORITY 5+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login as {thatUser}@{_HOSTNAME} by {fromUser}:su" , "details" : "NONE" }
}
] ,
"Discard Nextcloud coding errors" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "ownCloud" }
} ,
{
"filter" : "filter_in" ,
"args" : { "field" : "PRIORITY" , "values" : [ 2 , 3 ] } ,
"then" : "… NOOP" ,
"else" : "… Discard Nextcloud-to-LDAP bind errors"
}
] ,
"… Discard Nextcloud-to-LDAP bind errors" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "MESSAGE" , "value" : "{user_ldap} Bind failed: 49: Invalid credentials" } ,
"then" : "… NOOP" ,
"else" : "… Notify of Nextcloud upgrades"
}
] ,
"… Notify of Nextcloud upgrades" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\{core\\} starting upgrade from (.*) to (.*)$" , "save" : [ "fromVers" , "toVers" ] } ,
"else" : "… Detect Nextcloud failed logins"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Nextcloud upgrade from {fromVers} to {toVers}" }
}
] ,
"… Detect Nextcloud failed logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\{core\\} Login failed: '(.*)' \\(Remote IP: '(.*)'\\)" , "save" : [ "thatUser" , "thatIP" ] } ,
"else" : "… Let Nextcloud core messages pass-through"
} ,
{
"filter" : "filter_userExists" ,
"args" : { "field" : "thatUser" } ,
"else" : "… Report inexisting Nextcloud user"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Failed Nextcloud login for an existing user" , "message" : "WARNING: Failed login from {thatIP} as {thatUser}@{_HOSTNAME} on Nextcloud on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} on Nextcloud" , "details" : "FIRSTLAST" } ,
"then" : "… Check network before a Nextcloud ban"
}
] ,
"… Report inexisting Nextcloud user" : [
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} on Nextcloud" , "details" : "FIRSTLAST" } ,
"then" : "… Check network before a Nextcloud ban"
}
] ,
"… Check network before a Nextcloud ban" : [
{
"filter" : "filter_inNetworks" ,
"args" : { "field" : "thatIP" , "nets" : [ "192.168.1.96/29" , "127.0.0.0/8" , "::1" ] } ,
"then" : "… NOOP" ,
"else" : "… Detect repeated Nextcloud login failures"
}
] ,
"… Detect repeated Nextcloud login failures" : [
{
"action" : "action_counterRaise" ,
"args" : { "counter" : "https" , "for" : "thatIP" , "keepSeconds" : 300 , "save" : "IPfailures" }
} ,
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "IPfailures" , "value" : 6 } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Ban of IP {thatIP} for HTTP abuse" }
} ,
{
"action" : "action_log" ,
"args" : { "message" : "nftBan from HTTP for {thatIP}" }
} ,
{
"action" : "action_nftBan" ,
"args" : { "IP" : "thatIP" , "banSeconds" : 900 , "nftSetIPv4" : "ip Inet4 https_ban" , "nftSetIPv6" : "ip6 Inet6 https_ban" }
}
] ,
"… Let Nextcloud core messages pass-through" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\{" } ,
"else" : "… NOOP if PRIORITY 5+"
}
] ,
"Warn of bad SSH configuration" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "sshd" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^/etc/ssh/sshd_config line " } ,
"else" : "… Detect successful SSH logins"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "sshd_config problem: {MESSAGE}" , "details" : "FIRSTLAST" }
}
] ,
"… Detect successful SSH logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^Accepted (password|publickey) for (.*) from ([^ ]*) port " , "save" : [ "SSHmethod" , "thatUser" , "thatIP" ] } ,
"else" : "… Detect failed SSH logins"
} ,
{
"action" : "action_counterReset" ,
"args" : { "counter" : "sshd" , "for" : "thatIP" , "graceSeconds" : 432000 }
} ,
{
"action" : "action_counterReset" ,
"args" : { "counter" : "sshd_recidive" , "for" : "thatIP" }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login from {thatIP} as {thatUser}@{_HOSTNAME} by SSH {SSHmethod}" }
}
] ,
"… Detect failed SSH logins" : [
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"^Failed password for (?P<thatUser>.*) from (?P<thatIP>[^ ]*) port" ,
"^Invalid user (?P<thatUser>.*) from (?P<thatIP>[^ ]*) port" ,
"^User (?P<thatUser>.*) from (?P<thatIP>[^ ]*) not allowed because not listed in AllowUsers$"
