Lightweight replacement to both epylog and fail2ban.
Strykar 8c43300b45 Double quote to prevent globbing
https://www.shellcheck.net/wiki/SC2086

Signed-off-by: Strykar <strykar@masked.invalid>
2022-10-21 05:25:40 +02:00
doc ipset support; fixes #1 2018-03-17 17:46:22 +01:00
extra Double quote to prevent globbing 2022-10-21 05:25:40 +02:00
pyruse ipset support; fixes #1 2018-03-17 17:46:22 +01:00
tests ipset support; fixes #1 2018-03-17 17:46:22 +01:00
.gitignore optionally store names taken from the configuration file to ease debugging 2018-01-31 12:58:26 +01:00
Changelog.md ipset support; fixes #1 2018-03-17 17:46:22 +01:00
LICENSE init 2017-12-15 19:41:31 +01:00
README.md ipset support; fixes #1 2018-03-17 17:46:22 +01:00
TODO.md daily report: see all, none, first, last, or first+last times 2018-02-23 20:24:11 +01:00

README.md

Python peruser of systemd-journal

Summary

This program is intended to be used as a lightweight replacement for both epylog and fail2ban. Its purpose is to peruse the system log entries, warn of important situations, report daily on the latest events, and act on specific patterns (IP address bans…).

The benefits of Pyruse over products of the same kind are:

  • Optimization brought by systemd
    systemd-journal entries play an important role in Pyruse: instead of matching log entries against message patterns only, the whole range of systemd's journal fields is available. This allows for much faster integer comparisons (PRIORITY, _UID…), or even faster comparisons with short strings like the SYSLOG_IDENTIFIER, _SYSTEMD_UNIT, or _HOSTNAME, with the opportunity to test more often for equality, and less for regular expressions.

  • Optimization brought by context
    Programs that peruse the system logs usually apply a set of rules on each log entry, rule after rule, regardless of what can be deduced by the already-applied rules.
    In contrast, each fact learnt by applying a rule in Pyruse can be taken into account so that rules that do not apply are not even considered.
    For example, after matching the SYSLOG_IDENTIFIER of a journal entry to the value sshd, only SSH-related rules are applied, not Nginx-related rules, nor Prosody-related rules.

  • Modularity
    Each filter (i.e. a matching step) or action (e.g. a ban, an email, etc.) is a Python module with a very simple API. As soon as a new need arises, a module can be written for it.
    For example, to my knowledge, there is no equivalent in any tool of the same scale, for the DNAT-correcting actions now included with Pyruse.

Get Pyruse

Pyruse is packaged for Archlinux. For other distributions, please read the manual installation instructions.

Whenever you upgrade Pyruse, make sure to check the Changelog.

Configuration

The /etc/pyruse directory is where system-specific files are looked for:

Instead of using /etc/pyruse, an alternate directory may be specified with the PYRUSE_EXTRA environment variable.

Documentation

For more in-depth documentation, please refer to these pages: