| author | Tero Marttila <terom@paivola.fi> |
| Sun, 10 Feb 2013 16:52:51 +0200 | |
| changeset 209 | cf883e2e1bff |
| parent 103 | 34a13d0db4a0 |
| permissions | -rw-r--r-- |
#irk = irc://syslog@irc-test/test |
# TODO: implement meta-attrs across the rule tree to classify hosts? |
#[tag] |
# [[puppetmaster]] |
# host = guru |
# |
# [[auth-high]] |
# host = guru |
# auth on normal hosts |
[auth] |
facility = auth* |
[[pam]] |
pattern = (?P<pam>pam_\w+)\((?P<pam_service>.+?):(?P<pam_type>.+?)\): (?P<msg>.+) |
# at least Debian wheezy's pam_unix logs session open/close to syslog at LOG_INFO |
[[[pam-sudo]]] |
pam_service = sudo |
severity = info |
format = # ignore |
[[sudo]] |
program = sudo |
pattern = (?P<login>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; USER=(?P<user>\S+) ; (?:ENV=(?P<env>.+?) ; )?COMMAND=(?P<command>.*) |
format = {login}:{tty} - {user}@{host}:{pwd} - {command!r}
# ignore puppet readshadow on puppetmasters |
[[[puppet_readshadow]]] |
login = puppet |
user = root |
command = /usr/bin/getent shadow \w+ |
format = # ignore |
[[[env]]] |
env = .+ |
format = {login}:{tty} - {user}@{host}:{pwd} - {env}{command!r}
[[sudo-unknown]] |
program = sudo |
format = {host} {msg}
# auth on high-sec hosts |
[auth-high] |
host = .+ |
facility = auth* |
# TODO: pubkey, failures? |
[[ssh]] |
program = sshd |
pattern = Accepted (?P<auth>.+?) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\S+) (?P<proto>\S+) |
format = SSH {auth} login for {user}@{host} from {ip}
[[cron]] |
program = cron |
format = # ignore |
[[su_nobody]] |
program = su |
pattern = Successful su for nobody by root|\+ \?\?\? root:nobody |
format = # ignore |
[[all]] |
format = {host} {msg}
# user |
[user] |
facility = user |
[[puppet]] |
program = puppet |
format = {host} {msg}