{
"actions": {
"Filter-out uninteresting services entries": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 4 }
},
{
"filter": "filter_in",
"args": { "field": "SYSLOG_IDENTIFIER", "values": [ "exportfs", "gitea", "haproxy", "kill", "ldapsearch", "ldapwhoami", "mandb", "mount.davfs", "movim", "msmtp", "postgres", "prosody_auth", "sa-compile", "systemd-fsck", "systemd-gpt-auto-generator", "systemd-logind" ] },
"then": "… NOOP"
}
],
"Filter-out uninteresting generic services entries": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 4 }
},
{
"filter": "filter_pcreAny",
"args": { "field": "SYSLOG_IDENTIFIER", "re": [ "^ansible-" ] },
"then": "… NOOP"
}
],
"Detect request errors with Nextcloud": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "uwsgi" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\[[^]]+\\] ([^ ]+) .*\\] ([A-Z]+ /[^?]*)(?:\\?.*)? => .*\\(HTTP/1.1 5..\\)", "save": [ "thatIP", "HTTPrequest" ] },
"else": "… Report insufficient buffer-size for Nextcloud QUERY_STRING"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "IP {thatIP} failed to {HTTPrequest} on Nextcloud", "details": "FIRSTLAST" }
}
],
"… Report insufficient buffer-size for Nextcloud QUERY_STRING": [
{
"filter": "filter_equals",
"args": { "field": "MESSAGE", "value": "not enough buffer space to add QUERY_STRING variable, consider increasing it with the --buffer-size option" },
"else": "… NOOP if PRIORITY 5+"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Nextcloud query failed because the buffer-size was too low" }
}
],
"Detect successful XMPP logins": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "prosody" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "Authenticated as (.*)$", "save": [ "JID" ] },
"else": "… Notify of unsecured XMPP servers"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login as {JID} by XMPP", "details": "NONE" }
}
],
"… Notify of unsecured XMPP servers": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "->(.*) closed: Encrypted server-to-server communication is required but was not offered$", "save": [ "xmppServer" ] },
"else": "… NOOP if PRIORITY 3+"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "XMPP server {xmppServer} did not provide a secure connection" }
}
],
"Notify of unexpected HTTP disconnections": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "nginx" }
},
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"epoll_wait\\(\\) reported that client prematurely closed connection, so upstream connection is closed too while sending request to upstream, client: (?P<thatIP>[^,]+), server: , request: \"[^ ]+ (?P<urlPrefix>/[^/ \"]*)[^\"]*\"",
"client prematurely closed connection while sending to client, client: (?P<thatIP>[^,u][^,]+), server: , request: \"[^ ]+ (?P<urlPrefix>/[^/ \"]*)[^\"]*\""
] },
"else": "… Warn of CONNECT attempts"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Aborted connection from {thatIP} to {urlPrefix}", "details": "FIRSTLAST" }
}
],
"… Warn of CONNECT attempts": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": ", request: \"CONNECT [^ ]+ HTTP/[^\"]+\"$" },
"else": "… Discard other HTTP debug entries"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Nginx detected a CONNECT attempt on {_HOSTNAME}" }
}
],
"… Discard other HTTP debug entries": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 6 },
"then": "… NOOP",
"else": "… Detect successful HTTPS logins"
}
],
"… Detect successful HTTPS logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^.{19} \\[notice\\] [0-9]*#[0-9]*: \\*[0-9]* \\[lua\\] .* authenticate\\(\\): Connected as: ([^,]*), client: ([^,]*),", "save": [ "thatUser", "thatIP" ] },
"else": "… Detect failed HTTPS logins"
},
{
"action": "action_counterReset",
"args": { "counter": "https", "for": "thatIP", "graceSeconds": 432000 }
},
{
"action": "action_counterReset",
"args": { "counter": "https_recidive", "for": "thatIP" }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login from {thatIP} as {thatUser}@{_HOSTNAME} by HTTPS", "details": "NONE" }
}
],
