mirrors/aports
1
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2026-01-06 01:02:26 +01:00
Code Issues Packages Projects Releases Wiki Activity
aports/main/swatch/swatchrc
Mika Havela 4a5c67baf5 testing/swatch: Moved to main 
Confirmed that it works.
2010-11-26 11:59:54 +01:00

104 lines
4.4 KiB
Plaintext
Raw Blame History

###############################################################################
### Swatch example config
#
# The configuration file is used by the swatch(8) program to determine what
# types of expression patterns to look for and what type of action(s) should be
# taken when a pattern is matched.
# Each line should contain a keyword and a, sometimes optional, value for that
# keyword. The keyword and value are separated by a space or an equal (=) sign.
#
# watchfor regex
# ignore regex
#
# echo [modes]
# Echo the matched line. The text mode may be normal, bold, underscore,
# blink, inverse, black, red, green, yellow, blue, magenta, cyan, white,
# black_h, red_h, green_h, yellow_h, blue_h, magenta_h, cyan_h,
# and/or white_h. The _h colors specify a highlighting color. The other
# colors are assigned to the letters. Some modes may not work on some
# terminals. Normal is the default.
# bell [N]
# Echo the matched line, and send a bell N times (default = 1).
# exec command
# Execute command. The command may contain variables which are substituted
# with fields from the matched line. A $N will be replaced by the Nth field
# in the line. A $0 or $* will be replaced by the entire line.
# mail [addresses=address:address:...][,subject=your_text_here]
# Send mail to address(es) containing the matched lines as they appear
# (default address is the user who is running the program).
# pipe command[,keep_open]
# Pipe matched lines into command. Use the keep_open option to force the
# pipe to stay open until a different pipe action is run or until swatch
# exits.
# write [user:user:...]
# Use write(1) to send matched lines to user(s).
# threshold track_by=key, type=<limit|threshold|both, count=number, seconds=number>
# Thresholding can be done for the complete watchfor block and/or for
# individual actions. Add ``threshold=on'' as an option along with the other
# threshold options when thresholding an individual action.
# track_by
# The value of this should be something that is unique to the
# watchfor regular expression. Tip: enclose unique parts of the
# regular expression in parentheses, then use the sub matches as
# part of the value (e.g. track_by=``$2:$4'').
# type
# There are three types of thresholding. They are as follows:
# limit
# Perform action(s) for the first "count`` matches during
# the time interval specified by ''seconds", then ignore
# events for the rest of the time interval (kind of like
# throttle)
# threshold
# Perform action(s) on each match for up to count matches
# during the time interval specified by seconds
# both
# Perform actions(s) once per time interval after "count``
# matches occur, then ignore additional matches during the
# time interval specified by ''seconds"
# continue
# Use this action to cause swatch to continue to try to match other
# pattern/action groups after it is done with the current pattern/action
# block.
# quit
# Use this action to cause swatch to clean up and quit immediately.
###############################################################################
## Successful SSH Login Attempts
watchfor /sshd.*(: [aA]ccepted)(.*)( from )(.*)( port .*)$/
threshold track_by=$4,type=limit,count=1,seconds=60
echo bold green
#mail='receiver@foo.bar',SUBJECT=sshd: Accepted connection,MAILER=sendmail -t -S smtp.foo.bar -f sender\@foo.bar
## Invalid SSH Login Attempts
watchfor /sshd.*(: [iI]nvalid [uU]ser )(.*)( from )(.*)$/
threshold track_by=$4,type=both,count=3,seconds=60
echo bold red
## Failed SSH Login Attempts
watchfor /sshd.*(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$/
threshold track_by=$4,type=both,count=3,seconds=60
echo bold red
## Failed SSH Login Attempts
watchfor /([aA]uthentication [fF]ailure for [iI]llegal [uU]ser )(.*)( from )(.*)$/
threshold track_by=$4,type=both,count)3,seconds=60
echo bold red
## Invalid sudo commands
watchfor /sudo:.*[Cc]ommand not allowed/
echo bold red
## File system full
watchfor /file system full/
echo bold blue
## System crashes and halts
watchfor /(panic|halt)/
echo bold red
## File system errors
watchfor /[Mm]edia [Ee]rror/
echo bold yellow
Reference in New Issue View Git Blame Copy Permalink