pyruse/extra/examples/full_pyruse.json


{
"actions": {
"Filter-out uninteresting services entries": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 4 }
},
{
"filter": "filter_in",
"args": { "field": "_SYSTEMD_UNIT", "values": [ "gitea.service", "movim.service", "postgresql.service", "man-db.service", "rpc-statd.service", "rpc-statd-notify.service", "lvm2-monitor.service", "lvm2-pvscan@8:1.service", "lvm2-pvscan@179:2.service", "systemd-resolved.service", "systemd-logind.service", "nfs-server.service", "systemd-networkd.service", "systemd-journald.service", "dbus.service", "nfs-idmapd.service", "slapd.service", "systemd-udevd.service" ] },
"then": "… NOOP"
}
],
"Filter-out uninteresting generic services entries": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 4 }
},
{
"filter": "filter_pcreAny",
"args": { "field": "_SYSTEMD_UNIT", "re": [ "^systemd-fsck@" ] },
"then": "… NOOP"
}
],
"Notify of unsecured XMPP servers": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "prosody.service" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "->(.*) closed: Encrypted server-to-server communication is required but was not offered$", "save": [ "xmppServer" ] },
"else": "… NOOP if PRIORITY 3+"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "XMPP server {xmppServer} did not provide a secure connection" }
}
],
"Detect request errors with Nextcloud": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "uwsgi@nextcloud.service" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\[[^]]+\\] ([^ ]+) .*\\] ([A-Z]+ /[^?]*)(?:\\?.*)? => .*\\(HTTP/1.1 5..\\)", "save": [ "thatIP", "HTTPrequest" ] },
"else": "… Discard Nextcloud coding errors"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "IP {thatIP} failed to {HTTPrequest} on Nextcloud" }
}
],
"… Discard Nextcloud coding errors": [
{
"filter": "filter_in",
"args": { "field": "PRIORITY", "values": [ 2, 3 ] },
"then": "… NOOP",
"else": "… Discard Nextcloud-to-LDAP bind errors"
}
],
"… Discard Nextcloud-to-LDAP bind errors": [
{
"filter": "filter_equals",
"args": { "field": "MESSAGE", "value": "{user_ldap} Bind failed: 49: Invalid credentials" },
"then": "… NOOP",
"else": "… Detect Nextcloud failed logins"
}
],
"… Detect Nextcloud failed logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\{core\\} Login failed: '(.*)' \\(Remote IP: '(.*)'\\)", "save": [ "thatUser", "thatIP" ] },
"else": "… Let Nextcloud core messages pass-through"
},
{
"filter": "filter_userExists",
"args": { "field": "thatUser" },
"else": "… Report inexisting Nextcloud user"
},
{
"action": "action_email",
"args": { "subject": "Pyruse Warning", "message": "WARNING: Failed login as {thatUser}@{_HOSTNAME} on Nextcloud on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Failed login as {thatUser}@{_HOSTNAME} on Nextcloud" },
"then": "… Detect repeated Nextcloud login failures"
}
],
"… Report inexisting Nextcloud user": [
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Failed login as {thatUser}@{_HOSTNAME} on Nextcloud" },
"then": "… Detect repeated Nextcloud login failures"
}
],
"… Detect repeated Nextcloud login failures": [
{
"action": "action_counterRaise",
"args": { "counter": "https", "for": "thatIP", "keepSeconds": 300, "save": "IPfailures" }
},
{
"filter": "filter_greaterOrEquals",
"args": { "field": "IPfailures", "value": 6 },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Ban of IP {thatIP} for HTTP abuse" }
},
{
"action": "action_nftBan",
"args": { "IP": "thatIP", "banSeconds": 900, "nftSetIPv4": "Inet4 https_ban", "nftSetIPv6": "Inet6 https_ban" }
}
],
"… Let Nextcloud core messages pass-through": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\{" },
"else": "… Report Nextcloud failed state"
}
],
"… Report Nextcloud failed state": [
{
"filter": "filter_equals",
"args": { "field": "MESSAGE", "value": "uwsgi@nextcloud.service: Unit entered failed state." },
"else": "… Report insufficient buffer-size for Nextcloud QUERY_STRING"
},
{
"action": "action_email",
"args": { "subject": "Nextcloud crashed", "message": "Service uwsgi@nextcloud.service failed on {_HOSTNAME} on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Service uwsgi@nextcloud.service failed on {_HOSTNAME}" }
}
],
"… Report insufficient buffer-size for Nextcloud QUERY_STRING": [
{
"filter": "filter_equals",
"args": { "field": "MESSAGE", "value": "not enough buffer space to add QUERY_STRING variable, consider increasing it with the --buffer-size option" },
"else": "… NOOP if PRIORITY 5+"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Nextcloud query failed because the buffer-size was too low" }
}
],
"Warn of sudo errors": [
{
"filter": "filter_pcre",
"args": { "field": "_SYSTEMD_UNIT", "re": "^session-.*\\.scope$" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^ (.*) : user NOT in sudoers ;", "save": [ "thatUser" ] },
"else": "… Warn of su errors"
},
{
"action": "action_email",
"args": { "subject": "SUDO error!", "message": "Sudo error from user {thatUser} on {_HOSTNAME} on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Sudo error from user {thatUser} on {_HOSTNAME}" }
}
],
"… Warn of su errors": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^FAILED SU \\([^)]+\\) (.*) on [^ ]+$", "save": [ "thatUser" ] },
"else": "… Notify of su logins"
},
{
"action": "action_email",
"args": { "subject": "SU error!", "message": "SU error from user {thatUser} on {_HOSTNAME} on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "SU error from user {thatUser} on {_HOSTNAME}" }
}
],
"… Notify of su logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\(to (.*)\\) (.*) on [^ ]+$", "save": [ "thatUser", "fromUser" ] },
"else": "… Notify of sudo logins"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by {fromUser}:su" }
}
],
"… Notify of sudo logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^pam_unix\\(sudo:session\\): session opened for user (.*) by [^(]*\\(uid=([^)]+)\\)$", "save": [ "thatUser", "fromUID" ] },
"else": "… Notify of Nextcloud upgrades"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by {fromUID}:sudo" }
}
],
"… Notify of Nextcloud upgrades": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\{core\\} starting upgrade from (.*) to (.*)$", "save": [ "fromVers", "toVers" ] },
"else": "… NOOP if PRIORITY 3+"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Nextcloud upgrade from {fromVers} to {toVers}" }
}
],
"Discard HTTP debug entries": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "nginx.service" }
},
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 6 },
"then": "… NOOP",
"else": "… Detect successful HTTPS logins"
}
],
"… Detect successful HTTPS logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^.{19} \\[notice\\] [0-9]*#[0-9]*: \\*[0-9]* \\[lua\\] .* authenticate\\(\\): Connected as: ([^,]*), client: ([^,]*),", "save": [ "thatUser", "thatIP" ] },
"else": "… Detect failed HTTPS logins"
},
{
"action": "action_counterReset",
"args": { "counter": "https", "for": "thatIP", "graceSeconds": 432000 }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by HTTPS" }
}
],
"… Detect failed HTTPS logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "Redirect to: https://[^/]*yalis\\.fr/sso/\\?r=(.*), client: (?P<thatIP>.*), server: , request: \"POST /sso/\\?r=\\1 HTTP/1\\.1\", host: \"[^/]*yalis\\.fr\", referrer: \"https://[^/]*yalis\\.fr/sso/\\?r=\\1\"$" },
"else": "… Detect abnormal HTTP 404 errors"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Failed login on {_HOSTNAME} by HTTPS" },
"then": "… Detect repeated HTTPS failures"
}
],
"… Detect abnormal HTTP 404 errors": [
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"open\\(\\) \"[^\"]*\\.(?:cgi|php|pl|py|sh)\" failed \\(2: No such file or directory\\), client: (?P<thatIP>[^,]+),",
"Unable to open primary script: .*\\.(?:cgi|php|pl|py|sh) \\(No such file or directory[^,]+, client: (?P<thatIP>[^,]+),"
] },
"then": "… Detect repeated HTTPS failures",
"else": "… Immediate warning for connectivity errors"
}
],
"… Detect repeated HTTPS failures": [
{
"action": "action_counterRaise",
"args": { "counter": "https", "for": "thatIP", "keepSeconds": 900, "save": "IPfailures" }
},
{
"filter": "filter_greaterOrEquals",
"args": { "field": "IPfailures", "value": 6 },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Ban of IP {thatIP} for HTTP abuse" }
},
{
"action": "action_nftBan",
"args": { "IP": "thatIP", "banSeconds": 7200, "nftSetIPv4": "Inet4 https_ban", "nftSetIPv6": "Inet6 https_ban" }
}
],
"… Immediate warning for connectivity errors": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^.{19} \\[crit\\] [0-9]*#[0-9]*: \\*[0-9]* connect\\(\\) to ([^ ]*) failed", "save": [ "nginxUpstream" ] },
"else": "… Immediate warning for module version errors"
},
{
"action": "action_email",
"args": { "subject": "Nginx connectivity error", "message": "Nginx could not connect to {nginxUpstream} on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Nginx could not connect to {nginxUpstream}" }
}
],
"… Immediate warning for module version errors": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "module \"([^\"]+)\" version [0-9]+ instead of [0-9]+ in /.*$", "save": [ "badModule" ] },
"else": "… Immediate warning for LUA errors"
},
{
"action": "action_email",
"args": { "subject": "Bad Nginx module version", "message": "Nginx could not load a module on {_HOSTNAME}:\n{MESSAGE}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Nginx could not load module {badModule}" }
}
],
"… Immediate warning for LUA errors": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "runtime error: ([^ ]+): (.*)$", "save": [ "luaFile", "luaError" ] },
"else": "… Warn of upstream HTTP disconnections"
},
{
"action": "action_email",
"args": { "subject": "Lua error in Nginx", "message": "Lua error at {luaFile}:\n{MESSAGE}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Nginx file {luaFile} ran into error: {luaError}" }
}
],
"… Warn of upstream HTTP disconnections": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "(?:upstream prematurely closed connection|Connection reset by peer\\)) while reading response header from upstream.*, request: \"([^?\"]+)[^\"]*\", upstream: \"([^\"]+)\"", "save": [ "failedRequest", "failedUpstream" ] },
"else": "… NOOP if PRIORITY 3+"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Nginx got disconnected from {failedUpstream} on request {failedRequest}" }
}
],
"Detect successful IMAP logins": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "dovecot.service" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^imap-login: Login: user=<([^>]+)>, method=[^,]*, rip=([^,]+),", "save": [ "thatUser", "thatIP" ] },
"else": "… Detect IMAP resource hogs"
},
{
"action": "action_counterReset",
"args": { "counter": "mail", "for": "thatIP", "graceSeconds": 432000 }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by IMAP" }
}
],
"… Detect IMAP resource hogs": [
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"^imap-login: Disconnected \\(no auth attempts in [0-9]{2,} secs\\): user=<>, rip=(?P<thatIP>[^,]+),",
"^imap-login: Disconnected: Too many invalid commands.*, rip=(?P<thatIP>[^,]+),"
] },
"then": "… Detect repeated mail failures",
"else": "… Detect failed IMAP logins"
}
],
"… Detect failed IMAP logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^imap-login: Disconnected \\(auth failed, [0-9]+ attempts in [0-9]+ secs\\): user=<([^>]*)>.*, rip=([^,]+),", "save": [ "thatUser", "thatIP" ] },
"else": "… Discard Dovecot debug entries"
},
{
"filter": "filter_userExists",
"args": { "field": "thatUser" },
"else": "… Report inexisting IMAP user"
},
{
"action": "action_email",
"args": { "subject": "Pyruse Warning", "message": "WARNING: Failed login as {thatUser}@{_HOSTNAME} by IMAP on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Failed login as {thatUser}@{_HOSTNAME} by IMAP" },
"then": "… Detect repeated mail failures"
}
],
"… Report inexisting IMAP user": [
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Failed login as {thatUser}@{_HOSTNAME} by IMAP" },
"then": "… Detect repeated mail failures"
}
],
"… Detect repeated mail failures": [
{
"action": "action_counterRaise",
"args": { "counter": "mail", "for": "thatIP", "keepSeconds": 86400, "save": "IPfailures" }
},
{
"filter": "filter_greaterOrEquals",
"args": { "field": "IPfailures", "value": 4 },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Ban of IP {thatIP} for mail abuse" }
},
{
"action": "action_nftBan",
"args": { "IP": "thatIP", "banSeconds": 432000, "nftSetIPv4": "Inet4 mail_ban", "nftSetIPv6": "Inet6 mail_ban" }
}
],
"… Discard Dovecot debug entries": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 4 },
"then": "… NOOP",
"else": "… Warn of Dovecot-to-LDAP errors"
}
],
"… Warn of Dovecot-to-LDAP errors": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^auth: Error: LDAP: Can't connect to server: ldapi:" },
"else": "… NOOP"
},
{
"action": "action_email",
"args": { "subject": "Dovecot-to-LDAP error", "message": "Dovecot could not connect to LDAP (ldapi) on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Dovecot could not connect to LDAP (ldapi)" }
}
],
"Notify of Exim smarthost deliveries": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "exim.service" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": " => [^ ]+ R=smarthost T=remote_smtp H=([^ ]+ \\[[^]]+\\]) C=\"250 ", "save": [ "smarthost" ] },
"else": "… Frozen Exim email"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Email message sent through {smarthost}" }
}
],
"… Frozen Exim email": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "Message is frozen$" },
"else": "… Warn of a failure for Exim"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Frozen email on {_HOSTNAME}." }
}
],
"… Warn of a failure for Exim": [
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"(?P<failReason>all spamd servers failed)$",
"(?P<failReason>Network is unreachable)$"
] },
"else": "… Immediate ban of crackers"
},
{
"action": "action_email",
"args": { "subject": "Exim detected a failure", "message": "Failure detected by Exim on {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Exim detected a failure ({failReason})" }
}
],
"… Immediate ban of crackers": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "\\[([^ ]+)\\] NULL character\\(s\\) present \\(shown as '\\?'\\)$", "save": [ "thatIP" ] },
"else": "… Detect some SMTP spammers"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Ban of IP {thatIP} for mail abuse" }
},
{
"action": "action_nftBan",
"args": { "IP": "thatIP", "banSeconds": 432000, "nftSetIPv4": "Inet4 mail_ban", "nftSetIPv6": "Inet6 mail_ban" }
}
],
"… Detect some SMTP spammers": [
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"\\[(?P<thatIP>[^ ]+)\\] AUTH command used when not advertised$",
"H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\] .* rejected after DATA: (?:maximum allowed line length is [0-9]+ octets, got [0-9]+|This message scored [0-9.]+ spam points\\.)$",
"^.{19} login_server authenticator failed for (?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]: 535 Incorrect authentication data",
"^.{19} H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\] .* relay not permitted$",
"^.{19} SMTP protocol synchronization error.*: rejected .* H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]",
"\\[(?P<thatIP>[^ ]+)\\] rejected EXPN root$",
"unqualified verify rejected: .* H=(?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]$",
"rejected because (?P<thatIP>[^ ]+) is in a black list at",
"^.{19} rejected [EH]{2}LO from (?:\\([^)]*\\) )?\\[(?P<thatIP>[^]]+)\\]: syntactically invalid",
"\\[(?P<thatIP>[^ ]+)\\] dropped: too many nonmail commands"
] },
"then": "… Detect repeated mail failures",
"else": "… NOOP if PRIORITY 5+"
}
],
"Notify of new custom systemd services": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "init.scope" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^Started (/.*)\\.$", "save": [ "customCmd" ] },
"else": "… Warn of unclean mounts"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Custom systemd service started: {customCmd}" }
}
],
"… Warn of unclean mounts": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^Directory (/.*) to mount over is not empty, mounting anyway\\.$", "save": [ "mountPath" ] },
"else": "… Warn of time-outs"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Device mounted on non-empty {mountPath}" }
}
],
"… Warn of time-outs": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^(/.*): Start operation timed out\\. Terminating\\.$", "save": [ "systemdUnit" ] },
"else": "… Warn of failed mounts"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Unit {systemdUnit} timed out while starting" }
}
],
"… Warn of failed mounts": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^(/.*\\.mount): Failed ", "save": [ "mountUnit" ] },
"else": "… Discard other init.scope debug entries"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Unit {mountUnit} failed to mount" }