"… Detect failed HTTPS logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "Redirect to: https://[^/]*/sso/\\?r=(.*), client: (?P<thatIP>.*), server: , request: \"POST /sso/\\?r=\\1 HTTP/1\\.1\", host: \"[^/]*\", referrer: \"https://[^/]*/sso/\\?r=\\1\"$" },
"else": "… Detect abnormal HTTP 404 errors"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Failed login from {thatIP} on {_HOSTNAME} by HTTPS", "details": "FIRSTLAST" },
"then": "… Check network before an HTTPS ban"
}
],
"… Detect abnormal HTTP 404 errors": [
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"open\\(\\) \"[^\"]*\\.(?:cgi|php|pl|py|sh)\" failed \\(2: No such file or directory\\), client: (?P<thatIP>[^,]+),",
"Unable to open primary script: .*\\.(?:cgi|php|pl|py|sh) \\(No such file or directory[^,]+, client: (?P<thatIP>[^,]+),"
] },
"then": "… Check network before an HTTPS ban",
"else": "… Immediate warning for connectivity errors"
}
],
"… Check network before an HTTPS ban": [
{
"filter": "filter_inNetworks",
"args": { "field": "thatIP", "nets": [ "192.168.1.96/29", "127.0.0.0/8", "::1" ] },
"then": "… NOOP",
"else": "… Detect repeated HTTPS failures"
}
],
"… Detect repeated HTTPS failures": [
{
"action": "action_counterRaise",
"args": { "counter": "https", "for": "thatIP", "keepSeconds": 900, "save": "IPfailures" }
},
{
"filter": "filter_greaterOrEquals",
"args": { "field": "IPfailures", "value": 6 },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Ban of IP {thatIP} for HTTP abuse" }
},
{
"action": "action_log",
"args": { "message": "nftBan from HTTP for {thatIP}" }
},
{
"action": "action_nftBan",
"args": { "IP": "thatIP", "banSeconds": 7200, "nftSetIPv4": "ip Inet4 https_ban", "nftSetIPv6": "ip6 Inet6 https_ban" }
}
],
"… Immediate warning for connectivity errors": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^.{19} \\[crit\\] [0-9]*#[0-9]*: \\*[0-9]* connect\\(\\) to ([^ ]*) failed", "save": [ "nginxUpstream" ] },
"else": "… Immediate warning for module version errors"
},
{
"action": "action_email",
"args": { "subject": "Nginx connectivity error", "message": "Nginx could not connect to {nginxUpstream} on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Nginx could not connect to {nginxUpstream}", "details": "FIRSTLAST" }
}
],
"… Immediate warning for module version errors": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "module \"([^\"]+)\" version [0-9]+ instead of [0-9]+ in /.*$", "save": [ "badModule" ] },
"else": "… Immediate warning for LUA errors"
},
{
"action": "action_email",
"args": { "subject": "Bad Nginx module version", "message": "Nginx could not load a module on {_HOSTNAME}:\n{MESSAGE}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Nginx could not load module {badModule}", "details": "FIRSTLAST" }
}
],
"… Immediate warning for LUA errors": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "runtime error: ([^ ]+): (.*)$", "save": [ "luaFile", "luaError" ] },
"else": "… Warn of upstream HTTP disconnections"
},
{
"action": "action_email",
"args": { "subject": "Lua error in Nginx", "message": "Lua error at {luaFile}:\n{MESSAGE}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Nginx file {luaFile} ran into error: {luaError}", "details": "FIRSTLAST" }
}
],
"… Warn of upstream HTTP disconnections": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "(?:upstream prematurely closed connection|Connection reset by peer\\)) while reading response header from upstream.*, request: \"([^?\"]+)[^\"]*\", upstream: \"([^\"]+)\"", "save": [ "failedRequest", "failedUpstream" ] },
"else": "… NOOP if PRIORITY 3+"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Nginx got disconnected from {failedUpstream} on request {failedRequest}", "details": "FIRSTLAST" }
}
],
"Detect successful IMAP logins": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "dovecot" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^imap-login: Login: user=<([^>]+)>, method=[^,]*, rip=([^,]+),", "save": [ "thatUser", "thatIP" ] },
"else": "… Detect IMAP resource hogs"
},
{
"action": "action_counterReset",
"args": { "counter": "mail", "for": "thatIP", "graceSeconds": 432000 }
},
{
"action": "action_counterReset",
"args": { "counter": "mail_recidive", "for": "thatIP" }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login from {thatIP} as {thatUser}@{_HOSTNAME} by IMAP", "details": "NONE" }
}
],
"… Detect IMAP resource hogs": [
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"^imap-login: Disconnected \\(no auth attempts in [0-9]{2,} secs\\): user=<>, rip=(?P<thatIP>[^,]+),",
"^imap-login: Disconnected: Too many invalid commands.*, rip=(?P<thatIP>[^,]+),"
] },
"then": "… Check network before an email ban",
"else": "… Detect failed IMAP logins"
}
],
"… Detect failed IMAP logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^imap-login: Disconnected \\(auth failed, [0-9]+ attempts in [0-9]+ secs\\): user=<([^>]*)>.*, rip=([^,]+),", "save": [ "thatUser", "thatIP" ] },
"else": "… Discard Dovecot debug entries"
},
{
"filter": "filter_userExists",
"args": { "field": "thatUser" },
"else": "… Report inexisting IMAP user"
},
{
"action": "action_email",
"args": { "subject": "Pyruse Warning", "message": "WARNING: Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by IMAP on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by IMAP", "details": "FIRSTLAST" },
"then": "… Check network before an email ban"
}
],
"… Report inexisting IMAP user": [
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by IMAP", "details": "FIRSTLAST" },
"then": "… Check network before an email ban"
}
],
"… Check network before an email ban": [
{
"filter": "filter_inNetworks",
"args": { "field": "thatIP", "nets": [ "192.168.1.96/29", "127.0.0.0/8", "::1" ] },
"then": "… NOOP",
"else": "… Detect repeated mail failures"
}
],
"… Detect repeated mail failures": [
{
"action": "action_counterRaise",
"args": { "counter": "mail", "for": "thatIP", "keepSeconds": 86400, "save": "IPfailures" }
},
{
"filter": "filter_greaterOrEquals",
"args": { "field": "IPfailures", "value": 4 },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Ban of IP {thatIP} for mail abuse" }
},
{
"action": "action_log",
"args": { "message": "nftBan from email for {thatIP}" }
},
{
"action": "action_nftBan",
"args": { "IP": "thatIP", "banSeconds": 432000, "nftSetIPv4": "ip Inet4 mail_ban", "nftSetIPv6": "ip6 Inet6 mail_ban" }
}
],
"… Discard Dovecot debug entries": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 4 },
"then": "… NOOP",
"else": "… Warn of Dovecot-to-LDAP errors"
}
],
"… Warn of Dovecot-to-LDAP errors": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^auth: Error: LDAP: Can't connect to server: ldapi:" },
"else": "… NOOP"
},
{
"action": "action_email",
"args": { "subject": "Dovecot-to-LDAP error", "message": "Dovecot could not connect to LDAP (ldapi) on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Dovecot could not connect to LDAP (ldapi)", "details": "FIRSTLAST" }
}
],
"Notify of Exim smarthost deliveries": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "exim" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": " => [^ ]+ R=smarthost T=remote_smtp H=([^ ]+ \\[[^]]+\\]) C=\"250 ", "save": [ "smarthost" ] },
"else": "… Notify of Exim local deliveries"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Email message sent through {smarthost}", "details": "NONE" }
}
],
"… Notify of Exim local deliveries": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "> [^ ]+ Saved\"$" },
"else": "… Frozen Exim email"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Local email message delivered", "details": "NONE" }
}
],
"… Frozen Exim email": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "Message is frozen$" },
"else": "… Warn of a failure for Exim"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Frozen email on {_HOSTNAME}.", "details": "FIRSTLAST" }
}
],
"… Warn of a failure for Exim": [
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"(?P<failReason>all spamd servers failed)$",
"(?P<failReason>Network is unreachable)$"
] },
"else": "… Immediate ban of crackers"
},
{
"action": "action_email",
"args": { "subject": "Exim detected a failure", "message": "Failure detected by Exim on {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Exim detected a failure ({failReason})", "details": "FIRSTLAST" }
}
],
"… Immediate ban of crackers": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "\\[([^ ]+)\\] NULL character\\(s\\) present \\(shown as '\\?'\\)$", "save": [ "thatIP" ] },
"else": "… Some leniency to allow for manual SMTP"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Ban of IP {thatIP} for mail abuse" }
},
{
"action": "action_log",
"args": { "message": "nftBan from email for {thatIP}" }
},
{
"action": "action_nftBan",
"args": { "IP": "thatIP", "banSeconds": 432000, "nftSetIPv4": "ip Inet4 mail_ban", "nftSetIPv6": "ip6 Inet6 mail_ban" }
}
],
"… Some leniency to allow for manual SMTP": [
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"^.{19} SMTP syntax error in \"[^\"]*\" H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]",
"SMTP command timeout on connection from (?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]$"
] },
"then": "… Check network before an email ban",
"else": "… Detect some SMTP spammers"
}
],
"… Detect some SMTP spammers": [
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"\\[(?P<thatIP>[^ ]+)\\] AUTH command used when not advertised$",
"H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\] .* rejected after DATA: (?:maximum allowed line length is [0-9]+ octets, got [0-9]+|This message scored [0-9.]+ spam points\\.)$",
"^.{19} login_server authenticator failed for (?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]: 535 Incorrect authentication data",
"^.{19} H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\] .* relay not permitted$",
"^.{19} SMTP protocol synchronization error.*: rejected .* H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]",
"\\[(?P<thatIP>[^ ]+)\\] rejected EXPN root$",
"unqualified verify rejected: .* H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]$",
"rejected because (?P<thatIP>[^ ]+) is in a black list at",
"^.{19} rejected [EH]{2}LO from (?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]: syntactically invalid",
"\\[(?P<thatIP>[^ ]+)\\] dropped: too many nonmail commands"
] },
"then": "… Check network before an email ban",
"else": "… NOOP if PRIORITY 5+"
}
],
"Notify of new custom systemd services": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "systemd" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^Started (/.*)\\.$", "save": [ "customCmd" ] },
"else": "… Warn of unclean mounts"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Custom systemd service started: {customCmd}" }
}
],
"… Warn of unclean mounts": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^Directory (/.*) to mount over is not empty, mounting anyway\\.$", "save": [ "mountPath" ] },
"else": "… Notify of systemd-gpt-auto-generator errors"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Device mounted on non-empty {mountPath}" }
}
],
"… Notify of systemd-gpt-auto-generator errors": [
{
"filter": "filter_equals",
"args": { "field": "MESSAGE", "value": "/usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with error code 1." },
"else": "… Warn of time-outs"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "{MESSAGE}", "details": "NONE" }
}
],
"… Warn of time-outs": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^(/.*): Start operation timed out\\. Terminating\\.$", "save": [ "systemdUnit" ] },
"else": "… Notify of user logins"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Unit {systemdUnit}/{_HOSTNAME} timed out while starting" }
}
],
"… Notify of user logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^pam_unix\\(systemd-user:session\\): session opened for user (.*) by root\\(uid=0\\)$", "save": [ "thatUser" ] },
"else": "… Warn of failed systemd units"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by systemd-user:session" }
}
],
"… Warn of failed systemd units": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^(/.*\\.mount|.*\\.service): Failed ", "save": [ "systemdUnit" ] },
"else": "… Discard other systemd debug entries"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Unit {systemdUnit}/{_HOSTNAME} failed" }
}
],
"… Discard other systemd debug entries": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 4 },
"then": "… NOOP",
"else": "… Notify of systemd failed states"
}
],
"… Notify of systemd failed states": [
{
"action": "action_email",
