# Syslog-to-IRC relay rules: nested sections [facility] / [[program]] / [[[refinement]]].
# Keys other than `format` act as matchers (facility, host, program, login, user, command,
# env, pattern); `format` is the template for the relayed message, filled from the named
# groups of `pattern` — the `{command!r}` syntax looks like Python str.format (confirm).
# NOTE(review): the [[...]] nesting and `format = # ignore` suggest a ConfigObj-style
# reader that strips inline `#` comments, making the ignore templates empty strings;
# on a parser without inline comments the value would be the literal text "# ignore".
# NOTE(review): irc:// is a plaintext transport, and the templates below carry sudo
# command lines, usernames and source IPs — confirm whether the consumer supports a
# TLS scheme before treating this channel as acceptable for auth data.
irk = irc://syslog@irc-test/test
# TODO: implement meta-attrs across the rule tree to classify hosts?
#[tag]
# [[puppetmaster]]
# host = guru
#
# [[auth-high]]
# host = guru
# auth on normal hosts
[auth]
facility = auth*
# sudo lines are split into login/tty/pwd/user/env/command named groups
[[sudo]]
program = sudo
pattern = (?P<login>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; USER=(?P<user>\S+) ; (?:ENV=(?P<env>.+?) ; )?COMMAND=(?P<command>.*)
format = {login}:{tty} - {user}@{host}:{pwd} - {command!r}
# ignore puppet readshadow on puppetmasters
# NOTE(review): this is a suppression rule with no host matcher, so it appears to apply
# on every host that reaches [auth], not only puppetmasters (the [tag] TODO above seems
# to be what would scope it). The command regex is also unanchored; whether a longer
# command that merely contains this text is suppressed depends on the matcher
# (match vs. search) — verify, since an over-broad suppression hides activity.
[[[puppet_readshadow]]]
login = puppet
user = root
command = /usr/bin/getent shadow \w+
format = # ignore
# sudo invoked with ENV= present: the environment assignment is included in the report
[[[env]]]
env = .+
format = {login}:{tty} - {user}@{host}:{pwd} - {env}{command!r}
# sudo lines not captured by [[sudo]] (presumably a fall-through; evaluation order is
# decided by the reader, not visible here) are relayed raw
[[sudo-unknown]]
program = sudo
format = {host} {msg}
# auth on high-sec hosts
# NOTE(review): host = .+ matches every host, so this section is not actually limited
# to high-sec hosts yet; it also shares `facility = auth*` with [auth] above.
[auth-high]
host = .+
facility = auth*
# TODO: pubkey, failures?
# successful sshd logins: auth method, user, source address
[[ssh]]
program = sshd
pattern = Accepted (?P<auth>.+?) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\S+) (?P<proto>\S+)
format = SSH {auth} login for {user}@{host} from {ip}
# cron session records are dropped
[[cron]]
program = cron
format = # ignore
# su to nobody by root, in either of its two log shapes, is dropped
[[su_nobody]]
program = su
pattern = Successful su for nobody by root|\+ \?\?\? root:nobody
format = # ignore
# catch-all for the remaining auth-high traffic: relayed raw
[[all]]
format = {host} {msg}
# user
[user]
facility = user
# puppet agent output on the user facility is relayed raw
[[puppet]]
program = puppet
format = {host} {msg}