{ "actions": { "Filter-out uninteresting services’ entries": [ { "filter": "filter_greaterOrEquals", "args": { "field": "PRIORITY", "value": 4 } }, { "filter": "filter_in", "args": { "field": "SYSLOG_IDENTIFIER", "values": [ "exportfs", "gitea", "haproxy", "kill", "ldapsearch", "ldapwhoami", "mandb", "mount.davfs", "movim", "msmtp", "postgres", "prosody_auth", "sa-compile", "systemd-fsck", "systemd-gpt-auto-generator", "systemd-logind" ] }, "then": "… NOOP" } ], "Filter-out uninteresting generic services’ entries": [ { "filter": "filter_greaterOrEquals", "args": { "field": "PRIORITY", "value": 4 } }, { "filter": "filter_pcreAny", "args": { "field": "SYSLOG_IDENTIFIER", "re": [ "^ansible-" ] }, "then": "… NOOP" } ], "Detect request errors with Nextcloud": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "uwsgi" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^\\[[^]]+\\] ([^ ]+) .*\\] ([A-Z]+ /[^?]*)(?:\\?.*)? => .*\\(HTTP/1.1 5..\\)", "save": [ "thatIP", "HTTPrequest" ] }, "else": "… Report insufficient buffer-size for Nextcloud QUERY_STRING" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "IP {thatIP} failed to {HTTPrequest} on Nextcloud", "details": "FIRSTLAST" } } ], "… Report insufficient buffer-size for Nextcloud QUERY_STRING": [ { "filter": "filter_equals", "args": { "field": "MESSAGE", "value": "not enough buffer space to add QUERY_STRING variable, consider increasing it with the --buffer-size option" }, "else": "… NOOP if PRIORITY 5+" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "Nextcloud query failed because the buffer-size was too low" } } ], "Detect successful XMPP logins": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "prosody" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "Authenticated as (.*)$", "save": [ "JID" ] }, "else": "… Notify of unsecured XMPP servers" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Login as {JID} by XMPP", "details": "NONE" } } ], "… Notify of unsecured XMPP servers": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "->(.*) closed: Encrypted server-to-server communication is required but was not offered$", "save": [ "xmppServer" ] }, "else": "… NOOP if PRIORITY 3+" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "XMPP server {xmppServer} did not provide a secure connection" } } ], "Notify of unexpected HTTP disconnections": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "nginx" } }, { "filter": "filter_pcreAny", "args": { "field": "MESSAGE", "re": [ "epoll_wait\\(\\) reported that client prematurely closed connection, so upstream connection is closed too while sending request to upstream, client: (?P[^,]+), server: , request: \"[^ ]+ (?P/[^/ \"]*)[^\"]*\"", "client prematurely closed connection while sending to client, client: (?P[^,u][^,]+), server: , request: \"[^ ]+ (?P/[^/ \"]*)[^\"]*\"" ] }, "else": "… Warn of CONNECT attempts" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Aborted connection from {thatIP} to {urlPrefix}", "details": "FIRSTLAST" } } ], "… Warn of CONNECT attempts": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": ", request: \"CONNECT [^ ]+ HTTP/[^\"]+\"$" }, "else": "… Discard other HTTP debug entries" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Nginx detected a CONNECT attempt on {_HOSTNAME}" } } ], "… Discard other HTTP debug entries": [ { "filter": "filter_greaterOrEquals", "args": { "field": "PRIORITY", "value": 6 }, "then": "… NOOP", "else": "… Detect successful HTTPS logins" } ], "… Detect successful HTTPS logins": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^.{19} \\[notice\\] [0-9]*#[0-9]*: \\*[0-9]* \\[lua\\] .* authenticate\\(\\): Connected as: ([^,]*), client: ([^,]*),", "save": [ "thatUser", "thatIP" ] }, "else": "… Detect failed HTTPS logins" }, { "action": "action_counterReset", "args": { "counter": "https", "for": "thatIP", "graceSeconds": 432000 } }, { "action": "action_counterReset", "args": { "counter": "https_recidive", "for": "thatIP" } }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Login from {thatIP} as {thatUser}@{_HOSTNAME} by HTTPS", "details": "NONE" } } ], "… Detect failed HTTPS logins": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "Redirect to: https://[^/]*/sso/\\?r=(.*), client: (?P.*), server: , request: \"POST /sso/\\?r=\\1 HTTP/1\\.1\", host: \"[^/]*\", referrer: \"https://[^/]*/sso/\\?r=\\1\"$" }, "else": "… Detect abnormal HTTP 404 errors" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Failed login from {thatIP} on {_HOSTNAME} by HTTPS", "details": "FIRSTLAST" }, "then": "… Check network before an HTTPS ban" } ], "… Detect abnormal HTTP 404 errors": [ { "filter": "filter_pcreAny", "args": { "field": "MESSAGE", "re": [ "open\\(\\) \"[^\"]*\\.(?:cgi|php|pl|py|sh)\" failed \\(2: No such file or directory\\), client: (?P[^,]+),", "Unable to open primary script: .*\\.(?:cgi|php|pl|py|sh) \\(No such file or directory[^,]+, client: (?P[^,]+)," ] }, "then": "… Check network before an HTTPS ban", "else": "… Immediate warning for connectivity errors" } ], "… Check network before an HTTPS ban": [ { "filter": "filter_inNetworks", "args": { "field": "thatIP", "nets": [ "192.168.1.96/29", "127.0.0.0/8", "::1" ] }, "then": "… NOOP", "else": "… Detect repeated HTTPS failures" } ], "… Detect repeated HTTPS failures": [ { "action": "action_counterRaise", "args": { "counter": "https", "for": "thatIP", "keepSeconds": 900, "save": "IPfailures" } }, { "filter": "filter_greaterOrEquals", "args": { "field": "IPfailures", "value": 6 }, "else": "… NOOP" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Ban of IP {thatIP} for HTTP abuse" } }, { "action": "action_log", "args": { "message": "nftBan from HTTP for {thatIP}" } }, { "action": "action_nftBan", "args": { "IP": "thatIP", "banSeconds": 7200, "nftSetIPv4": "ip Inet4 https_ban", "nftSetIPv6": "ip6 Inet6 https_ban" } } ], "… Immediate warning for connectivity errors": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^.{19} \\[crit\\] [0-9]*#[0-9]*: \\*[0-9]* connect\\(\\) to ([^ ]*) failed", "save": [ "nginxUpstream" ] }, "else": "… Immediate warning for module version errors" }, { "action": "action_email", "args": { "subject": "Nginx connectivity error", "message": "Nginx could not connect to {nginxUpstream} on {__REALTIME_TIMESTAMP}." } }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Nginx could not connect to {nginxUpstream}", "details": "FIRSTLAST" } } ], "… Immediate warning for module version errors": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "module \"([^\"]+)\" version [0-9]+ instead of [0-9]+ in /.*$", "save": [ "badModule" ] }, "else": "… Immediate warning for LUA errors" }, { "action": "action_email", "args": { "subject": "Bad Nginx module version", "message": "Nginx could not load a module on {_HOSTNAME}:\n{MESSAGE}." } }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Nginx could not load module {badModule}", "details": "FIRSTLAST" } } ], "… Immediate warning for LUA errors": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "runtime error: ([^ ]+): (.*)$", "save": [ "luaFile", "luaError" ] }, "else": "… Warn of upstream HTTP disconnections" }, { "action": "action_email", "args": { "subject": "Lua error in Nginx", "message": "Lua error at {luaFile}:\n{MESSAGE}." } }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Nginx file {luaFile} ran into error: {luaError}", "details": "FIRSTLAST" } } ], "… Warn of upstream HTTP disconnections": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "(?:upstream prematurely closed connection|Connection reset by peer\\)) while reading response header from upstream.*, request: \"([^?\"]+)[^\"]*\", upstream: \"([^\"]+)\"", "save": [ "failedRequest", "failedUpstream" ] }, "else": "… NOOP if PRIORITY 3+" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "Nginx got disconnected from {failedUpstream} on request {failedRequest}", "details": "FIRSTLAST" } } ], "Detect successful IMAP logins": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "dovecot" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^imap-login: Login: user=<([^>]+)>, method=[^,]*, rip=([^,]+),", "save": [ "thatUser", "thatIP" ] }, "else": "… Detect IMAP resource hogs" }, { "action": "action_counterReset", "args": { "counter": "mail", "for": "thatIP", "graceSeconds": 432000 } }, { "action": "action_counterReset", "args": { "counter": "mail_recidive", "for": "thatIP" } }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Login from {thatIP} as {thatUser}@{_HOSTNAME} by IMAP", "details": "NONE" } } ], "… Detect IMAP resource hogs": [ { "filter": "filter_pcreAny", "args": { "field": "MESSAGE", "re": [ "^imap-login: Disconnected \\(no auth attempts in [0-9]{2,} secs\\): user=<>, rip=(?P[^,]+),", "^imap-login: Disconnected: Too many invalid commands.*, rip=(?P[^,]+)," ] }, "then": "… Check network before an email ban", "else": "… Detect failed IMAP logins" } ], "… Detect failed IMAP logins": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^imap-login: Disconnected \\(auth failed, [0-9]+ attempts in [0-9]+ secs\\): user=<([^>]*)>.*, rip=([^,]+),", "save": [ "thatUser", "thatIP" ] }, "else": "… Discard Dovecot debug entries" }, { "filter": "filter_userExists", "args": { "field": "thatUser" }, "else": "… Report inexisting IMAP user" }, { "action": "action_email", "args": { "subject": "Pyruse Warning", "message": "WARNING: Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by IMAP on {__REALTIME_TIMESTAMP}." } }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by IMAP", "details": "FIRSTLAST" }, "then": "… Check network before an email ban" } ], "… Report inexisting IMAP user": [ { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by IMAP", "details": "FIRSTLAST" }, "then": "… Check network before an email ban" } ], "… Check network before an email ban": [ { "filter": "filter_inNetworks", "args": { "field": "thatIP", "nets": [ "192.168.1.96/29", "127.0.0.0/8", "::1" ] }, "then": "… NOOP", "else": "… Detect repeated mail failures" } ], "… Detect repeated mail failures": [ { "action": "action_counterRaise", "args": { "counter": "mail", "for": "thatIP", "keepSeconds": 86400, "save": "IPfailures" } }, { "filter": "filter_greaterOrEquals", "args": { "field": "IPfailures", "value": 4 }, "else": "… NOOP" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Ban of IP {thatIP} for mail abuse" } }, { "action": "action_log", "args": { "message": "nftBan from email for {thatIP}" } }, { "action": "action_nftBan", "args": { "IP": "thatIP", "banSeconds": 432000, "nftSetIPv4": "ip Inet4 mail_ban", "nftSetIPv6": "ip6 Inet6 mail_ban" } } ], "… Discard Dovecot debug entries": [ { "filter": "filter_greaterOrEquals", "args": { "field": "PRIORITY", "value": 4 }, "then": "… NOOP", "else": "… Warn of Dovecot-to-LDAP errors" } ], "… Warn of Dovecot-to-LDAP errors": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^auth: Error: LDAP: Can't connect to server: ldapi:" }, "else": "… NOOP" }, { "action": "action_email", "args": { "subject": "Dovecot-to-LDAP error", "message": "Dovecot could not connect to LDAP (ldapi) on {__REALTIME_TIMESTAMP}." } }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Dovecot could not connect to LDAP (ldapi)", "details": "FIRSTLAST" } } ], "Notify of Exim smarthost deliveries": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "exim" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": " => [^ ]+ R=smarthost T=remote_smtp H=([^ ]+ \\[[^]]+\\]) C=\"250 ", "save": [ "smarthost" ] }, "else": "… Notify of Exim local deliveries" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Email message sent through {smarthost}", "details": "NONE" } } ], "… Notify of Exim local deliveries": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "> [^ ]+ Saved\"$" }, "else": "… Frozen Exim email" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Local email message delivered", "details": "NONE" } } ], "… Frozen Exim email": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "Message is frozen$" }, "else": "… Warn of a failure for Exim" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Frozen email on {_HOSTNAME}.", "details": "FIRSTLAST" } } ], "… Warn of a failure for Exim": [ { "filter": "filter_pcreAny", "args": { "field": "MESSAGE", "re": [ "(?Pall spamd servers failed)$", "(?PNetwork is unreachable)$" ] }, "else": "… Immediate ban of crackers" }, { "action": "action_email", "args": { "subject": "Exim detected a failure", "message": "Failure detected by Exim on {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" } }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Exim detected a failure ({failReason})", "details": "FIRSTLAST" } } ], "… Immediate ban of crackers": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "\\[([^ ]+)\\] NULL character\\(s\\) present \\(shown as '\\?'