This program is intended to be used as a lightweight replacement for both epylog and fail2ban. Its purpose is to peruse the system log entries, warn of important situations, report daily on the latest events, and act on specific patterns (IP address bans…).
The benefits of Pyruse over products of the same kind are:
Optimization brought by systemd
systemd-journal entries play an important role in Pyruse: instead of matching log entries against message patterns only, the whole range of systemd’s journal fields is available. This allows for the much faster integer comparisons (
_UID…), or even faster comparisons with short strings like the
_HOSTNAME, with the opportunity to test more often for equality, and less for regular expressions.
Optimization brought by context
Programs that peruse the system logs usually apply a set of rules on each log entry, rule after rule, regardless of what can be deduced by the already-applied rules.
In contrast, each fact learnt by applying a rule in Pyruse can be taken into account so that rules that do not apply are not even considered.
For example, after matching the
SYSLOG_IDENTIFIER of a journal entry to the value
sshd, only SSH-related rules are applied, not Nginx-related rules, nor Prosody-related rules.
Each filter (ie. a matching step) or action (eg. a ban, an email, etc.) is a Python module with a very simple API. As soon as a new need arises, a module can be written for it.
For example, to my knowledge, there is no equivalent in any tool of the same scale, for the DNAT-correcting actions now included with Pyruse.
Whenever your upgrade Pyruse, make sure to check the Changelog.
/etc/pyruse directory is where system-specific files are looked-for:
pyruse.jsonfile that contains the configuration,
pyruse/filterssubfolders, which may contain additional actions and filters.
Instead of using
/etc/pyruse, an alternate directory may be specified with the
PYRUSE_EXTRA environment variable.
For more in-depth documentation, please refer to these pages: