Lightweight replacement for both epylog and fail2ban.
Latest commit 6f557f347e: Avoid SMTP errors (lines >998 characters) using quoted-printable (2018-02-05 21:43:54 +01:00)

extra — CAP_SYS_ADMIN needed for running commands in a container (nsenter) (2018-02-05 19:30:48 +01:00)
pyruse — Avoid SMTP errors (lines >998 characters) using quoted-printable (2018-02-05 21:43:54 +01:00)
tests — Avoid SMTP errors (lines >998 characters) using quoted-printable (2018-02-05 21:43:54 +01:00)
.gitignore — optionally store names taken from the configuration file to ease debugging (2018-01-31 12:58:26 +01:00)
LICENSE — init (2017-12-15 19:41:31 +01:00)
README.md — setup and configuration information (2017-12-17 15:43:47 +01:00)
TODO.md — switch from Step.run() recursion to Step.run()-in-a-loop to avoid too-deep call stacks (2018-02-05 19:30:48 +01:00)

README.md

Python peruser of systemd-journal

This program is intended to be used as a lightweight replacement for both epylog and fail2ban.

The wanted features are these:

  • Peruse all log entries from systemd's journal, and only those (i.e. no log files).
  • Passively wait on new entries; no active polling.
  • Filter out uninteresting log lines according to the settings.
  • Act on matches in the journal, with some pre-defined actions.
  • Create a daily report with 2 parts:
    • events of interest (according to the settings),
    • and other non-filtered-out log entries.
  • Send an immediate email when something important happens (according to the settings).

Interesting filtering entries are:

  • _TRANSPORT: how the log entry got to the journal (stdout, syslog, journal)
  • PRIORITY: see https://en.wikipedia.org/wiki/Syslog#Severity_level
  • SYSLOG_FACILITY: see https://en.wikipedia.org/wiki/Syslog#Facility
  • _CAP_EFFECTIVE: effective capabilities as a hexadecimal mask
  • _BOOT_ID: boot identifier (may be used to detect reboots)
  • _MACHINE_ID: internal systemd ID for the machine where the log entry occurred
  • _HOSTNAME: short hostname of the machine where the log entry occurred
  • _UID: user ID of the systemd service that produced the log entry
  • _GID: group ID of the systemd service that produced the log entry
  • SYSLOG_IDENTIFIER: service name as reported to the “syslog” API
  • _COMM: name of the command that produced the log entry
  • _EXE: path to the executable file launched by systemd
  • _SYSTEMD_CGROUP: cgroup of the service, e.g. /system.slice/systemd-uwsgi.slice/uwsgi@nextcloud.service
  • _SYSTEMD_UNIT: name of the systemd unit that produced the log entry
  • _SYSTEMD_SLICE: name of the systemd slice
  • _CMDLINE: process name as reported by the main process of the systemd service
  • _PID: process ID of the systemd unit's main process
  • MESSAGE: the actual message of the log entry
  • __REALTIME_TIMESTAMP: Python datetime of the log entry, formatted as: YYYY-MM-DD HH:MM:SS:µµµµµµ

The /etc/pyruse directory is where system-specific files are looked for:

  • the pyruse.json file that contains the configuration,
  • the pyruse/actions and pyruse/filters subfolders, which may contain additional actions and filters.

Instead of using /etc/pyruse, an alternate directory may be specified with the PYRUSE_EXTRA environment variable.
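The triage that the feature list and the field list above describe (drop uninteresting entries, keep the rest for the daily report, mail important ones at once, use _BOOT_ID to spot a reboot), together with the PYRUSE_EXTRA / /etc/pyruse lookup, as an added example that is not pyruse's own code. The journal field names are the real systemd-journal fields; the rule format, the helper names (`config_dir`, `classify`, `process`) and the sample entries are constructed for this example and do not reflect the schema of pyruse.json. The entries are built inline rather than read from the journal so the example runs offline.

```python
"""Journal-entry triage in the spirit of the pyruse README (added example, not project code)."""
import re
from datetime import datetime


def config_dir(environ):
    """Settings directory: PYRUSE_EXTRA overrides the default /etc/pyruse."""
    return environ.get("PYRUSE_EXTRA", "/etc/pyruse")


def field_matches(value, expected):
    """A rule value is an exact value, a compiled regex, or a predicate (hypothetical format)."""
    if value is None:
        return False
    if hasattr(expected, "search"):          # compiled regex, e.g. on MESSAGE
        return expected.search(str(value)) is not None
    if callable(expected):                   # e.g. a PRIORITY threshold
        return bool(expected(value))
    return value == expected


def rule_matches(entry, rule):
    """Every field named in the rule must match the journal entry."""
    return all(field_matches(entry.get(f), v) for f, v in rule.items())


# Constructed rules: what to drop silently, what to e-mail immediately.
DROP_RULES = [
    {"_TRANSPORT": "stdout", "_SYSTEMD_UNIT": "noisy-app.service"},
    {"SYSLOG_IDENTIFIER": "systemd", "MESSAGE": re.compile(r"^(Started|Stopped) ")},
]
ALERT_RULES = [
    {"SYSLOG_IDENTIFIER": "sshd", "MESSAGE": re.compile(r"Accepted \w+ for root ")},
    {"PRIORITY": lambda p: p <= 2},          # syslog severity emerg/alert/crit
]


def classify(entry):
    """'drop' (uninteresting), 'alert' (mail now) or 'report' (daily digest)."""
    if any(rule_matches(entry, r) for r in DROP_RULES):
        return "drop"
    if any(rule_matches(entry, r) for r in ALERT_RULES):
        return "alert"
    return "report"


def fmt(entry):
    """Timestamp in the README's YYYY-MM-DD HH:MM:SS:µµµµµµ form, then identifier and message."""
    ts = entry["__REALTIME_TIMESTAMP"].strftime("%Y-%m-%d %H:%M:%S:%f")
    return f"{ts} {entry.get('SYSLOG_IDENTIFIER', '?')}: {entry['MESSAGE']}"


def process(entries):
    """Walk entries in journal order; a change of _BOOT_ID is itself reported as an alert."""
    report, alerts, dropped = [], [], 0
    last_boot = None
    for e in entries:
        boot = e.get("_BOOT_ID")
        if last_boot is not None and boot != last_boot:
            alerts.append(f"{fmt(e)} [reboot detected, new boot id {boot}]")
        last_boot = boot
        verdict = classify(e)
        if verdict == "drop":
            dropped += 1
        elif verdict == "alert":
            alerts.append(fmt(e))
        else:
            report.append(fmt(e))
    return report, alerts, dropped


def _entry(ts, ident, msg, prio=6, boot="boot-A", **extra):
    """Build a journal-like dict (PRIORITY as int, __REALTIME_TIMESTAMP as datetime)."""
    e = {"__REALTIME_TIMESTAMP": datetime.fromisoformat(ts), "SYSLOG_IDENTIFIER": ident,
         "MESSAGE": msg, "PRIORITY": prio, "_BOOT_ID": boot, "_TRANSPORT": "syslog"}
    e.update(extra)
    return e


# Constructed sample entries, in the order the journal would deliver them.
SAMPLE_ENTRIES = [
    _entry("2018-02-05T21:40:00.000100", "systemd", "Started Session 3 of user bob."),
    _entry("2018-02-05T21:40:01.000200", "noisy-app", "tick", _TRANSPORT="stdout",
           _SYSTEMD_UNIT="noisy-app.service"),
    _entry("2018-02-05T21:40:02.000300", "sshd",
           "Accepted publickey for root from 192.0.2.10 port 51234 ssh2"),
    _entry("2018-02-05T21:40:03.000400", "nginx", "upstream timed out", prio=3),
    _entry("2018-02-05T21:40:04.000500", "kernel", "Out of memory: Kill process 4242", prio=2),
    _entry("2018-02-05T21:45:00.000600", "systemd-journald", "Journal started", boot="boot-B"),
]

if __name__ == "__main__":
    report, alerts, dropped = process(SAMPLE_ENTRIES)
    print(f"dropped {dropped}")
    print("alerts:", *alerts, sep="\n  ")
    print("report:", *report, sep="\n  ")
```

Drop rules are evaluated before alert rules on purpose: a noisy unit that also happens to log at a high severity stays silenced, which is the behaviour to check when tuning filters so that an overly broad drop rule does not hide the events the immediate e-mail is meant to catch.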