Lightweight replacement to both epylog and fail2ban.
# Built-in filters
Pyruse comes with a few very simple filters.
## `=`, `≤`, `≥`, `in`
The filters `filter_equals`, `filter_lowerOrEquals`, and `filter_greaterOrEquals` simply check equality or inequality between a given field, given by the parameter `field`, and a constant value, given by the parameter `value`.
Both parameters are mandatory.
Here are two examples:
```json
{
  "filter": "filter_greaterOrEquals",
  "args": { "field": "IPfailures", "value": 6 }
}
{
  "filter": "filter_equals",
  "args": { "field": "_SYSTEMD_UNIT", "value": "nginx.service" }
}
```
Filter `filter_in` works the same way as `filter_equals` does, except that instead of a single `value`, a `values` list is given, and equality between the field’s contents and any of the list’s items is considered a success.
Here is an example:
```json
{
  "filter": "filter_in",
  "args": { "field": "PRIORITY", "values": [ 2, 3 ] }
}
```
For any of these filters, the constant values must be of the same type as the typical contents of the chosen field.
## Test if an IP address is part of given networks
Filter `filter_inNetworks` reads an IP address in a field given by the `field` parameter, and a list of networks in the `nets` parameter; each net is written as an IP address, then “`/`”, then an integer network mask.
The filter is passing if the IP address that was read is part of one of the networks configured for the filter.
Here is an example:
```json
{
  "filter": "filter_inNetworks",
  "args": { "field": "IP", "nets": [ "fd00::/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ] }
}
```
## Perl-compatible regular expressions (pcre)
Filter `filter_pcre` should only be used on character strings.
Like the above filters, it works on a field given by the `field` parameter, and the [regular expression](https://docs.python.org/3/library/re.html) being looked for is given by the `re` parameter.
Both parameters are mandatory.
The regular expression in the `re` parameter may contain capturing groups:
* Named capturing groups use the `(?P<groupName>…)` notation; the captured value is always stored under the key `groupName` in the current entry.
* Anonymous capturing groups stem from the use of plain parentheses: `(…)`; these are not saved by default, but a `save` parameter (a list) may be specified, so that the captured values get stored in the current entry, using the names given by `save`, in the order the groups appear.
Here are two equivalent examples:
```json
{
  "filter": "filter_pcre",
  "args": {
    "field": "MESSAGE",
    "re": "^\\{core\\} Login failed: '(.*)' \\(Remote IP: '(.*)'\\)",
    "save": [ "thatUser", "thatIP" ]
  }
}
{
  "filter": "filter_pcre",
  "args": {
    "field": "MESSAGE",
    "re": "^\\{core\\} Login failed: '(?P<thatUser>.*)' \\(Remote IP: '(?P<thatIP>.*)'\\)"
  }
}
```
Filter `filter_pcreAny` is to `filter_pcre` what `filter_in` is to `filter_equals`.
It works the same way as `filter_pcre`, except that instead of a single regular expression, its `re` parameter contains a list of regular expressions, and a match of the field’s contents against any of these regular expressions is accepted.
In contrast with `filter_pcre`, `filter_pcreAny` does not accept the `save` parameter: the order of anonymous groups cannot be guaranteed to be the same across several regular expressions, so only named groups are usable here.
Here is an example:
```json
{
  "filter": "filter_pcreAny",
  "args": {
    "field": "MESSAGE",
    "re": [
      "^Failed password for (?P<thatUser>.*) from (?P<thatIP>(?!192\\.168\\.1\\.201 )[^ ]*) port",
      "^Invalid user (?P<thatUser>.*) from (?P<thatIP>(?!192\\.168\\.1\\.201 )[^ ]*) port"
    ]
  }
}
```
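To make the semantics of the network and regular-expression filters above concrete, here is an added example, written for this page and not taken from Pyruse's own code: a minimal re-implementation of `filter_inNetworks`, `filter_pcre` (named groups always saved, anonymous groups saved under the `save` names) and `filter_pcreAny`, run over constructed journal entries. The function and constant names, the use of `re.search`, and the sample messages are assumptions.

```python
# Added example, not Pyruse's own code: a minimal re-implementation of the
# documented semantics of filter_pcre, filter_pcreAny and filter_inNetworks,
# run over constructed journal entries. Function/constant names are assumed.
import ipaddress
import re

def filter_pcre(entry, field, re_, save=None):
    """Match re_ against entry[field]. Named groups are always stored in the
    entry; anonymous groups are stored under the names listed in save."""
    value = entry.get(field)
    if not isinstance(value, str):          # filter_pcre is for strings only
        return False
    match = re.search(re_, value)
    if match is None:
        return False
    entry.update(match.groupdict())         # named groups: always saved
    if save:                                # anonymous groups: saved on demand
        named = set(match.re.groupindex.values())
        anonymous = [match.group(i) for i in range(1, match.re.groups + 1)
                     if i not in named]
        entry.update(zip(save, anonymous))
    return True

def filter_pcreAny(entry, field, re_):
    """Pass if any expression in re_ matches; named groups of the first
    matching expression are stored (no save parameter, as documented)."""
    return any(filter_pcre(entry, field, one_re) for one_re in re_)

def filter_inNetworks(entry, field, nets):
    """Pass if entry[field] is an IP address inside one of the given nets."""
    try:
        ip = ipaddress.ip_address(entry.get(field, ""))
    except ValueError:                      # missing or malformed address
        return False
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

# The page's own expressions and networks; sample entries are constructed.
SSH_RES = [
    r"^Failed password for (?P<thatUser>.*) from (?P<thatIP>(?!192\.168\.1\.201 )[^ ]*) port",
    r"^Invalid user (?P<thatUser>.*) from (?P<thatIP>(?!192\.168\.1\.201 )[^ ]*) port",
]
PRIVATE_NETS = ["fd00::/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

if __name__ == "__main__":
    e = {"MESSAGE": "Invalid user admin from 198.51.100.23 port 4242"}
    print(filter_pcreAny(e, "MESSAGE", SSH_RES), e)     # True, thatUser/thatIP set
    print(filter_inNetworks(e, "thatIP", PRIVATE_NETS))  # False: public address
```

Note that a message from `192.168.1.201` is rejected by the negative lookahead in both expressions, so no `thatUser`/`thatIP` keys are added to that entry.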
## User existence
Filter `filter_userExists` knows of only one —mandatory— parameter: `field`.
This filter is passing if the system reports the user whose name is the value of the chosen field [as existing](https://docs.python.org/3/library/pwd.html#pwd.getpwnam), and non-passing otherwise.
Here is an example:
```json
{
  "filter": "filter_userExists",
  "args": { "field": "thatUser" }
}
```