1 irk = irc://syslog@irc-test/test |
2 |
3 # TODO: implements meta-attrs across rule tree to classify hosts? |
4 #[tag] |
5 # [[puppetmaster]] |
6 # host = guru |
7 # |
8 # [[auth-high]] |
9 # host = guru |
10 |
11 # auth on normal hosts |
12 [auth] |
13 facility = auth* |
14 |
15 [[sudo]] |
16 program = sudo |
17 pattern = (?P<login>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; USER=(?P<user>\S+) ; (?:ENV=(?P<env>.+?) ; )?COMMAND=(?P<command>.*) |
18 format = {login}:{tty} - {user}@{host}:{pwd} - {command!r} |
19 |
20 # ignore puppet readshadow on puppetmasters |
21 [[[puppet_readshadow]]] |
22 login = puppet |
23 user = root |
24 command = /usr/bin/getent shadow \w+ |
25 format = # ignore |
26 |
27 [[[env]]] |
28 env = .+ |
29 format = {login}:{tty} - {user}@{host}:{pwd} - {env}{command!r} |
30 |
31 [[sudo-unknown]] |
32 program = sudo |
33 format = {host} {msg} |
34 |
35 # auth on high-sec hosts |
36 [auth-high] |
37 host = .+ |
38 facility = auth* |
39 |
40 # TODO: pubkey, failures? |
41 [[ssh]] |
42 program = sshd |
43 pattern = Accepted (?P<auth>.+?) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\S+) (?P<proto>\S+) |
44 format = SSH {auth} login for {user}@{host} from {ip} |
45 |
46 [[cron]] |
47 program = cron |
48 format = # ignore |
49 |
50 [[su_nobody]] |
51 program = su |
52 pattern = Successful su for nobody by root|\+ \?\?\? root:nobody |
53 format = # ignore |
54 |
55 [[all]] |
56 format = {host} {msg} |
57 |
58 # user |
59 [user] |
60 facility = user |
61 |
62 [[puppet]] |
63 program = puppet |
64 format = {host} {msg} |
65 |
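Review bot: The `command` regex in `[[[puppet_readshadow]]]` (gutter lines 21–25) is unanchored, so if the application applies these patterns with `re.search`/`re.match` rather than `fullmatch`, any longer sudo command that merely begins with `/usr/bin/getent shadow <word>` would also be silenced under the puppet/root exemption; anchoring it, `command = ^/usr/bin/getent shadow \w+$`, keeps the ignore rule as narrow as its comment describes. In `[auth-high]` (gutter 36–38) `host = .+` matches every host, so the section commented as "auth on high-sec hosts" currently applies universally; a line above it such as `# placeholder: host = .+ until the meta-attrs TODO above can restrict this to high-sec hosts` would record that this is deliberate rather than a misconfiguration. The three `format = # ignore` lines (gutter 25, 48, 53) rely on `#` opening an inline comment — under ConfigObj-style syntax, which the nested `[[...]]` headers suggest, the stored value is then the empty string — so the contract is worth stating once near the top of the file: `# an empty format (text after # is a comment) suppresses the message`.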