Signed-off-by: David Sommerseth <davids@redhat.com>
By setting the ipset-save Reporter option to point at a file name,
the state will be automatically loaded upon start and saved before
LogActio stops running.
Signed-off-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
This is needed to avoid LogActio believing an IP address has been registered
but has been removed from ipset - either manually or by a timeout.
Signed-off-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
Without this patch the "count" variable would be off by one when
passing it to the reporter modules.
Signed-off-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
This currently requires logactio to run as root. On matches, instead
of reporting the match it will use the IP address extracted via the regex
and add it to an ipset(8) set (hash:ip). This set can then be used
in other iptables rules to e.g. block failing attempts.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This can be set to either 'rule' or 'exact'. If not defined,
it defaults to 'rule' which is exactly the same as before.
In 'rule' mode, the threshold counter is increased each time
the regular expression triggers a match.
By switching to 'exact', a threshold counter will be defined
based on the contents of the regex groups when a match is found.
This gives a more fine grained threshold counter, which can be
used for example for blocking specific IP addresses after a
certain number of failed attempts is caught.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
If logrotate has been run in between since the last time the log file
was checked, the opened fd will not point at the new file. In this
case reopen the log file and process all new events in this new file.
Signed-off-by: David Sommerseth <davids@redhat.com>
This variable takes a comma separated list of rule names, for the
same log file, which will reset any active processing
limitations. This can make one rule force another rule to
become active again if 'rate-limit' or 'time-frame' limitations
for that rule are stopping it from reacting.
A useful scenario for this feature is if there is a rule which only
reports about connection issues e.g. only once an hour. If the
connection comes back again, another rule can report about this
instantly. Without this feature enabled, it can take up to one
hour before the report about the newly broken connection is sent.
By enabling this feature, the "connection OK" rule can reset the
rate-limit and/or time-frame restrictions on the "broken connection"
rule and thus force a report instantly if the connection breaks
again - regardless of the rate-limit/time-frame limitation.
Signed-off-by: David Sommerseth <davids@redhat.com>
This will avoid sending more reports if it happens within the
given amount of seconds since the last report for this rule.
So if you have this set to 10 seconds and this rule matches
a log line every second, the time between each report will be
10 seconds. The rate-limit is kind of defining 1 report per
X seconds.
Signed-off-by: David Sommerseth <davids@redhat.com>
This optional variable extends the threshold trigger to require
the matching rule to have a hit within the given time-frame.
If threshold is set to 3 and time-frame to 10, it must be
3 events within 10 seconds for this rule to cause an action.
Signed-off-by: David Sommerseth <davids@redhat.com>
This allows alerts to be sent to a Qpid based AMQP broker. A
simple alert consumer has been added as well.
Signed-off-by: David Sommerseth <davids@redhat.com>
This allows multiple reporters to act when it is triggered.
Signed-off-by: David Sommerseth <davids@redhat.com>
Adding a 'reporters' variable in a [Rule:*] section will
override the default reporter defined in [Logfile:*].
Signed-off-by: David Sommerseth <davids@redhat.com>
This reporter module will send e-mails with the gathered information.
Signed-off-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
This will send alerts to a web server via HTTP GET/POST requests.
Signed-off-by: David Sommerseth <davids@redhat.com>
The [Reporter:*] definitions can now take the 'module' variable,
which is the name of the reporter module, located in LogActio/Reporters/.
Signed-off-by: David Sommerseth <davids@redhat.com>
This is the first step of the logactio framework.
Signed-off-by: David Sommerseth <davids@redhat.com>