] } ,
"else" : "… Forbid antiquated clients"
} ,
{
"filter" : "filter_userExists" ,
"args" : { "field" : "thatUser" } ,
"else" : "… Report inexisting SSH user"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Failed SSH login for an existing user" , "message" : "WARNING: Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by SSH on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by SSH" , "details" : "FIRSTLAST" } ,
"then" : "… Check network before an SSH ban"
}
] ,
"… Report inexisting SSH user" : [
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by SSH" , "details" : "FIRSTLAST" } ,
"then" : "… Check network before an SSH ban"
}
] ,
"… Forbid antiquated clients" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^Unable to negotiate with ([^ ]*) port" , "save" : [ "thatIP" ] } ,
"then" : "… Check network before an SSH ban" ,
"else" : "… NOOP if PRIORITY 6+"
}
] ,
"… Check network before an SSH ban" : [
{
"filter" : "filter_inNetworks" ,
"args" : { "field" : "thatIP" , "nets" : [ "192.168.1.96/29" , "127.0.0.0/8" , "::1" ] } ,
"then" : "… NOOP" ,
"else" : "… Detect repeated SSH login failures"
}
] ,
"… Detect repeated SSH login failures" : [
{
"action" : "action_counterRaise" ,
"args" : { "counter" : "sshd" , "for" : "thatIP" , "keepSeconds" : 86400 , "save" : "IPfailures" }
} ,
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "IPfailures" , "value" : 4 } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Ban of IP {thatIP} for SSH abuse" }
} ,
{
"action" : "action_log" ,
"args" : { "message" : "nftBan from SSH for {thatIP}" }
} ,
{
"action" : "action_nftBan" ,
"args" : { "IP" : "thatIP" , "banSeconds" : 432000 , "nftSetIPv4" : "ip Inet4 sshd_ban" , "nftSetIPv6" : "ip6 Inet6 sshd_ban" }
}
] ,
"Notify of identified SPAM messages" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "spamd" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^spamd: identified spam" } ,
"else" : "… NOOP if PRIORITY 4+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Spam identified" , "details" : "NONE" }
}
] ,
"Manage recidives for Pyruse bans from HTTPS" : [
{
"filter" : "filter_in" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "values" : [ "python" , "pyruse" ] }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^nftBan from HTTP for (?P<thatIP>.*)$" } ,
"else" : "… Manage recidives for Pyruse bans from email"
} ,
{
"action" : "action_counterRaise" ,
"args" : { "counter" : "https_recidive" , "for" : "thatIP" , "keepSeconds" : 432000 , "save" : "IPfailures" }
} ,
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "IPfailures" , "value" : 7 } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Ban of IP {thatIP} for repeated HTTP abuse" }
} ,
{
"action" : "action_log" ,
"args" : { "message" : "Strong nftBan from HTTP for {thatIP}" , "level" : "WARNING" }
} ,
{
"action" : "action_nftBan" ,
"args" : { "IP" : "thatIP" , "banSeconds" : 2592000 , "nftSetIPv4" : "ip Inet4 https_ban" , "nftSetIPv6" : "ip6 Inet6 https_ban" }
}
] ,
"… Manage recidives for Pyruse bans from email" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^nftBan from email for (?P<thatIP>.*)$" } ,
"else" : "… Manage recidives for Pyruse bans from SSH"
} ,
{
"action" : "action_counterRaise" ,
"args" : { "counter" : "mail_recidive" , "for" : "thatIP" , "keepSeconds" : 2592000 , "save" : "IPfailures" }
} ,
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "IPfailures" , "value" : 7 } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Ban of IP {thatIP} for repeated mail abuse" }
} ,
{
"action" : "action_log" ,
"args" : { "message" : "Strong nftBan from email for {thatIP}" , "level" : "WARNING" }
} ,
{
"action" : "action_nftBan" ,
"args" : { "IP" : "thatIP" , "banSeconds" : 2592000 , "nftSetIPv4" : "ip Inet4 mail_ban" , "nftSetIPv6" : "ip6 Inet6 mail_ban" }
}
] ,
"… Manage recidives for Pyruse bans from SSH" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^nftBan from SSH for (?P<thatIP>.*)$" }
} ,
{
"action" : "action_counterRaise" ,
"args" : { "counter" : "sshd_recidive" , "for" : "thatIP" , "keepSeconds" : 2592000 , "save" : "IPfailures" }