"args": { "subject": "systemd failure", "message": "On {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "{MESSAGE}" }
}
],
"Warn of su errors": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "su" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^FAILED SU \\([^)]+\\) (.*) on [^ ]+$", "save": [ "thatUser" ] },
"else": "… Notify of su logins"
},
{
"action": "action_email",
"args": { "subject": "SU error!", "message": "SU error from user {thatUser} on {_HOSTNAME} on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "SU error from user {thatUser} on {_HOSTNAME}" }
}
],
"… Notify of su logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\(to (.*)\\) (.*) on [^ ]+$", "save": [ "thatUser", "fromUser" ] },
"else": "… NOOP if PRIORITY 5+"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by {fromUser}:su", "details": "NONE" }
}
],
"Discard Nextcloud coding errors": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "ownCloud" }
},
{
"filter": "filter_in",
"args": { "field": "PRIORITY", "values": [ 2, 3 ] },
"then": "… NOOP",
"else": "… Discard Nextcloud-to-LDAP bind errors"
}
],
"… Discard Nextcloud-to-LDAP bind errors": [
{
"filter": "filter_equals",
"args": { "field": "MESSAGE", "value": "{user_ldap} Bind failed: 49: Invalid credentials" },
"then": "… NOOP",
"else": "… Notify of Nextcloud upgrades"
}
],
"… Notify of Nextcloud upgrades": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\{core\\} starting upgrade from (.*) to (.*)$", "save": [ "fromVers", "toVers" ] },
"else": "… Detect Nextcloud failed logins"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Nextcloud upgrade from {fromVers} to {toVers}" }
}
],
"… Detect Nextcloud failed logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\{core\\} Login failed: '(.*)' \\(Remote IP: '(.*)'\\)", "save": [ "thatUser", "thatIP" ] },
"else": "… Let Nextcloud core messages pass-through"
},
{
"filter": "filter_userExists",
"args": { "field": "thatUser" },
"else": "… Report inexisting Nextcloud user"
},
{
"action": "action_email",
"args": { "subject": "Pyruse Warning", "message": "WARNING: Failed login from {thatIP} as {thatUser}@{_HOSTNAME} on Nextcloud on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} on Nextcloud", "details": "FIRSTLAST" },
"then": "… Check network before a Nextcloud ban"
}
],
"… Report inexisting Nextcloud user": [
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} on Nextcloud", "details": "FIRSTLAST" },
"then": "… Check network before a Nextcloud ban"
}
],
"… Check network before a Nextcloud ban": [
{
"filter": "filter_inNetworks",
"args": { "field": "thatIP", "nets": [ "192.168.1.96/29", "127.0.0.0/8", "::1" ] },
"then": "… NOOP",
"else": "… Detect repeated Nextcloud login failures"
}
],
"… Detect repeated Nextcloud login failures": [
{
"action": "action_counterRaise",
"args": { "counter": "https", "for": "thatIP", "keepSeconds": 300, "save": "IPfailures" }
},
{
"filter": "filter_greaterOrEquals",
"args": { "field": "IPfailures", "value": 6 },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Ban of IP {thatIP} for HTTP abuse" }
},
{
"action": "action_log",
"args": { "message": "nftBan from HTTP for {thatIP}" }
},
{
"action": "action_nftBan",
"args": { "IP": "thatIP", "banSeconds": 900, "nftSetIPv4": "ip Inet4 https_ban", "nftSetIPv6": "ip6 Inet6 https_ban" }
}
],
"… Let Nextcloud core messages pass-through": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\{" },
"else": "… NOOP if PRIORITY 5+"
}
],
"Warn of bad SSH configuration": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "sshd" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^/etc/ssh/sshd_config line " },
"else": "… Detect successful SSH logins"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "SSH: {MESSAGE}", "details": "FIRSTLAST" }
}
],
"… Detect successful SSH logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^Accepted (password|publickey) for (.*) from ([^ ]*) port ", "save": [ "SSHmethod", "thatUser", "thatIP" ] },
"else": "… Detect failed SSH logins"
},
{
"action": "action_counterReset",
"args": { "counter": "sshd", "for": "thatIP", "graceSeconds": 432000 }
},
{
"action": "action_counterReset",
