terom@103: #irk     = irc://syslog@irc-test/test
terom@48: 
terom@76: # TODO: implements meta-attrs across rule tree to classify hosts?
terom@76: #[tag]
terom@76: #    [[puppetmaster]]
terom@76: #        host    = guru
terom@76: #
terom@76: #    [[auth-high]]
terom@76: #        host    = guru
terom@48: 
terom@76: # auth on normal hosts
terom@76: [auth]
terom@91:     facility    = auth*
terom@48: 
terom@103:     [[pam]]
terom@103:     pattern     = (?P<pam>pam_\w+)\((?P<pam_service>.+?):(?P<pam_type>.+?)\): (?P<msg>.+)
terom@103:     
terom@103:     # at least debian wheezy's pam_unix syslogs session open/close at LOG_INFO
terom@103:     [[[pam-sudo]]]
terom@103:     pam_service = sudo
terom@103:     severity    = info
terom@103:     format      = # ignore
terom@103: 
terom@76:     [[sudo]]
terom@76:     program     = sudo
terom@76:     pattern     = (?P<login>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; USER=(?P<user>\S+) ; (?:ENV=(?P<env>.+?) ; )?COMMAND=(?P<command>.*)
terom@76:     format      = {login}:{tty} - {user}@{host}:{pwd} - {command!r}
terom@76:     
terom@76:     # ignore puppet readshadow on puppetmasters
terom@76:     [[[puppet_readshadow]]]
terom@76:     login       = puppet
terom@76:     user        = root
terom@76:     command     = /usr/bin/getent shadow \w+
terom@76:     format      = # ignore
terom@66: 
terom@76:     [[[env]]]
terom@76:     env         = .+
terom@76:     format      = {login}:{tty} - {user}@{host}:{pwd} - {env}{command!r}
terom@66: 
terom@76:     [[sudo-unknown]]
terom@76:     program     = sudo
terom@76:     format      = {host} {msg}
terom@76:     
terom@76: # auth on high-sec hosts
terom@78: [auth-high]
terom@78:     host        = .+
terom@91:     facility    = auth*
terom@76:     
terom@76:     # TODO: pubkey, failures?
terom@76:     [[ssh]]
terom@76:     program     = sshd
terom@85:     pattern     = Accepted (?P<auth>.+?) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\S+) (?P<proto>\S+)
terom@85:     format      = SSH {auth} login for {user}@{host} from {ip}
terom@76: 
terom@76:     [[cron]]
terom@76:     program     = cron
terom@76:     format      = # ignore
terom@76: 
terom@76:     [[su_nobody]]
terom@76:     program     = su
terom@76:     pattern     = Successful su for nobody by root|\+ \?\?\? root:nobody
terom@76:     format      = # ignore
terom@76: 
terom@76:     [[all]]
terom@76:     format      = {host} {msg}
terom@76: 
terom@76: # user
terom@76: [user]
terom@76:     facility    = user
terom@76: 
terom@76:     [[puppet]]
terom@76:     program     = puppet
terom@76:     format      = {host} {msg}
terom@76: