etc/syslog.conf.dist
author Tero Marttila <terom@paivola.fi>
Sat, 12 Jan 2013 19:00:48 +0200
changeset 97 cc559fb45cb2
parent 91 etc/syslog.conf@171bd0432056
child 103 34a13d0db4a0
permissions -rw-r--r--
rename etc/syslog.conf -> syslog.conf.dist, to not clobber the real .conf
# Global delivery target for every formatted line below -- presumably an IRC
# sink of the form irc://<nick>@<server>/<channel>; verify against the loader.
# The .dist suffix marks this file as a template: site-specific values (and
# anything secret) belong in the real syslog.conf, not here.
irk     = irc://syslog@irc-test/test

# TODO: implement meta-attrs across the rule tree to classify hosts?
#[tag]
#    [[puppetmaster]]
#        host    = guru
#
#    [[auth-high]]
#        host    = guru

# auth on normal hosts
[auth]
    # syslog facility selector; the trailing * presumably globs over auth and
    # authpriv -- TODO confirm against the matcher
    facility    = auth*

    # sudo invocations: split the standard sudo log line into named fields.
    # Shape the regex below encodes:
    #   <login> : TTY=<tty> ; PWD=<pwd> ; USER=<user> ; [ENV=<env> ; ]COMMAND=<command>
    # NOTE(review): if this file is read by configobj, an unquoted value that
    # contains a comma is split into a list -- none of the regexes here do,
    # but a quantifier such as {2,3} would need quoting.
    [[sudo]]
    program     = sudo
    pattern     = (?P<login>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; USER=(?P<user>\S+) ; (?:ENV=(?P<env>.+?) ; )?COMMAND=(?P<command>.*)
    # str.format template. {host} is not a group of the pattern, so it is
    # presumably filled in by the matcher from the syslog header -- verify.
    # {command!r} renders the command as a Python repr, so embedded newlines
    # or control characters are escaped instead of being forwarded raw.
    format      = {login}:{tty} - {user}@{host}:{pwd} - {command!r}
    
    # ignore puppet readshadow on puppetmasters
    # Sub-rule of [[sudo]]: all three field keys below must match. The empty
    # format (only an inline "# ignore" comment) presumably means "drop the
    # line", so these shadow reads are never forwarded. Keep the selectors
    # tight: the command regex is unanchored, so unless the matcher anchors
    # it, any longer command beginning with /usr/bin/getent shadow <word>
    # is silently dropped as well.
    [[[puppet_readshadow]]]
    login       = puppet
    user        = root
    command     = /usr/bin/getent shadow \w+
    format      = # ignore

    # Sub-rule of [[sudo]]: when the optional ENV= field was present, include
    # it in the output ahead of the command.
    [[[env]]]
    env         = .+
    format      = {login}:{tty} - {user}@{host}:{pwd} - {env}{command!r}

    # Fallback for sudo lines the [[sudo]] pattern did not parse: forward the
    # raw message. Presumably first-match order, so this must stay after
    # [[sudo]] -- verify.
    [[sudo-unknown]]
    program     = sudo
    format      = {host} {msg}
    
# auth on high-sec hosts
[auth-high]
    # .+ matches every host name, so despite the comment above this section
    # currently applies to all hosts; per-host classification is the
    # meta-attrs TODO at the top of the file.
    host        = .+
    facility    = auth*
    
    # TODO: pubkey, failures?
    # Successful sshd logins only: sshd's "Accepted <method> for <user> from
    # <ip> port <port> <proto>" line. The format drops port/proto. Failed
    # attempts and other sshd lines presumably fall through to [[all]] below.
    [[ssh]]
    program     = sshd
    pattern     = Accepted (?P<auth>.+?) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\S+) (?P<proto>\S+)
    format      = SSH {auth} login for {user}@{host} from {ip}

    # Drops every auth-facility line from cron: no pattern, so the program
    # name alone selects, and the empty format presumably means "ignore".
    # Nothing cron logs on this facility reaches the sink.
    [[cron]]
    program     = cron
    format      = # ignore

    # Drops root's su to nobody in both forms su logs it:
    # "Successful su for nobody by root" and "+ ??? root:nobody".
    [[su_nobody]]
    program     = su
    pattern     = Successful su for nobody by root|\+ \?\?\? root:nobody
    format      = # ignore

    # Catch-all: forward the raw message for everything not matched above
    # (presumably first-match order, so keep this last -- verify).
    [[all]]
    format      = {host} {msg}

# user
[user]
    # plain user facility, no glob
    facility    = user

    # forward lines from program puppet verbatim; other user-facility lines
    # have no rule here and are presumably not forwarded -- verify
    [[puppet]]
    program     = puppet
    format      = {host} {msg}