"args": { "counter": "sshd_recidive", "for": "thatIP" }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login from {thatIP} as {thatUser}@{_HOSTNAME} by SSH {SSHmethod}" }
}
],
"… Detect failed SSH logins": [
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"^Failed password for (?P<thatUser>.*) from (?P<thatIP>[^ ]*) port",
"^Invalid user (?P<thatUser>.*) from (?P<thatIP>[^ ]*) port",
"^User (?P<thatUser>.*) from (?P<thatIP>[^ ]*) not allowed because not listed in AllowUsers$"
] },
"else": "… Forbid antiquated clients"
},
{
"filter": "filter_userExists",
"args": { "field": "thatUser" },
"else": "… Report inexisting SSH user"
},
{
"action": "action_email",
"args": { "subject": "Pyruse Warning", "message": "WARNING: Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by SSH on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by SSH", "details": "FIRSTLAST" },
"then": "… Check network before an SSH ban"
}
],
"… Report inexisting SSH user": [
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Failed login from {thatIP} as {thatUser}@{_HOSTNAME} by SSH", "details": "FIRSTLAST" },
"then": "… Check network before an SSH ban"
}
],
"… Forbid antiquated clients": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^Unable to negotiate with ([^ ]*) port", "save": [ "thatIP" ] },
"then": "… Check network before an SSH ban",
"else": "… NOOP if PRIORITY 6+"
}
],
"… Check network before an SSH ban": [
{
"filter": "filter_inNetworks",
"args": { "field": "thatIP", "nets": [ "192.168.1.96/29", "127.0.0.0/8", "::1" ] },
"then": "… NOOP",
"else": "… Detect repeated SSH login failures"
}
],
"… Detect repeated SSH login failures": [
{
"action": "action_counterRaise",
"args": { "counter": "sshd", "for": "thatIP", "keepSeconds": 86400, "save": "IPfailures" }
},
{
"filter": "filter_greaterOrEquals",
"args": { "field": "IPfailures", "value": 4 },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Ban of IP {thatIP} for SSH abuse" }
},
{
"action": "action_log",
"args": { "message": "nftBan from SSH for {thatIP}" }
},
{
"action": "action_nftBan",
"args": { "IP": "thatIP", "banSeconds": 432000, "nftSetIPv4": "ip Inet4 sshd_ban", "nftSetIPv6": "ip6 Inet6 sshd_ban" }
}
],
"Notify of identified SPAM messages": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "spamd" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^spamd: identified spam" },
"else": "… NOOP if PRIORITY 4+"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Spam identified", "details": "NONE" }
}
],
"Manage recidives for Pyruse bans from HTTPS": [
{
"filter": "filter_in",
"args": { "field": "SYSLOG_IDENTIFIER", "values": [ "python", "pyruse" ] }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^nftBan from HTTP for (?P<thatIP>.*)$" },
"else": "… Manage recidives for Pyruse bans from email"
},
{
"action": "action_counterRaise",
"args": { "counter": "https_recidive", "for": "thatIP", "keepSeconds": 432000, "save": "IPfailures" }
},
{
"filter": "filter_greaterOrEquals",
"args": { "field": "IPfailures", "value": 7 },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Ban of IP {thatIP} for repeated HTTP abuse" }
},
{
"action": "action_log",
"args": { "message": "Strong nftBan from HTTP for {thatIP}", "level": "WARNING" }
},
{
"action": "action_nftBan",
"args": { "IP": "thatIP", "banSeconds": 2592000, "nftSetIPv4": "ip Inet4 https_ban", "nftSetIPv6": "ip6 Inet6 https_ban" }
}
],
"… Manage recidives for Pyruse bans from email": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^nftBan from email for (?P<thatIP>.*)$" },
"else": "… Manage recidives for Pyruse bans from SSH"
},
{
"action": "action_counterRaise",
"args": { "counter": "mail_recidive", "for": "thatIP", "keepSeconds": 2592000, "save": "IPfailures" }
},
{
"filter": "filter_greaterOrEquals",
"args": { "field": "IPfailures", "value": 7 },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Ban of IP {thatIP} for repeated mail abuse" }
},
{
"action": "action_log",
"args": { "message": "Strong nftBan from email for {thatIP}", "level": "WARNING" }
},
{
"action": "action_nftBan",
"args": { "IP": "thatIP", "banSeconds": 2592000, "nftSetIPv4": "ip Inet4 mail_ban", "nftSetIPv6": "ip6 Inet6 mail_ban" }
}
],
"… Manage recidives for Pyruse bans from SSH": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^nftBan from SSH for (?P<thatIP>.*)$" }
},
{
"action": "action_counterRaise",
"args": { "counter": "sshd_recidive", "for": "thatIP", "keepSeconds": 2592000, "save": "IPfailures" }
},
{
"filter": "filter_greaterOrEquals",
"args": { "field": "IPfailures", "value": 2 },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Ban of IP {thatIP} for repeated SSH abuse" }
},
{
"action": "action_log",
"args": { "message": "Strong nftBan from SSH for {thatIP}", "level": "WARNING" }
},
{
"action": "action_nftBan",
"args": { "IP": "thatIP", "banSeconds": 2592000, "nftSetIPv4": "ip Inet4 sshd_ban", "nftSetIPv6": "ip6 Inet6 sshd_ban" }
}
],
"Notify of NFS access by clients": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "rpc.mountd" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^authenticated mount request from (.*):[0-9]+ for (.*) \\(.*\\)$", "save": [ "nfsClient", "nfsPath" ] },
"else": "… NOOP if PRIORITY 5+"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "NFS access from {nfsClient} to {nfsPath}", "details": "NONE" }
}
],
"Warn of minidlna errors while reading media files": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "minidlnad" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^metadata\\.c:.*Opening (.*) failed! \\[", "save": [ "fileName" ] },
"else": "… Notify of unhandled formats"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Minidlna error for {fileName}" }
}
],
"… Notify of unhandled formats": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^metadata\\.c:[0-9]+: warn: (.*): Unhandled format: (.*)$", "save": [ "fileName", "mediaFormat" ] },
"else": "… Warn of permission errors for minidlna"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Minidlna does not handle {mediaFormat} for {fileName}", "details": "NONE" }
}
],
"… Warn of permission errors for minidlna": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^monitor\\.c:[0-9]+: error: inotify_add_watch\\((.*)\\) \\[Permission non accordée\\]$", "save": [ "fileName" ] },
"else": "… NOOP if PRIORITY 4+"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Minidlna is not allowed to read {fileName}", "details": "FIRSTLAST" }
}
],
"Warn of sudo errors": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "sudo" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^ (.*) : user NOT in sudoers ;", "save": [ "thatUser" ] },
"else": "… Notify of sudo logins"
},
{
"action": "action_email",
"args": { "subject": "SUDO error!", "message": "Sudo error from user {thatUser} on {_HOSTNAME} on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Sudo error from user {thatUser} on {_HOSTNAME}" }
}
],
"… Notify of sudo logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^pam_unix\\(sudo:session\\): session opened for user (.*) by [^(]*\\(uid=([^)]+)\\)$", "save": [ "thatUser", "fromUID" ] },
"else": "… NOOP if PRIORITY 5+"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by {fromUID}:sudo", "details": "NONE" }
}
],
"Warn of package errors with loolwsd": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "loolwsd" }
},
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"^/usr/bin/loolwsd: error ",
"^FATAL:",
"^Failed "
] },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "CollaboraOnline: {MESSAGE}" }
}
],
"Notify of certificate renewals": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "dehydrated" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^ (?:\\+Requesting |rewrite )" },
"else": "… Warn of dehydrated errors"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "ACME: {MESSAGE}" }
}
],
"… Warn of dehydrated errors": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "ERROR|WARNING|FAILURE" },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "ACME: {MESSAGE}", "details": "FIRSTLAST" }
}
],
"Warn of SpamAssassin update failures": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "sa-update" }
},
{
"filter": "filter_equals",
"args": { "field": "MESSAGE", "value": "channel: could not find working mirror, channel failed" },
"else": "… NOOP if PRIORITY 4+"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "SpamAssassin update failed", "details": "FIRSTLAST" }
}
],
"Warn of local authentication errors": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "nslcd" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\[[^]]+\\] <([^>]+)> .*Can't contact LDAP server: (.*)$", "save": [ "nslcdClient", "nslcdError" ] },
"else": "… NOOP if PRIORITY 3+"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "nslcd: {nslcdError} for {nslcdClient}@{_HOSTNAME}", "details": "FIRSTLAST" }
}
],
"Warn of Nextcloud maintenance errors": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "php" }
},
{
"filter": "filter_equals",
"args": { "field": "MESSAGE", "value": "Cannot write into \"config\" directory!" },
"else": "… NOOP if PRIORITY 5+"
},
{
"action": "action_email",
"args": { "subject": "Nextcloud config is read-only!", "message": "Nextcloud maintenance could not write to the configuration file on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Nextcloud maintenance could not write to the configuration file", "details": "FIRSTLAST" }
}
],
"Warn of systemd-nspawn failures": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "systemd-nspawn" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^(?:\\[FAILED\\] )?Failed to" },
"else": "… NOOP if PRIORITY 4+"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "nspawn: {MESSAGE}", "details": "FIRSTLAST" }
}
],
"Discard ddclient debug entries": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "ddclient" },
"then": "… NOOP if PRIORITY 6+"
}
],
"Warn of core dumps": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "systemd-coredump" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "of user (.*) dumped core\\.$", "save": [ "thatUser" ] },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Core dump for {thatUser}@{_HOSTNAME}" }
}
],
"Notify of getty user logins": [
{
"filter": "filter_pcre",
"args": { "field": "SYSLOG_IDENTIFIER", "re": "login" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "session opened for user (.*) by LOGIN\\(uid=0\\)$", "save": [ "thatUser" ] },
"else": "… Immediate warning for getty failures"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by login:session" }
}
],
"… Immediate warning for getty failures": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^FAILED LOGIN " },
"else": "… NOOP if PRIORITY 5+"
},
{
"action": "action_email",
"args": { "subject": "Failed getty login", "message": "Failed getty login on {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Failed getty login on {_HOSTNAME}" }
}
],
"Notify of important PHP debug messages": [
{
"filter": "filter_equals",
"args": { "field": "SYSLOG_IDENTIFIER", "value": "php-fpm" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\[[A-Z](?!OTICE)(?!EBUG)" },
"else": "… Notify of PHP error messages"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "PHP: {MESSAGE}", "details": "FIRSTLAST" }
}
],
"… Notify of PHP error messages": [
{
"filter": "filter_lowerOrEquals",
"args": { "field": "PRIORITY", "value": 3 },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "PHP: {MESSAGE}", "details": "FIRSTLAST" }
}
],
"… NOOP if PRIORITY 3+": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 3 },
"then": "… NOOP"
}
],
"… NOOP if PRIORITY 4+": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 4 },
"then": "… NOOP"
}
],
"… NOOP if PRIORITY 5+": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 5 },
"then": "… NOOP"
}
],
"… NOOP if PRIORITY 6+": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 6 },
"then": "… NOOP"
}
],
"… NOOP": [
{
"action": "action_noop"
}
],
"all_filters_failed": [
{
"action": "action_dailyReport",
"args": { "level": "OTHER", "message": "[{PRIORITY}/{SYSLOG_IDENTIFIER}] {_UID}:{_GID}@{_HOSTNAME}:{_CMDLINE} ({_SYSTEMD_UNIT})\n{MESSAGE}" }
}
]
},
"email": {
"from": "pyruse@example.org",
"to": [
"hostmaster@example.org"
],
"subject": "Pyruse Daily Report",
"sendmail": [ "/usr/bin/sendmail", "-t" ]
},
"nftBan": {
"nft": [ "/usr/bin/nft" ]
},
"ipsetBan": {
"ipset": [ "/usr/bin/ipset", "-exist", "-quiet" ]
},
"8bit-message-encoding": "iso-8859-15",
"storage": "/var/lib/pyruse",
"debug": false
}