}
],
"… Discard other init.scope debug entries": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 4 },
"then": "… NOOP",
"else": "… Notify of systemd failed states"
}
],
"… Notify of systemd failed states": [
{
"action": "action_email",
"args": { "subject": "systemd failure", "message": "On {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "{MESSAGE}" }
}
],
"Warn of Nextcloud maintenance errors": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "nextcloud-maintenance.service" }
},
{
"filter": "filter_equals",
"args": { "field": "MESSAGE", "value": "Cannot write into \"config\" directory!" },
"else": "… NOOP if PRIORITY 5+"
},
{
"action": "action_email",
"args": { "subject": "Nextcloud config is read-only!", "message": "Nextcloud maintenance could not write to the configuration file on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Nextcloud maintenance could not write to the configuration file" }
}
],
"Detect HAProxy problems": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "haproxy.service" },
"then": "… NOOP if PRIORITY 5+"
}
],
"Notify of user logins": [
{
"filter": "filter_pcre",
"args": { "field": "_SYSTEMD_UNIT", "re": "^user@" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "session opened for user (.*) by root\\(uid=0\\)$", "save": [ "thatUser" ] },
"else": "… NOOP if PRIORITY 4+"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by systemd-user:session" }
}
],
"Warn of minidlna errors while reading media files": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "minidlna.service" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^metadata\\.c:.*Opening (.*) failed! \\[", "save": [ "torrentName" ] },
"else": "… Notify of unhandled formats"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Minidlna error for {torrentName}" }
}
],
"… Notify of unhandled formats": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^metadata\\.c:[0-9]+: warn: (.*): Unhandled format: (.*)$", "save": [ "torrentName", "mediaFormat" ] },
"else": "… Warn of permission errors for minidlna"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Minidlna does not handle {mediaFormat} for {torrentName}" }
}
],
"… Warn of permission errors for minidlna": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^monitor\\.c:[0-9]+: error: inotify_add_watch\\((.*)\\) \\[Permission non accordée\\]$", "save": [ "torrentName" ] },
"else": "… NOOP if PRIORITY 4+"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Minidlna is not allowed to read {torrentName}" }
}
],
"Warn of package errors with loolwsd": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "loolwsd.service" }
},
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"^/usr/bin/loolwsd: error ",
"^FATAL:",
"^Failed "
] },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "CollaboraOnline: {MESSAGE}" }
}
],
"Warn of bad SSH configuration": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "sshd.service" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^/etc/ssh/sshd_config line " },
"else": "… Detect successful SSH logins"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "SSH: {MESSAGE}" }
}
],
"… Detect successful SSH logins": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^Accepted (?:password|publickey) for (.*) from ([^ ]*) port ", "save": [ "thatUser", "thatIP" ] },
"else": "… Detect failed SSH logins"
},
{
"action": "action_counterReset",
"args": { "counter": "sshd", "for": "thatIP", "graceSeconds": 432000 }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by SSH" }
}
],
"… Detect failed SSH logins": [
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"^Failed password for (?P<thatUser>.*) from (?P<thatIP>(?!192\\.168\\.1\\.201 )[^ ]*) port",
"^Invalid user (?P<thatUser>.*) from (?P<thatIP>(?!192\\.168\\.1\\.201 )[^ ]*) port",
"^User (?P<thatUser>.*) from (?P<thatIP>(?!192\\.168\\.1\\.201 )[^ ]*) not allowed because not listed in AllowUsers$"
] },
"else": "… Forbid antiquated clients"
},
{
"filter": "filter_userExists",
"args": { "field": "thatUser" },
"else": "… Report inexisting SSH user"
},
{
"action": "action_email",
"args": { "subject": "Pyruse Warning", "message": "WARNING: Failed login as {thatUser}@{_HOSTNAME} by SSH on {__REALTIME_TIMESTAMP}." }
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Failed login as {thatUser}@{_HOSTNAME} by SSH" },
"then": "… Detect repeated SSH login failures"
}
],
"… Report inexisting SSH user": [
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Failed login as {thatUser}@{_HOSTNAME} by SSH" },
"then": "… Detect repeated SSH login failures"
}
],
"… Forbid antiquated clients": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^Unable to negotiate with ((?!192\\.168\\.1\\.201 )[^ ]*) port", "save": [ "thatIP" ] },
"then": "… Detect repeated SSH login failures",
"else": "… NOOP if PRIORITY 6+"
}
],
"… Detect repeated SSH login failures": [
{
"action": "action_counterRaise",
"args": { "counter": "sshd", "for": "thatIP", "keepSeconds": 86400, "save": "IPfailures" }
},
{
"filter": "filter_greaterOrEquals",
"args": { "field": "IPfailures", "value": 4 },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Ban of IP {thatIP} for SSH abuse" }
},
{
"action": "action_nftBan",
"args": { "IP": "thatIP", "banSeconds": 432000, "nftSetIPv4": "Inet4 sshd_ban", "nftSetIPv6": "Inet6 sshd_ban" }
}
],
"Warn of SpamAssassin update failures": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "spamassassin-update.service" }
},
{
"filter": "filter_equals",
"args": { "field": "MESSAGE", "value": "channel: could not find working mirror, channel failed" },
"else": "… NOOP if PRIORITY 4+"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "SpamAssassin update failed" }
}
],
"Warn of systemd-nspawn failures": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "systemd-nspawn@seuil3.service" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^(?:\\[FAILED\\] )?Failed to" },
"else": "… NOOP if PRIORITY 4+"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "seuil3: {MESSAGE}" }
}
],
"Warn of local authentication errors": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "nslcd.service" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\[[^]]+\\] <([^>]+)> .*Can't contact LDAP server: (.*)$", "save": [ "nslcdClient", "nslcdError" ] },
"else": "… NOOP if PRIORITY 3+"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "nslcd: {nslcdError} for {nslcdClient}@{_HOSTNAME}" }
}
],
"Discard useless nfs-mountd entries": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "nfs-mountd.service" },
"then": "… NOOP if PRIORITY 5+"
}
],
"Notify of certificate renewals": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "dehydrated.service" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^ (?:\\+Requesting |rewrite )" },
"else": "… Warn of dehydrated errors"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "ACME: {MESSAGE}" }
}
],
"… Warn of dehydrated errors": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "ERROR|WARNING|FAILURE" },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "ACME: {MESSAGE}" }
}
],
"Warn of core dumps": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "of user (.*) dumped core\\.$", "save": [ "thatUser" ] },
"else": "… Discard other coredump entries"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "Core dump for {thatUser}@{_HOSTNAME}" }
}
],
"… Discard other coredump entries": [
{
"filter": "filter_pcre",
"args": { "field": "_SYSTEMD_UNIT", "re": "^systemd-coredump@" },
"then": "… NOOP"
}
],
"Discard ddclient debug entries": [
{
"filter": "filter_pcre",
"args": { "field": "_SYSTEMD_UNIT", "re": "^ddclient@" },
"then": "… NOOP if PRIORITY 6+"
}
],
"Notify of important PHP debug messages": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "php-fpm.service" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\[[A-Z](?!OTICE)(?!EBUG)" },
"else": "… Notify of PHP error messages"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "PHP: {MESSAGE}" }
}
],
"… Notify of PHP error messages": [
{
"filter": "filter_lowerOrEquals",
"args": { "field": "PRIORITY", "value": 3 },
"else": "… NOOP"
},
{
"action": "action_dailyReport",
"args": { "level": "WARN", "message": "PHP: {MESSAGE}" }
}
],
"Notify of bad torrents": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "transmission.service" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^\\[.{23}\\] (.*[^:]) (?:Scrape error: )?Could not connect to tracker", "save": [ "torrentName" ] },