\\)$", "save": [ "thatIP" ] }, "else": "… Some leniency to allow for manual SMTP" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Ban of IP {thatIP} for mail abuse" } }, { "action": "action_log", "args": { "message": "nftBan from email for {thatIP}" } }, { "action": "action_nftBan", "args": { "IP": "thatIP", "banSeconds": 432000, "nftSetIPv4": "ip Inet4 mail_ban", "nftSetIPv6": "ip6 Inet6 mail_ban" } } ], "… Some leniency to allow for manual SMTP": [ { "filter": "filter_pcreAny", "args": { "field": "MESSAGE", "re": [ "^.{19} SMTP syntax error in \"[^\"]*\" H=(?:\\([^)]*\\) )?\\[(?P[^]]+)\\]", "SMTP command timeout on connection from (?:\\([^)]*\\) )?\\[(?P[^]]+)\\]$" ] }, "then": "… Check network before an email ban", "else": "… Detect some SMTP spammers" } ], "… Detect some SMTP spammers": [ { "filter": "filter_pcreAny", "args": { "field": "MESSAGE", "re": [ "\\[(?P[^ ]+)\\] AUTH command used when not advertised$", "H=(?:\\([^)]*\\) )?\\[(?P[^]]+)\\] .* rejected after DATA: (?:maximum allowed line length is [0-9]+ octets, got [0-9]+|This message scored [0-9.]+ spam points\\.)$", "^.{19} login_server authenticator failed for (?:\\([^)]*\\) )?\\[(?P[^]]+)\\]: 535 Incorrect authentication data", "^.{19} H=(?:\\([^)]*\\) )?\\[(?P[^]]+)\\] .* relay not permitted$", "^.{19} SMTP protocol synchronization error.*: rejected .* H=(?:\\([^)]*\\) )?\\[(?P[^]]+)\\]", "\\[(?P[^ ]+)\\] rejected EXPN root$", "unqualified verify rejected: .* H=(?:\\([^)]*\\) )?\\[(?P[^]]+)\\]$", "rejected because (?P[^ ]+) is in a black list at", "^.{19} rejected [EH]{2}LO from (?:\\([^)]*\\) )?\\[(?P[^]]+)\\]: syntactically invalid", "\\[(?P[^ ]+)\\] dropped: too many nonmail commands" ] }, "then": "… Check network before an email ban", "else": "… NOOP if PRIORITY 5+" } ], "Notify of new custom systemd services": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "systemd" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^Started (/.*)\\.$", "save": [ "customCmd" ] }, "else": "… Warn of unclean mounts" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Custom systemd service started: {customCmd}" } } ], "… Warn of unclean mounts": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^Directory (/.*) to mount over is not empty, mounting anyway\\.$", "save": [ "mountPath" ] }, "else": "… Notify of systemd-gpt-auto-generator errors" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "Device mounted on non-empty {mountPath}" } } ], "… Notify of systemd-gpt-auto-generator errors": [ { "filter": "filter_equals", "args": { "field": "MESSAGE", "value": "/usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with error code 1." }, "else": "… Warn of time-outs" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "{MESSAGE}", "details": "NONE" } } ], "… Warn of time-outs": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^(/.*): Start operation timed out\\. Terminating\\.$", "save": [ "systemdUnit" ] }, "else": "… Notify of user logins" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "Unit {systemdUnit}/{_HOSTNAME} timed out while starting" } } ], "… Notify of user logins": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^pam_unix\\(systemd-user:session\\): session opened for user (.*) by root\\(uid=0\\)$", "save": [ "thatUser" ] }, "else": "… Warn of failed systemd units" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by systemd-user:session" } } ], "… Warn of failed systemd units": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^(/.*\\.mount|.*\\.service): Failed ", "save": [ "systemdUnit" ] }, "else": "… Discard other systemd debug entries" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "Unit {systemdUnit}/{_HOSTNAME} failed" } } ], "… Discard other systemd debug entries": [ { "filter": "filter_greaterOrEquals", "args": { "field": "PRIORITY", "value": 4 }, "then": "… NOOP", "else": "… Notify of systemd failed states" } ], "… Notify of systemd failed states": [ { "action": "action_email", "args": { "subject": "systemd failure", "message": "On {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" } }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "{MESSAGE}" } } ], "Warn of su errors": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "su" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^FAILED SU \\([^)]+\\) (.*) on [^ ]+$", "save": [ "thatUser" ] }, "else": "… Notify of su logins" }, { "action": "action_email", "args": { "subject": "SU error!", "message": "SU error from user {thatUser} on {_HOSTNAME} on {__REALTIME_TIMESTAMP}." } }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "SU error from user {thatUser} on {_HOSTNAME}" } } ], "… Notify of su logins": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^\\(to (.*)\\) (.*) on [^ ]+$", "save": [ "thatUser", "fromUser" ] }, "else": "… NOOP if PRIORITY 5+" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by {fromUser}:su", "details": "NONE" } } ], "Discard Nextcloud coding errors": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "ownCloud" } }, { "filter": "filter_in", "args": { "field": "PRIORITY", "values": [ 2, 3 ] }, "then": "… NOOP", "else": "… Discard Nextcloud-to-LDAP bind errors" } ], "… Discard Nextcloud-to-LDAP bind errors": [ { "filter": "filter_equals", "args": { "field": "MESSAGE", "value": "{user_ldap} Bind failed: 49: Invalid credentials" }, "then": "… NOOP", "else": "… Notify of Nextcloud upgrades" } ], "… Notify of Nextcloud upgrades": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^\\{core\\} starting upgrade from (.*) to (.*)$", "save": [ "fromVers", "toVers" ] }, "else": "… Detect Nextcloud failed logins" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Nextcloud upgrade from {fromVers} to {toVers}" } } ], "… Detect Nextcloud failed logins": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^\\{core\\} Login failed: '(.*)' \\(Remote IP: '(.*)'\\)", "save": [ "thatUser", "thatIP" ] }, "else": "… Let Nextcloud core messages pass-through" }, { "filter": "filter_userExists", "args": { "field": "thatUser" }, "else": "… Report inexisting Nextcloud user" }, { "action": "action_email", "args": { "subject": "Pyruse Warning", "message": "WARNING: Failed login from {thatIP} as {thatUser}@{_HOSTNAME} on Nextcloud on {__REALTIME_TIMESTAMP}." } }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} on Nextcloud", "details": "FIRSTLAST" }, "then": "… Check network before a Nextcloud ban" } ], "… Report inexisting Nextcloud user": [ { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} on Nextcloud", "details": "FIRSTLAST" }, "then": "… Check network before a Nextcloud ban" } ], "… Check network before a Nextcloud ban": [ { "filter": "filter_inNetworks", "args": { "field": "thatIP", "nets": [ "192.168.1.96/29", "127.0.0.0/8", "::1" ] }, "then": "… NOOP", "else": "… Detect repeated Nextcloud login failures" } ], "… Detect repeated Nextcloud login failures": [ { "action": "action_counterRaise", "args": { "counter": "https", "for": "thatIP", "keepSeconds": 300, "save": "IPfailures" } }, { "filter": "filter_greaterOrEquals", "args": { "field": "IPfailures", "value": 6 }, "else": "… NOOP" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Ban of IP {thatIP} for HTTP abuse" } }, { "action": "action_log", "args": { "message": "nftBan from HTTP for {thatIP}" } }, { "action": "action_nftBan", "args": { "IP": "thatIP", "banSeconds": 900, "nftSetIPv4": "ip Inet4 https_ban", "nftSetIPv6": "ip6 Inet6 https_ban" } } ], "… Let Nextcloud core messages pass-through": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^\\{" }, "else": "… NOOP if PRIORITY 5+" } ], "Warn of bad SSH configuration": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "sshd" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^/etc/ssh/sshd_config line " }, "else": "… Detect successful SSH logins" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "SSH: {MESSAGE}", "details": "FIRSTLAST" } } ], "… Detect successful SSH logins": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^Accepted (password|publickey) for (.*) from ([^ ]*) port ", "save": [ "SSHmethod", "thatUser", "thatIP" ] }, "else": "… Detect failed SSH logins" }, { "action": "action_counterReset", "args": { "counter": "sshd", "for": "thatIP", "graceSeconds": 432000 } }, { "action": "action_counterReset", "args": { "counter": "sshd_recidive", "for": "thatIP" } }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Login from {thatIP} as {thatUser}@{_HOSTNAME} by SSH {SSHmethod}" } } ], "… Detect failed SSH logins": [ { "filter": "filter_pcreAny", "args": { "field": "MESSAGE", "re": [ "^Failed password for (?P.*) from (?P[^ ]*) port", "^Invalid user (?P.*) from (?P[^ ]*) port", "^User (?P.*) from (?P[^ ]*) not allowed because not listed in AllowUsers$" ] }, "else": "… Forbid antiquated clients" }, { "filter": "filter_userExists", "args": { "field": "thatUser" }, "else": "… Report inexisting SSH user" }, { "action": "action_email", "args": { "subject": "Pyruse Warning", "message": "WARNING: Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by SSH on {__REALTIME_TIMESTAMP}." } }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by SSH", "details": "FIRSTLAST" }, "then": "… Check network before an SSH ban" } ], "… Report inexisting SSH user": [ { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by SSH", "details": "FIRSTLAST" }, "then": "… Check network before an SSH ban" } ], "… Forbid antiquated clients": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^Unable to negotiate with ([^ ]*) port", "save": [ "thatIP" ] }, "then": "… Check network before an SSH ban", "else": "… NOOP if PRIORITY 6+" } ], "… Check network before an SSH ban": [ { "filter": "filter_inNetworks", "args": { "field": "thatIP", "nets": [ "192.168.1.96/29", "127.0.0.0/8", "::1" ] }, "then": "… NOOP", "else": "… Detect repeated SSH login failures" } ], "… Detect repeated SSH login failures": [ { "action": "action_counterRaise", "args": { "counter": "sshd", "for": "thatIP", "keepSeconds": 86400, "save": "IPfailures" } }, { "filter": "filter_greaterOrEquals", "args": { "field": "IPfailures", "value": 4 }, "else": "… NOOP" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Ban of IP {thatIP} for SSH abuse" } }, { "action": "action_log", "args": { "message": "nftBan from SSH for {thatIP}" } }, { "action": "action_nftBan", "args": { "IP": "thatIP", "banSeconds": 432000, "nftSetIPv4": "ip Inet4 sshd_ban", "nftSetIPv6": "ip6 Inet6 sshd_ban" } } ], "Notify of identified SPAM messages": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "spamd" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^spamd: identified spam" }, "else": "… NOOP if PRIORITY 4+" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Spam identified", "details": "NONE" } } ], "Manage recidives for Pyruse bans from HTTPS": [ { "filter": "filter_in", "args": { "field": "SYSLOG_IDENTIFIER", "values": [ "python", "pyruse" ] } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^nftBan from HTTP for (?P.*)$" }, "else": "… Manage recidives for Pyruse bans from email" }, { "action": "action_counterRaise", "args": { "counter": "https_recidive", "for": "thatIP", "keepSeconds": 432000, "save": "IPfailures" } }, { "filter": "filter_greaterOrEquals", "args": { "field": "IPfailures", "value": 7 }, "else": "… NOOP" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Ban of IP {thatIP} for repeated HTTP abuse" } }, { "action": "action_log", "args": { "message": "Strong nftBan from HTTP for {thatIP}", "level": "WARNING" } }, { "action": "action_nftBan", "args": { "IP": "thatIP", "banSeconds": 2592000, "nftSetIPv4": "ip Inet4 https_ban", "nftSetIPv6": "ip6 Inet6 https_ban" } } ], "… Manage recidives for Pyruse bans from email": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^nftBan from email for (?P.*)$" }, "else": "… Manage recidives for Pyruse bans from SSH" }, { "action": "action_counterRaise", "args": { "counter": "mail_recidive", "for": "thatIP", "keepSeconds": 2592000, "save": "IPfailures" } }, { "filter": "filter_greaterOrEquals", "args": { "field": "IPfailures", "value": 7 }, "else": "… NOOP" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Ban of IP {thatIP} for repeated mail abuse" } }, { "action": "action_log", "args": { "message": "Strong nftBan from email for {thatIP}", "level": "WARNING" } }, { "action": "action_nftBan", "args": { "IP": "thatIP", "banSeconds": 2592000, "nftSetIPv4": "ip Inet4 mail_ban", "nftSetIPv6": "ip6 Inet6 mail_ban" } } ], "… Manage recidives for Pyruse bans from SSH": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^nftBan from SSH for (?P.