{
"actions" : {
"Filter-out uninteresting services’ entries" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 4 }
} ,
{
"filter" : "filter_in" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "values" : [ "gitea.service" , "movim.service" , "postgresql.service" , "man-db.service" , "rpc-statd.service" , "rpc-statd-notify.service" , "lvm2-monitor.service" , "lvm2-pvscan@8:1.service" , "lvm2-pvscan@179:2.service" , "systemd-resolved.service" , "systemd-logind.service" , "nfs-server.service" , "systemd-networkd.service" , "systemd-journald.service" , "dbus.service" , "nfs-idmapd.service" , "slapd.service" , "systemd-udevd.service" ] } ,
"then" : "… NOOP"
}
] ,
"Filter-out uninteresting generic services’ entries" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 4 }
} ,
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "re" : [ "^systemd-fsck@" ] } ,
"then" : "… NOOP"
}
] ,
"Notify of unsecured XMPP servers" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "prosody.service" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "->(.*) closed: Encrypted server-to-server communication is required but was not offered$" , "save" : [ "xmppServer" ] } ,
"else" : "… NOOP if PRIORITY 3+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "XMPP server {xmppServer} did not provide a secure connection" }
}
] ,
"Detect request errors with Nextcloud" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "uwsgi@nextcloud.service" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\[[^]]+\\] ([^ ]+) .*\\] ([A-Z]+ /[^?]*)(?:\\?.*)? => .*\\(HTTP/1.1 5..\\)" , "save" : [ "thatIP" , "HTTPrequest" ] } ,
"else" : "… Discard Nextcloud coding errors"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "IP {thatIP} failed to {HTTPrequest} on Nextcloud" }
}
] ,
"… Discard Nextcloud coding errors" : [
{
"filter" : "filter_in" ,
"args" : { "field" : "PRIORITY" , "values" : [ 2 , 3 ] } ,
"then" : "… NOOP" ,
"else" : "… Discard Nextcloud-to-LDAP bind errors"
}
] ,
"… Discard Nextcloud-to-LDAP bind errors" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "MESSAGE" , "value" : "{user_ldap} Bind failed: 49: Invalid credentials" } ,
"then" : "… NOOP" ,
"else" : "… Detect Nextcloud failed logins"
}
] ,
"… Detect Nextcloud failed logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\{core\\} Login failed: '(.*)' \\(Remote IP: '(.*)'\\)" , "save" : [ "thatUser" , "thatIP" ] } ,
"else" : "… Let Nextcloud core messages pass-through"
} ,
{
"filter" : "filter_userExists" ,
"args" : { "field" : "thatUser" } ,
"else" : "… Report inexisting Nextcloud user"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Pyruse Warning" , "message" : "WARNING: Failed login as {thatUser}@{_HOSTNAME} on Nextcloud on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Failed login as {thatUser}@{_HOSTNAME} on Nextcloud" } ,
"then" : "… Do not ban local Nextcloud users"
}
] ,
"… Report inexisting Nextcloud user" : [
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Failed login as {thatUser}@{_HOSTNAME} on Nextcloud" } ,
"then" : "… Do not ban local Nextcloud users"
}
] ,
"… Do not ban local Nextcloud users" : [
{
"action" : "filter_inNetworks" ,
"args" : { "field" : "thatIP" , "nets" : [ "192.168.1.0/24" , "fd00::/8" ] } ,
"then" : "… NOOP" ,
"else" : "… Detect repeated Nextcloud login failures"
}
] ,
"… Detect repeated Nextcloud login failures" : [
{
"action" : "action_counterRaise" ,
"args" : { "counter" : "https" , "for" : "thatIP" , "keepSeconds" : 300 , "save" : "IPfailures" }
} ,
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "IPfailures" , "value" : 6 } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Ban of IP {thatIP} for HTTP abuse" }
} ,
{
"action" : "action_nftBan" ,
"args" : { "IP" : "thatIP" , "banSeconds" : 900 , "nftSetIPv4" : "Inet4 https_ban" , "nftSetIPv6" : "Inet6 https_ban" }
}
] ,
"… Let Nextcloud core messages pass-through" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\{" } ,
"else" : "… Report Nextcloud failed state"
}
] ,
"… Report Nextcloud failed state" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "MESSAGE" , "value" : "uwsgi@nextcloud.service: Unit entered failed state." } ,
"else" : "… Report insufficient buffer-size for Nextcloud QUERY_STRING"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Nextcloud crashed" , "message" : "Service uwsgi@nextcloud.service failed on {_HOSTNAME} on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Service uwsgi@nextcloud.service failed on {_HOSTNAME}" }
}
] ,
"… Report insufficient buffer-size for Nextcloud QUERY_STRING" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "MESSAGE" , "value" : "not enough buffer space to add QUERY_STRING variable, consider increasing it with the --buffer-size option" } ,
"else" : "… NOOP if PRIORITY 5+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Nextcloud query failed because the buffer-size was too low" }
}
] ,
"Warn of sudo errors" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "re" : "^session-.*\\.scope$" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^ (.*) : user NOT in sudoers ;" , "save" : [ "thatUser" ] } ,
"else" : "… Warn of su errors"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "SUDO error!" , "message" : "Sudo error from user {thatUser} on {_HOSTNAME} on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Sudo error from user {thatUser} on {_HOSTNAME}" }
}
] ,
"… Warn of su errors" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^FAILED SU \\([^)]+\\) (.*) on [^ ]+$" , "save" : [ "thatUser" ] } ,
"else" : "… Notify of su logins"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "SU error!" , "message" : "SU error from user {thatUser} on {_HOSTNAME} on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "SU error from user {thatUser} on {_HOSTNAME}" }
}
] ,
"… Notify of su logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\(to (.*)\\) (.*) on [^ ]+$" , "save" : [ "thatUser" , "fromUser" ] } ,
"else" : "… Notify of sudo logins"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login as {thatUser}@{_HOSTNAME} by {fromUser}:su" }
}
] ,
"… Notify of sudo logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^pam_unix\\(sudo:session\\): session opened for user (.*) by [^(]*\\(uid=([^)]+)\\)$" , "save" : [ "thatUser" , "fromUID" ] } ,
"else" : "… Notify of Nextcloud upgrades"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login as {thatUser}@{_HOSTNAME} by {fromUID}:sudo" }
}
] ,
"… Notify of Nextcloud upgrades" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\{core\\} starting upgrade from (.*) to (.*)$" , "save" : [ "fromVers" , "toVers" ] } ,
"else" : "… NOOP if PRIORITY 3+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Nextcloud upgrade from {fromVers} to {toVers}" }
}
] ,
"Discard HTTP debug entries" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "nginx.service" }
} ,
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 6 } ,
"then" : "… NOOP" ,
"else" : "… Detect successful HTTPS logins"
}
] ,
"… Detect successful HTTPS logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^.{19} \\[notice\\] [0-9]*#[0-9]*: \\*[0-9]* \\[lua\\] .* authenticate\\(\\): Connected as: ([^,]*), client: ([^,]*)," , "save" : [ "thatUser" , "thatIP" ] } ,
"else" : "… Detect failed HTTPS logins"
} ,
{
"action" : "action_counterReset" ,
"args" : { "counter" : "https" , "for" : "thatIP" , "graceSeconds" : 432000 }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login as {thatUser}@{_HOSTNAME} by HTTPS" }
}
] ,
"… Detect failed HTTPS logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "Redirect to: https://[^/]*yalis\\.fr/sso/\\?r=(.*), client: (?P<thatIP>.*), server: , request: \"POST /sso/\\?r=\\1 HTTP/1\\.1\", host: \"[^/]*yalis\\.fr\", referrer: \"https://[^/]*yalis\\.fr/sso/\\?r=\\1\"$" } ,
"else" : "… Detect abnormal HTTP 404 errors"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Failed login on {_HOSTNAME} by HTTPS" } ,
"then" : "… Do not ban local HTTP users"
}
] ,
"… Detect abnormal HTTP 404 errors" : [
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"open\\(\\) \"[^\"]*\\.(?:cgi|php|pl|py|sh)\" failed \\(2: No such file or directory\\), client: (?P<thatIP>[^,]+)," ,
"Unable to open primary script: .*\\.(?:cgi|php|pl|py|sh) \\(No such file or directory[^,]+, client: (?P<thatIP>[^,]+),"
] } ,
"then" : "… Do not ban local HTTP users" ,
"else" : "… Immediate warning for connectivity errors"
}
] ,
"… Do not ban local HTTP users" : [
{
"action" : "filter_inNetworks" ,
"args" : { "field" : "thatIP" , "nets" : [ "192.168.1.0/24" , "fd00::/8" ] } ,
"then" : "… NOOP" ,
"else" : "… Detect repeated HTTPS failures"
}
] ,
"… Detect repeated HTTPS failures" : [
{
"action" : "action_counterRaise" ,
"args" : { "counter" : "https" , "for" : "thatIP" , "keepSeconds" : 900 , "save" : "IPfailures" }
} ,
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "IPfailures" , "value" : 6 } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Ban of IP {thatIP} for HTTP abuse" }
} ,
{
"action" : "action_nftBan" ,
"args" : { "IP" : "thatIP" , "banSeconds" : 7200 , "nftSetIPv4" : "Inet4 https_ban" , "nftSetIPv6" : "Inet6 https_ban" }
}
] ,
"… Immediate warning for connectivity errors" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^.{19} \\[crit\\] [0-9]*#[0-9]*: \\*[0-9]* connect\\(\\) to ([^ ]*) failed" , "save" : [ "nginxUpstream" ] } ,
"else" : "… Immediate warning for module version errors"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Nginx connectivity error" , "message" : "Nginx could not connect to {nginxUpstream} on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Nginx could not connect to {nginxUpstream}" }
}
] ,
"… Immediate warning for module version errors" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "module \"([^\"]+)\" version [0-9]+ instead of [0-9]+ in /.*$" , "save" : [ "badModule" ] } ,
"else" : "… Immediate warning for LUA errors"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Bad Nginx module version" , "message" : "Nginx could not load a module on {_HOSTNAME}:\n{MESSAGE}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Nginx could not load module {badModule}" }
}
] ,
"… Immediate warning for LUA errors" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "runtime error: ([^ ]+): (.*)$" , "save" : [ "luaFile" , "luaError" ] } ,
"else" : "… Warn of upstream HTTP disconnections"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Lua error in Nginx" , "message" : "Lua error at {luaFile}:\n{MESSAGE}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Nginx file {luaFile} ran into error: {luaError}" }
}
] ,
"… Warn of upstream HTTP disconnections" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "(?:upstream prematurely closed connection|Connection reset by peer\\)) while reading response header from upstream.*, request: \"([^?\"]+)[^\"]*\", upstream: \"([^\"]+)\"" , "save" : [ "failedRequest" , "failedUpstream" ] } ,
"else" : "… NOOP if PRIORITY 3+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Nginx got disconnected from {failedUpstream} on request {failedRequest}" }
}
] ,
"Detect successful IMAP logins" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "dovecot.service" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^imap-login: Login: user=<([^>]+)>, method=[^,]*, rip=([^,]+)," , "save" : [ "thatUser" , "thatIP" ] } ,
"else" : "… Detect IMAP resource hogs"
} ,
{
"action" : "action_counterReset" ,
"args" : { "counter" : "mail" , "for" : "thatIP" , "graceSeconds" : 432000 }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login as {thatUser}@{_HOSTNAME} by IMAP" }
}
] ,
"… Detect IMAP resource hogs" : [
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"^imap-login: Disconnected \\(no auth attempts in [0-9]{2,} secs\\): user=<>, rip=(?P<thatIP>[^,]+)," ,
"^imap-login: Disconnected: Too many invalid commands.*, rip=(?P<thatIP>[^,]+),"
] } ,
"then" : "… Do not ban local mail users" ,
"else" : "… Detect failed IMAP logins"
}
] ,
"… Detect failed IMAP logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^imap-login: Disconnected \\(auth failed, [0-9]+ attempts in [0-9]+ secs\\): user=<([^>]*)>.*, rip=([^,]+)," , "save" : [ "thatUser" , "thatIP" ] } ,
"else" : "… Discard Dovecot debug entries"
} ,
{
"filter" : "filter_userExists" ,
"args" : { "field" : "thatUser" } ,
"else" : "… Report inexisting IMAP user"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Pyruse Warning" , "message" : "WARNING: Failed login as {thatUser}@{_HOSTNAME} by IMAP on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Failed login as {thatUser}@{_HOSTNAME} by IMAP" } ,
"then" : "… Do not ban local mail users"
}
] ,
"… Report inexisting IMAP user" : [
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Failed login as {thatUser}@{_HOSTNAME} by IMAP" } ,
"then" : "… Do not ban local mail users"
}
] ,
"… Do not ban local mail users" : [
{
"action" : "filter_inNetworks" ,
"args" : { "field" : "thatIP" , "nets" : [ "192.168.1.0/24" , "fd00::/8" ] } ,
"then" : "… NOOP" ,
"else" : "… Detect repeated mail failures"
}
] ,
"… Detect repeated mail failures" : [
{
"action" : "action_counterRaise" ,
"args" : { "counter" : "mail" , "for" : "thatIP" , "keepSeconds" : 86400 , "save" : "IPfailures" }
} ,
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "IPfailures" , "value" : 4 } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Ban of IP {thatIP} for mail abuse" }
} ,
{
"action" : "action_nftBan" ,
"args" : { "IP" : "thatIP" , "banSeconds" : 432000 , "nftSetIPv4" : "Inet4 mail_ban" , "nftSetIPv6" : "Inet6 mail_ban" }
}
] ,
"… Discard Dovecot debug entries" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 4 } ,
"then" : "… NOOP" ,
"else" : "… Warn of Dovecot-to-LDAP errors"
}
] ,
"… Warn of Dovecot-to-LDAP errors" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^auth: Error: LDAP: Can't connect to server: ldapi:" } ,
"else" : "… NOOP"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Dovecot-to-LDAP error" , "message" : "Dovecot could not connect to LDAP (ldapi) on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Dovecot could not connect to LDAP (ldapi)" }
}
] ,
"Notify of Exim smarthost deliveries" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "exim.service" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : " => [^ ]+ R=smarthost T=remote_smtp H=([^ ]+ \\[[^]]+\\]) C=\"250 " , "save" : [ "smarthost" ] } ,
"else" : "… Frozen Exim email"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Email message sent through {smarthost}" }
}
] ,
"… Frozen Exim email" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "Message is frozen$" } ,
"else" : "… Warn of a failure for Exim"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Frozen email on {_HOSTNAME}." }
}
] ,
"… Warn of a failure for Exim" : [
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"(?P<failReason>all spamd servers failed)$" ,
"(?P<failReason>Network is unreachable)$"
] } ,
"else" : "… Immediate ban of crackers"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Exim detected a failure" , "message" : "Failure detected by Exim on {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Exim detected a failure ({failReason})" }
}
] ,
"… Immediate ban of crackers" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "\\[([^ ]+)\\] NULL character\\(s\\) present \\(shown as '\\?'\\)$" , "save" : [ "thatIP" ] } ,
"else" : "… Detect some SMTP spammers"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Ban of IP {thatIP} for mail abuse" }
} ,
{
"action" : "action_nftBan" ,
"args" : { "IP" : "thatIP" , "banSeconds" : 432000 , "nftSetIPv4" : "Inet4 mail_ban" , "nftSetIPv6" : "Inet6 mail_ban" }
}
] ,
"… Detect some SMTP spammers" : [
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"\\[(?P<thatIP>[^ ]+)\\] AUTH command used when not advertised$" ,
"H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\] .* rejected after DATA: (?:maximum allowed line length is [0-9]+ octets, got [0-9]+|This message scored [0-9.]+ spam points\\.)$" ,
"^.{19} login_server authenticator failed for (?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]: 535 Incorrect authentication data" ,
"^.{19} H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\] .* relay not permitted$" ,
"^.{19} SMTP protocol synchronization error.*: rejected .* H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]" ,
"\\[(?P<thatIP>[^ ]+)\\] rejected EXPN root$" ,
"unqualified verify rejected: .* H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]$" ,
"rejected because (?P<thatIP>[^ ]+) is in a black list at" ,
"^.{19} rejected [EH]{2}LO from (?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]: syntactically invalid" ,
"\\[(?P<thatIP>[^ ]+)\\] dropped: too many nonmail commands"
] } ,
"then" : "… Do not ban local mail users" ,
"else" : "… NOOP if PRIORITY 5+"
}
] ,
"Notify of new custom systemd services" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "init.scope" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^Started (/.*)\\.$" , "save" : [ "customCmd" ] } ,
"else" : "… Warn of unclean mounts"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Custom systemd service started: {customCmd}" }
}
] ,
"… Warn of unclean mounts" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^Directory (/.*) to mount over is not empty, mounting anyway\\.$" , "save" : [ "mountPath" ] } ,
"else" : "… Warn of time-outs"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Device mounted on non-empty {mountPath}" }
}
] ,
"… Warn of time-outs" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^(/.*): Start operation timed out\\. Terminating\\.$" , "save" : [ "systemdUnit" ] } ,
"else" : "… Warn of failed mounts"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Unit {systemdUnit} timed out while starting" }
}
] ,
"… Warn of failed mounts" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^(/.*\\.mount): Failed " , "save" : [ "mountUnit" ] } ,
"else" : "… Discard other init.scope debug entries"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Unit {mountUnit} failed to mount" }
}
] ,
"… Discard other init.scope debug entries" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 4 } ,
"then" : "… NOOP" ,
"else" : "… Notify of systemd failed states"
}
] ,
"… Notify of systemd failed states" : [
{
"action" : "action_email" ,
"args" : { "subject" : "systemd failure" , "message" : "On {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "{MESSAGE}" }
}
] ,
"Warn of Nextcloud maintenance errors" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "nextcloud-maintenance.service" }
} ,
{
"filter" : "filter_equals" ,
"args" : { "field" : "MESSAGE" , "value" : "Cannot write into \"config\" directory!" } ,
"else" : "… NOOP if PRIORITY 5+"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Nextcloud config is read-only!" , "message" : "Nextcloud maintenance could not write to the configuration file on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Nextcloud maintenance could not write to the configuration file" }
}
] ,
"Detect HAProxy problems" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "haproxy.service" } ,
"then" : "… NOOP if PRIORITY 5+"
}
] ,
"Notify of user logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "re" : "^user@" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "session opened for user (.*) by root\\(uid=0\\)$" , "save" : [ "thatUser" ] } ,
"else" : "… NOOP if PRIORITY 4+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login as {thatUser}@{_HOSTNAME} by systemd-user:session" }
}
] ,
"Warn of minidlna errors while reading media files" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "minidlna.service" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^metadata\\.c:.*Opening (.*) failed! \\[" , "save" : [ "torrentName" ] } ,
"else" : "… Notify of unhandled formats"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Minidlna error for {torrentName}" }
}
] ,
"… Notify of unhandled formats" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^metadata\\.c:[0-9]+: warn: (.*): Unhandled format: (.*)$" , "save" : [ "torrentName" , "mediaFormat" ] } ,
"else" : "… Warn of permission errors for minidlna"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Minidlna does not handle {mediaFormat} for {torrentName}" }
}
] ,
"… Warn of permission errors for minidlna" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^monitor\\.c:[0-9]+: error: inotify_add_watch\\((.*)\\) \\[Permission non accordée\\]$" , "save" : [ "torrentName" ] } ,
"else" : "… NOOP if PRIORITY 4+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Minidlna is not allowed to read {torrentName}" }
}
] ,
"Warn of package errors with loolwsd" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "loolwsd.service" }
} ,
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"^/usr/bin/loolwsd: error " ,
"^FATAL:" ,
"^Failed "
] } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "CollaboraOnline: {MESSAGE}" }
}
] ,
"Warn of bad SSH configuration" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "sshd.service" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^/etc/ssh/sshd_config line " } ,
"else" : "… Detect successful SSH logins"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "SSH: {MESSAGE}" }
}
] ,
"… Detect successful SSH logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^Accepted (?:password|publickey) for (.*) from ([^ ]*) port " , "save" : [ "thatUser" , "thatIP" ] } ,
"else" : "… Detect failed SSH logins"
} ,
{
"action" : "action_counterReset" ,
"args" : { "counter" : "sshd" , "for" : "thatIP" , "graceSeconds" : 432000 }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login as {thatUser}@{_HOSTNAME} by SSH" }
}
] ,
"… Detect failed SSH logins" : [
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"^Failed password for (?P<thatUser>.*) from (?P<thatIP>[^ ]*) port" ,
"^Invalid user (?P<thatUser>.*) from (?P<thatIP>[^ ]*) port" ,
"^User (?P<thatUser>.*) from (?P<thatIP>[^ ]*) not allowed because not listed in AllowUsers$"
] } ,
"else" : "… Forbid antiquated clients"
} ,
{
"filter" : "filter_userExists" ,
"args" : { "field" : "thatUser" } ,
"else" : "… Report inexisting SSH user"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Pyruse Warning" , "message" : "WARNING: Failed login as {thatUser}@{_HOSTNAME} by SSH on {__REALTIME_TIMESTAMP}." }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Failed login as {thatUser}@{_HOSTNAME} by SSH" } ,
"then" : "… Do not ban local SSH users"
}
] ,
"… Report inexisting SSH user" : [
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Failed login as {thatUser}@{_HOSTNAME} by SSH" } ,
"then" : "… Do not ban local SSH users"
}
] ,
"… Forbid antiquated clients" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^Unable to negotiate with ([^ ]*) port" , "save" : [ "thatIP" ] } ,
"then" : "… Do not ban local SSH users" ,
"else" : "… NOOP if PRIORITY 6+"
}
] ,
"… Do not ban local SSH users" : [
{
"action" : "filter_inNetworks" ,
"args" : { "field" : "thatIP" , "nets" : [ "192.168.1.0/24" , "fd00::/8" ] } ,
"then" : "… NOOP" ,
"else" : "… Detect repeated SSH login failures"
}
] ,
"… Detect repeated SSH login failures" : [
{
"action" : "action_counterRaise" ,
"args" : { "counter" : "sshd" , "for" : "thatIP" , "keepSeconds" : 86400 , "save" : "IPfailures" }
} ,
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "IPfailures" , "value" : 4 } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Ban of IP {thatIP} for SSH abuse" }
} ,
{
"action" : "action_nftBan" ,
"args" : { "IP" : "thatIP" , "banSeconds" : 432000 , "nftSetIPv4" : "Inet4 sshd_ban" , "nftSetIPv6" : "Inet6 sshd_ban" }
}
] ,
"Warn of SpamAssassin update failures" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "spamassassin-update.service" }
} ,
{
"filter" : "filter_equals" ,
"args" : { "field" : "MESSAGE" , "value" : "channel: could not find working mirror, channel failed" } ,
"else" : "… NOOP if PRIORITY 4+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "SpamAssassin update failed" }
}
] ,
"Warn of systemd-nspawn failures" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "systemd-nspawn@seuil3.service" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^(?:\\[FAILED\\] )?Failed to" } ,
"else" : "… NOOP if PRIORITY 4+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "seuil3: {MESSAGE}" }
}
] ,
"Warn of local authentication errors" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "nslcd.service" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\[[^]]+\\] <([^>]+)> .*Can't contact LDAP server: (.*)$" , "save" : [ "nslcdClient" , "nslcdError" ] } ,
"else" : "… NOOP if PRIORITY 3+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "nslcd: {nslcdError} for {nslcdClient}@{_HOSTNAME}" }
}
] ,
"Discard useless nfs-mountd entries" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "nfs-mountd.service" } ,
"then" : "… NOOP if PRIORITY 5+"
}
] ,
"Notify of certificate renewals" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "dehydrated.service" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^ (?:\\+Requesting |rewrite )" } ,
"else" : "… Warn of dehydrated errors"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "ACME: {MESSAGE}" }
}
] ,
"… Warn of dehydrated errors" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "ERROR|WARNING|FAILURE" } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "ACME: {MESSAGE}" }
}
] ,
"Warn of core dumps" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "of user (.*) dumped core\\.$" , "save" : [ "thatUser" ] } ,
"else" : "… Discard other coredump entries"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "Core dump for {thatUser}@{_HOSTNAME}" }
}
] ,
"… Discard other coredump entries" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "re" : "^systemd-coredump@" } ,
"then" : "… NOOP"
}
] ,
"Discard ddclient debug entries" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "re" : "^ddclient@" } ,
"then" : "… NOOP if PRIORITY 6+"
}
] ,
"Notify of important PHP debug messages" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "php-fpm.service" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\[[A-Z](?!OTICE)(?!EBUG)" } ,
"else" : "… Notify of PHP error messages"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "PHP: {MESSAGE}" }
}
] ,
"… Notify of PHP error messages" : [
{
"filter" : "filter_lowerOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 3 } ,
"else" : "… NOOP"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "WARN" , "message" : "PHP: {MESSAGE}" }
}
] ,
"Notify of bad torrents" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "transmission.service" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^\\[.{23}\\] (.*[^:]) (?:Scrape error: )?Could not connect to tracker" , "save" : [ "torrentName" ] } ,
"else" : "… Warn of Transmission errors"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Transmission could not connect to tracker for {torrentName}" }
}
] ,
"… Warn of Transmission errors" : [
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"(?P<errMsg>All nameservers have failed) \\([^():]+:[0-9]+\\)$" ,
"(?P<errMsg>No such file or directory) \\([^():]+:[0-9]+\\)$" ,
"(?P<errMsg>Too many open files) \\([^():]+:[0-9]+\\)$" ,
"(?P<errMsg>Permission denied) \\([^():]+:[0-9]+\\)$"
] } ,