} ,
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "IPfailures" , "value" : 2 } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Ban of IP {thatIP} for repeated SSH abuse" }
} ,
{
"action" : "action_log" ,
"args" : { "message" : "Strong nftBan from SSH for {thatIP}" , "level" : "WARNING" }
} ,
{
"action" : "action_nftBan" ,
"args" : { "IP" : "thatIP" , "banSeconds" : 2592000 , "nftSetIPv4" : "ip Inet4 sshd_ban" , "nftSetIPv6" : "ip6 Inet6 sshd_ban" }
}
] ,
"Notify of NFS access by clients" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "rpc.mountd" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^authenticated mount request from (.*):[0-9]+ for (.*) \\(.*\\)$" , "save" : [ "nfsClient" , "nfsPath" ] } ,
"else" : "… NOOP if PRIORITY 5+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "NFS access from {nfsClient} to {nfsPath}" , "details" : "NONE" }
}
] ,
"Warn of minidlna errors while reading media files" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "minidlnad" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^metadata\\.c:.*Opening (.*) failed! \\[" , "save" : [ "fileName" ] } ,
"else" : "… Notify of unhandled formats"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Minidlna error for {fileName}" }
}
] ,
"… Notify of unhandled formats" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^metadata\\.c:[0-9]+: warn: (.*): Unhandled format: (.*)$" , "save" : [ "fileName" , "mediaFormat" ] } ,
"else" : "… Warn of permission errors for minidlna"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Minidlna does not handle {mediaFormat} for {fileName}" , "details" : "NONE" }
}
] ,
"… Warn of permission errors for minidlna" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^monitor\\.c:[0-9]+: error: inotify_add_watch\\((.*)\\) \\[Permission non accordée\\]$" , "save" : [ "fileName" ] } ,
"else" : "… NOOP if PRIORITY 4+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Minidlna is not allowed to read {fileName}" , "details" : "FIRSTLAST" }
}
] ,
"Warn of sudo errors" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "sudo" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^ (.*) : user NOT in sudoers ;" , "save" : [ "thatUser" ] } ,
"else" : "… Notify of sudo logins"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "SUDO error!" , "message" : "Sudo error from user {thatUser} on {_HOSTNAME} on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Sudo error from user {thatUser} on {_HOSTNAME}" }
}
] ,
"… Notify of sudo logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^pam_unix\\(sudo:session\\): session opened for user (.*) by [^(]*\\(uid=([^)]+)\\)$" , "save" : [ "thatUser" , "fromUID" ] } ,
"else" : "… NOOP if PRIORITY 5+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login as {thatUser}@{_HOSTNAME} by {fromUID}:sudo" , "details" : "NONE" }
}
] ,
"Warn of package errors with loolwsd" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "loolwsd" }
} ,
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"^/usr/bin/loolwsd: error " ,
"^FATAL:" ,
"^Failed "
] } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "CollaboraOnline: {MESSAGE}" }
}
] ,
"Notify of certificate renewals" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "dehydrated" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^ (?:\\+Requesting |rewrite )" } ,
"else" : "… Warn of dehydrated errors"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "ACME: {MESSAGE}" }
}
] ,
"… Warn of dehydrated errors" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "ERROR|WARNING|FAILURE" } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "ACME: {MESSAGE}" , "details" : "FIRSTLAST" }
}
] ,
"Warn of SpamAssassin update failures" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "sa-update" }
} ,
{
"filter" : "filter_equals" ,
"args" : { "field" : "MESSAGE" , "value" : "channel: could not find working mirror, channel failed" } ,
"else" : "… NOOP if PRIORITY 4+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "SpamAssassin update failed" , "details" : "FIRSTLAST" }
}
] ,
"Warn of local authentication errors" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "nslcd" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\[[^]]+\\] <([^>]+)> .*Can't contact LDAP server: (.*)$" , "save" : [ "nslcdClient" , "nslcdError" ] } ,
"else" : "… NOOP if PRIORITY 3+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "nslcd: {nslcdError} for {nslcdClient}@{_HOSTNAME}" , "details" : "FIRSTLAST" }
}
] ,
"Warn of Nextcloud maintenance errors" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "php" }
} ,
{
"filter" : "filter_equals" ,
"args" : { "field" : "MESSAGE" , "value" : "Cannot write into \"config\" directory!" } ,
"else" : "… NOOP if PRIORITY 5+"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Nextcloud config is read-only!" , "message" : "Nextcloud maintenance could not write to the configuration file on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Nextcloud maintenance could not write to the configuration file" , "details" : "FIRSTLAST" }
}
] ,
"Warn of systemd-nspawn failures" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "systemd-nspawn" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^(?:\\[FAILED\\] )?Failed to" } ,
"else" : "… NOOP if PRIORITY 4+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "nspawn: {MESSAGE}" , "details" : "FIRSTLAST" }
}
] ,
"Discard ddclient debug entries" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "ddclient" } ,
"then" : "… NOOP if PRIORITY 6+"
}
] ,
"Warn of core dumps" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "systemd-coredump" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "of user (.*) dumped core\\.$" , "save" : [ "thatUser" ] } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Core dump for {thatUser}@{_HOSTNAME}" }
}
] ,
"Notify of getty user logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "re" : "login" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "session opened for user (.*) by LOGIN\\(uid=0\\)$" , "save" : [ "thatUser" ] } ,
"else" : "… Immediate warning for getty failures"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login as {thatUser}@{_HOSTNAME} by login:session" }
}
] ,
"… Immediate warning for getty failures" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^FAILED LOGIN " } ,
"else" : "… NOOP if PRIORITY 5+"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Failed getty login" , "message" : "Failed getty login on {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Failed getty login on {_HOSTNAME}" }
}
] ,
"Notify of important PHP debug messages" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "SYSLOG_IDENTIFIER" , "value" : "php-fpm" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\[[A-Z](?!OTICE)(?!EBUG)" } ,
"else" : "… Notify of PHP error messages"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "PHP: {MESSAGE}" , "details" : "FIRSTLAST" }
}
] ,
"… Notify of PHP error messages" : [
{
"filter" : "filter_lowerOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 3 } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "PHP: {MESSAGE}" , "details" : "FIRSTLAST" }
}
] ,
"… NOOP if PRIORITY 3+" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 3 } ,
"then" : "… NOOP"
}
] ,
"… NOOP if PRIORITY 4+" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 4 } ,
"then" : "… NOOP"
}
] ,
"… NOOP if PRIORITY 5+" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 5 } ,
"then" : "… NOOP"
}
] ,
"… NOOP if PRIORITY 6+" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 6 } ,
"then" : "… NOOP"
}
] ,
"… NOOP" : [
{
"action" : "action_noop"
}
] ,
"all_filters_failed" : [
{
"action" : "action_dailyReport" ,
"args" : { "level" : "OTHER" , "message" : "[{PRIORITY}/{SYSLOG_IDENTIFIER}] {_UID}:{_GID}@{_HOSTNAME}:{_CMDLINE} ({_SYSTEMD_UNIT})\n{MESSAGE}" }
}
]
} ,
"email" : {
"from" : "pyruse@example.org" ,
"to" : [
"hostmaster@example.org"
] ,
"subject" : "Pyruse Daily Report" ,
"sendmail" : [ "/usr/bin/sendmail" , "-t" ]
} ,
"nftBan" : {
"nft" : [ "/usr/bin/nft" ]
} ,
"ipsetBan" : {
"ipset" : [ "/usr/bin/ipset" , "-exist" , "-quiet" ]
} ,
"8bit-message-encoding" : "iso-8859-15" ,
"storage" : "/var/lib/pyruse" ,
"debug" : false
}