"else": "… Warn of Transmission errors"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Transmission could not connect to tracker for {torrentName}" }
}
],
"… Warn of Transmission errors": [
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"(?P<errMsg>All nameservers have failed) \\([^():]+:[0-9]+\\)$",
"(?P<errMsg>No such file or directory) \\([^():]+:[0-9]+\\)$",
"(?P<errMsg>Too many open files) \\([^():]+:[0-9]+\\)$",
"(?P<errMsg>Permission denied) \\([^():]+:[0-9]+\\)$"
] },
"else": "… Filter-out uninteresting Transmission events"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Transmission error: {errMsg}" }
}
],
"… Filter-out uninteresting Transmission events": [
{
"filter": "filter_pcreAny",
"args": { "field": "MESSAGE", "re": [
"^\\[.{23}\\] (?:Bound socket|Cache Maximum cache size set to|RPC Server (?:Adding|Serving|Started|Stopped)|DHT (?:Bootstrapping|Finished bootstrapping|DHT initialized|Initializing|Reusing|Done uninitializing DHT|Saving|Not saving nodes|Uninitializing)|Port Forwarding Stopped|Saved \"|Using settings from|Watching \"|Searching for web interface file \"|Deleting input \\.torrent file|Parsing \\.torrent file successful|watchdir Callback decided to accept|Changed open file limit|(?:SO_RCVBUF|SO_SNDBUF) size is|Closing libevent|Loaded [0-9]+ torrent|watchdir Callback decided|Nameserver |Preallocated file \"|UDP Couldn't parse UDP tracker packet)",
"(?:Queued for verification|bytes per second\\)|[vV]erifying torrent\\.*|Announcing to tracker|Retrying (?:announce|scrape) in [0-9]+ seconds\\.|seconds from now\\.|Got [0-9]+ peers from tracker|checking just-completed piece [0-9]+|Starting IPv4 DHT announce \\([^)]+\\)|IPv4 peers from DHT|Pausing|Removing torrent|started|peers from resume file|\\.resume\"|files marked for download|Requested download is not authorized for use with this tracker\\.|Connection failed|\\(No Response\\)|(?:State changed from|moving) \"[^\"]+\" to \"[^\"]+\"|DHT announce done|failed its checksum test|403 \\(Forbidden\\)|404 \\(Not Found\\)|Tracker did not respond) \\([^():]+:[0-9]+\\)$"
] },
"then": "… NOOP"
}
],
"Notify of identified SPAM messages": [
{
"filter": "filter_equals",
"args": { "field": "_SYSTEMD_UNIT", "value": "spamassassin.service" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^spamd: identified spam" },
"else": "… NOOP if PRIORITY 4+"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Spam identified" }
}
],
"Notify of getty user logins": [
{
"filter": "filter_pcre",
"args": { "field": "_SYSTEMD_UNIT", "re": "^getty@" }
},
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "session opened for user (.*) by LOGIN\\(uid=0\\)$", "save": [ "thatUser" ] },
"else": "… Immediate warning for getty failures"
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Login as {thatUser}@{_HOSTNAME} by login:session" }
}
],
"… Immediate warning for getty failures": [
{
"filter": "filter_pcre",
"args": { "field": "MESSAGE", "re": "^FAILED LOGIN " },
"else": "… NOOP if PRIORITY 5+"
},
{
"action": "action_email",
"args": { "subject": "Failed getty login", "message": "Failed getty login on {_HOSTNAME} on {__REALTIME_TIMESTAMP}:\n{MESSAGE}" }
},
{
"action": "action_dailyReport",
"args": { "level": "INFO", "message": "Failed getty login on {_HOSTNAME}" }
}
],
"… NOOP if PRIORITY 3+": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 3 },
"then": "… NOOP"
}
],
"… NOOP if PRIORITY 4+": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 4 },
"then": "… NOOP"
}
],
"… NOOP if PRIORITY 5+": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 5 },
"then": "… NOOP"
}
],
"… NOOP if PRIORITY 6+": [
{
"filter": "filter_greaterOrEquals",
"args": { "field": "PRIORITY", "value": 6 },
"then": "… NOOP"
}
],
"… NOOP": [
{
"action": "action_noop"
}
],
"all_filters_failed": [
{
"action": "action_dailyReport",
"args": { "level": "OTHER", "message": "[{PRIORITY}/{SYSLOG_IDENTIFIER}] {_UID}:{_GID}@{_HOSTNAME}:{_CMDLINE} ({_SYSTEMD_UNIT})\n {MESSAGE}" }
}
]
},
"email": {
"from": "pyruse@example.org",
"to": [
"hostmaster@example.org"
],
"subject": "Pyruse Daily Report",
"sendmail": [ "/usr/bin/sendmail", "-t" ]
},
"nftBan": {
"nft": [ "/usr/bin/nft" ]
},
"8bit-message-encoding": "iso-8859-15",
"storage": "/var/lib/pyruse",
"debug": false
}