*)$" } }, { "action": "action_counterRaise", "args": { "counter": "sshd_recidive", "for": "thatIP", "keepSeconds": 2592000, "save": "IPfailures" } }, { "filter": "filter_greaterOrEquals", "args": { "field": "IPfailures", "value": 2 }, "else": "… NOOP" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Ban of IP {thatIP} for repeated SSH abuse" } }, { "action": "action_log", "args": { "message": "Strong nftBan from SSH for {thatIP}", "level": "WARNING" } }, { "action": "action_nftBan", "args": { "IP": "thatIP", "banSeconds": 2592000, "nftSetIPv4": "ip Inet4 sshd_ban", "nftSetIPv6": "ip6 Inet6 sshd_ban" } } ], "Notify of NFS access by clients": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "rpc.mountd" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^authenticated mount request from (.*):[0-9]+ for (.*) \\(.*\\)$", "save": [ "nfsClient", "nfsPath" ] }, "else": "… NOOP if PRIORITY 5+" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "NFS access from {nfsClient} to {nfsPath}", "details": "NONE" } } ], "Warn of minidlna errors while reading media files": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "minidlnad" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^metadata\\.c:.*Opening (.*) failed! \\[", "save": [ "fileName" ] }, "else": "… Notify of unhandled formats" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "Minidlna error for {fileName}" } } ], "… Notify of unhandled formats": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^metadata\\.c:[0-9]+: warn: (.*): Unhandled format: (.*)$", "save": [ "fileName", "mediaFormat" ] }, "else": "… Warn of permission errors for minidlna" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Minidlna does not handle {mediaFormat} for {fileName}", "details": "NONE" } } ], "… Warn of permission errors for minidlna": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^monitor\\.c:[0-9]+: error: inotify_add_watch\\((.*)\\) \\[Permission non accordée\\]$", "save": [ "fileName" ] }, "else": "… NOOP if PRIORITY 4+" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "Minidlna is not allowed to read {fileName}", "details": "FIRSTLAST" } } ], "Warn of sudo errors": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "sudo" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^ (.*) : user NOT in sudoers ;", "save": [ "thatUser" ] }, "else": "… Notify of sudo logins" }, { "action": "action_email", "args": { "subject": "SUDO error!", "message": "Sudo error from user {thatUser} on {_HOSTNAME} on {__REALTIME_TIMESTAMP}." } }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Sudo error from user {thatUser} on {_HOSTNAME}" } } ], "… Notify of sudo logins": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^pam_unix\\(sudo:session\\): session opened for user (.*) by [^(]*\\(uid=([^)]+)\\)$", "save": [ "thatUser", "fromUID" ] }, "else": "… NOOP if PRIORITY 5+" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by {fromUID}:sudo", "details": "NONE" } } ], "Warn of package errors with loolwsd": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "loolwsd" } }, { "filter": "filter_pcreAny", "args": { "field": "MESSAGE", "re": [ "^/usr/bin/loolwsd: error ", "^FATAL:", "^Failed " ] }, "else": "… NOOP" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "CollaboraOnline: {MESSAGE}" } } ], "Notify of certificate renewals": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "dehydrated" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^ (?:\\+Requesting |rewrite )" }, "else": "… Warn of dehydrated errors" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "ACME: {MESSAGE}" } } ], "… Warn of dehydrated errors": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "ERROR|WARNING|FAILURE" }, "else": "… NOOP" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "ACME: {MESSAGE}", "details": "FIRSTLAST" } } ], "Warn of SpamAssassin update failures": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "sa-update" } }, { "filter": "filter_equals", "args": { "field": "MESSAGE", "value": "channel: could not find working mirror, channel failed" }, "else": "… NOOP if PRIORITY 4+" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "SpamAssassin update failed", "details": "FIRSTLAST" } } ], "Warn of local authentication errors": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "nslcd" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^\\[[^]]+\\] <([^>]+)> .