"else" : "… Filter-out uninteresting Transmission events"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Transmission error: {errMsg}" }
}
] ,
"… Filter-out uninteresting Transmission events" : [
{
"filter" : "filter_pcreAny" ,
"args" : { "field" : "MESSAGE" , "re" : [
"^\\[.{23}\\] (?:Bound socket|Cache Maximum cache size set to|RPC Server (?:Adding|Serving|Started|Stopped)|DHT (?:Bootstrapping|Finished bootstrapping|DHT initialized|Initializing|Reusing|Done uninitializing DHT|Saving|Not saving nodes|Uninitializing)|Port Forwarding Stopped|Saved \"|Using settings from|Watching \"|Searching for web interface file \"|Deleting input \\.torrent file|Parsing \\.torrent file successful|watchdir Callback decided to accept|Changed open file limit|(?:SO_RCVBUF|SO_SNDBUF) size is|Closing libevent|Loaded [0-9]+ torrent|watchdir Callback decided|Nameserver |Preallocated file \"|UDP Couldn't parse UDP tracker packet)" ,
"(?:Queued for verification|bytes per second\\)|[vV]erifying torrent\\.*|Announcing to tracker|Retrying (?:announce|scrape) in [0-9]+ seconds\\.|seconds from now\\.|Got [0-9]+ peers from tracker|checking just-completed piece [0-9]+|Starting IPv4 DHT announce \\([^)]+\\)|IPv4 peers from DHT|Pausing|Removing torrent|started|peers from resume file|\\.resume\"|files marked for download|Requested download is not authorized for use with this tracker\\.|Connection failed|\\(No Response\\)|(?:State changed from|moving) \"[^\"]+\" to \"[^\"]+\"|DHT announce done|failed its checksum test|403 \\(Forbidden\\)|404 \\(Not Found\\)|Tracker did not respond) \\([^():]+:[0-9]+\\)$"
] } ,
"then" : "… NOOP"
}
] ,
"Notify of identified SPAM messages" : [
{
"filter" : "filter_equals" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "value" : "spamassassin.service" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^spamd: identified spam" } ,
"else" : "… NOOP if PRIORITY 4+"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Spam identified" }
}
] ,
"Notify of getty user logins" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "_SYSTEMD_UNIT" , "re" : "^getty@" }
} ,
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "session opened for user (.*) by LOGIN\\(uid=0\\)$" , "save" : [ "thatUser" ] } ,
"else" : "… Immediate warning for getty failures"
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Login as {thatUser}@{_HOSTNAME} by login:session" }
}
] ,
"… Immediate warning for getty failures" : [
{
"filter" : "filter_pcre" ,
"args" : { "field" : "MESSAGE" , "re" : "^FAILED LOGIN " } ,
"else" : "… NOOP if PRIORITY 5+"
} ,
{
"action" : "action_email" ,
"args" : { "subject" : "Failed getty login" , "message" : "Failed getty login on {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" }
} ,
{
"action" : "action_dailyReport" ,
"args" : { "level" : "INFO" , "message" : "Failed getty login on {_HOSTNAME}" }
}
] ,
"… NOOP if PRIORITY 3+" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 3 } ,
"then" : "… NOOP"
}
] ,
"… NOOP if PRIORITY 4+" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 4 } ,
"then" : "… NOOP"
}
] ,
"… NOOP if PRIORITY 5+" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 5 } ,
"then" : "… NOOP"
}
] ,
"… NOOP if PRIORITY 6+" : [
{
"filter" : "filter_greaterOrEquals" ,
"args" : { "field" : "PRIORITY" , "value" : 6 } ,
"then" : "… NOOP"
}
] ,
"… NOOP" : [
{
"action" : "action_noop"
}
] ,
"all_filters_failed" : [
{
"action" : "action_dailyReport" ,
"args" : { "level" : "OTHER" , "message" : "[{PRIORITY}/{SYSLOG_IDENTIFIER}] {_UID}:{_GID}@{_HOSTNAME}:{_CMDLINE} ({_SYSTEMD_UNIT})\n {MESSAGE}" }
}
]
} ,
"email" : {
"from" : "pyruse@example.org" ,
"to" : [
"hostmaster@example.org"
] ,
"subject" : "Pyruse Daily Report" ,
"sendmail" : [ "/usr/bin/sendmail" , "-t" ]
} ,
"nftBan" : {
"nft" : [ "/usr/bin/nft" ]
} ,
"8bit-message-encoding" : "iso-8859-15" ,
"storage" : "/var/lib/pyruse" ,
"debug" : false
}