*Can't contact LDAP server: (.*)$", "save": [ "nslcdClient", "nslcdError" ] }, "else": "… NOOP if PRIORITY 3+" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "nslcd: {nslcdError} for {nslcdClient}@{_HOSTNAME}", "details": "FIRSTLAST" } } ], "Warn of Nextcloud maintenance errors": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "php" } }, { "filter": "filter_equals", "args": { "field": "MESSAGE", "value": "Cannot write into \"config\" directory!" }, "else": "… NOOP if PRIORITY 5+" }, { "action": "action_email", "args": { "subject": "Nextcloud config is read-only!", "message": "Nextcloud maintenance could not write to the configuration file on {__REALTIME_TIMESTAMP}." } }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Nextcloud maintenance could not write to the configuration file", "details": "FIRSTLAST" } } ], "Warn of systemd-nspawn failures": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "systemd-nspawn" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^(?:\\[FAILED\\] )?Failed to" }, "else": "… NOOP if PRIORITY 4+" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "nspawn: {MESSAGE}", "details": "FIRSTLAST" } } ], "Discard ddclient debug entries": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "ddclient" }, "then": "… NOOP if PRIORITY 6+" } ], "Warn of core dumps": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "systemd-coredump" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "of user (.*) dumped core\\.$", "save": [ "thatUser" ] }, "else": "… NOOP" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "Core dump for {thatUser}@{_HOSTNAME}" } } ], "Notify of getty user logins": [ { "filter": "filter_pcre", "args": { "field": "SYSLOG_IDENTIFIER", "re": "login" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "session opened for user (.*) by LOGIN\\(uid=0\\)$", "save": [ "thatUser" ] }, "else": "… Immediate warning for getty failures" }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by login:session" } } ], "… Immediate warning for getty failures": [ { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^FAILED LOGIN " }, "else": "… NOOP if PRIORITY 5+" }, { "action": "action_email", "args": { "subject": "Failed getty login", "message": "Failed getty login on {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" } }, { "action": "action_dailyReport", "args": { "level": "INFO", "message": "Failed getty login on {_HOSTNAME}" } } ], "Notify of important PHP debug messages": [ { "filter": "filter_equals", "args": { "field": "SYSLOG_IDENTIFIER", "value": "php-fpm" } }, { "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^\\[[A-Z](?!OTICE)(?!EBUG)" }, "else": "… Notify of PHP error messages" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "PHP: {MESSAGE}", "details": "FIRSTLAST" } } ], "… Notify of PHP error messages": [ { "filter": "filter_lowerOrEquals", "args": { "field": "PRIORITY", "value": 3 }, "else": "… NOOP" }, { "action": "action_dailyReport", "args": { "level": "WARN", "message": "PHP: {MESSAGE}", "details": "FIRSTLAST" } } ], "… NOOP if PRIORITY 3+": [ { "filter": "filter_greaterOrEquals", "args": { "field": "PRIORITY", "value": 3 }, "then": "… NOOP" } ], "… NOOP if PRIORITY 4+": [ { "filter": "filter_greaterOrEquals", "args": { "field": "PRIORITY", "value": 4 }, "then": "… NOOP" } ], "… NOOP if PRIORITY 5+": [ { "filter": "filter_greaterOrEquals", "args": { "field": "PRIORITY", "value": 5 }, "then": "… NOOP" } ], "… NOOP if PRIORITY 6+": [ { "filter": "filter_greaterOrEquals", "args": { "field": "PRIORITY", "value": 6 }, "then": "… NOOP" } ], "… NOOP": [ { "action": "action_noop" } ], "all_filters_failed": [ { "action": "action_dailyReport", "args": { "level": "OTHER", "message": "[{PRIORITY}/{SYSLOG_IDENTIFIER}] {_UID}:{_GID}@{_HOSTNAME}:{_CMDLINE} ({_SYSTEMD_UNIT})\n{MESSAGE}" } } ] }, "email": { "from": "pyruse@example.org", "to": [ "hostmaster@example.org" ], "subject": "Pyruse Daily Report", "sendmail": [ "/usr/bin/sendmail", "-t" ] }, "nftBan": { "nft": [ "/usr/bin/nft" ] }, "ipsetBan": { "ipset": [ "/usr/bin/ipset", "-exist", "-quiet" ] }, "8bit-message-encoding": "iso-8859-15", "storage": "/var/lib/pyruse", "debug": false }