logsentry: update config files, add "[logsentry]" in subject, and simplify task
This commit is contained in:
parent
73563d6838
commit
4ace413343
|
@ -52,6 +52,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||||
* base: we can chose to deploy or not utils files
|
* base: we can chose to deploy or not utils files
|
||||||
* base: reordering default variable file and deleting unused one
|
* base: reordering default variable file and deleting unused one
|
||||||
* base: use a template for ntp configuration to ease the management of the different cases
|
* base: use a template for ntp configuration to ease the management of the different cases
|
||||||
|
* logsentry: update config files, add "[logsentry]" in subject, and simplify task
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
|
|
|
@ -49,38 +49,44 @@ x-gw.*: exit host
|
||||||
x-gw.*: permit host
|
x-gw.*: permit host
|
||||||
xntpd.*Previous time adjustment didn't complete
|
xntpd.*Previous time adjustment didn't complete
|
||||||
xntpd.*time reset
|
xntpd.*time reset
|
||||||
ansible-command: Invoked
|
ansible-.*: Invoked with
|
||||||
ansible-copy: Invoked
|
|
||||||
ansible-cron: Invoked
|
|
||||||
ansible-file: Invoked
|
|
||||||
ansible-openbsd_pkg: Invoked
|
|
||||||
ansible-setup: Invoked
|
|
||||||
ansible-slurp: Invoked
|
|
||||||
ansible-stat: Invoked
|
|
||||||
ansible-synchronize: Invoked
|
|
||||||
bgpd.*: neighbor .*: sending IPv4 unicast EOR marker
|
bgpd.*: neighbor .*: sending IPv4 unicast EOR marker
|
||||||
bgpd.*: neighbor .*: sending IPv6 unicast EOR marker
|
bgpd.*: neighbor .*: sending IPv6 unicast EOR marker
|
||||||
|
bgpd.*: neighbor .*: received IPv4 unicast EOR marker
|
||||||
|
bgpd.*: neighbor .*: received IPv6 unicast EOR marker
|
||||||
bgpd.*: RDE reconfigured
|
bgpd.*: RDE reconfigured
|
||||||
bgpd.*: RDE soft reconfiguration done
|
bgpd.*: RDE soft reconfiguration done
|
||||||
bgpd.*: rereading config
|
bgpd.*: rereading config
|
||||||
bgpd.*: running softreconfig in
|
bgpd.*: running softreconfig in
|
||||||
bgpd.*: SE reconfigured
|
bgpd.*: SE reconfigured
|
||||||
bgpd.*: softreconfig in done
|
bgpd.*: softreconfig in done
|
||||||
|
collectd.*: parse_value: Failed to parse string as gauge: "Active".
|
||||||
|
collectd.*: parse_value: Failed to parse string as gauge: "Connect".
|
||||||
|
collectd.*: parse_value: Failed to parse string as gauge: "Idle".
|
||||||
doas: _collectd ran command /bin/cat /var/log/daemon as root from /var/collectd
|
doas: _collectd ran command /bin/cat /var/log/daemon as root from /var/collectd
|
||||||
doas: _collectd ran command /usr/sbin/bgpctl sh as root from /var/collectd
|
doas: _collectd ran command /usr/sbin/bgpctl sh as root from /var/collectd
|
||||||
doas: _collectd ran command /usr/sbin/bgpctl show neighbor as root from /var/collectd
|
doas: _collectd ran command /usr/sbin/bgpctl show neighbor as root from /var/collectd
|
||||||
doas: _nrpe ran command /sbin/bioctl sd2 as root from /
|
doas: _nrpe ran command /sbin/bioctl sd2 as root from /
|
||||||
doas: _nrpe ran command /usr/local/libexec/nagios
|
doas: _nrpe ran command /usr/local/libexec/nagios
|
||||||
|
doas: .* ran command su - as root from
|
||||||
doas:.*ran command /usr/share/scripts/evomaintenance.sh as root from
|
doas:.*ran command /usr/share/scripts/evomaintenance.sh as root from
|
||||||
last message repeated .* times
|
last message repeated .* times
|
||||||
mownitoring.py: Alert sent through email
|
mownitoring.py: Alert sent through email
|
||||||
mownitoring.py: Already known state but still a problem for
|
mownitoring.py: Already known state but still a problem for
|
||||||
|
mta server-cert-check result="failure"
|
||||||
newsyslog.*logfile turned over
|
newsyslog.*logfile turned over
|
||||||
nrpe.*: Could not read request from client, bailing out...
|
nrpe.*: Could not read request from client, bailing out...
|
||||||
nrpe.*: Error: Could not complete SSL handshake.
|
nrpe.*: Error: Could not complete SSL handshake.
|
||||||
nrpe.*: INFO: SSL Socket Shutdown.
|
nrpe.*: INFO: SSL Socket Shutdown.
|
||||||
|
nrpe.*: Client request was invalid, bailing out...
|
||||||
|
nrpe.*: Error: Request packet type/version was invalid!
|
||||||
ntpd.*: adjusting clock frequency by
|
ntpd.*: adjusting clock frequency by
|
||||||
|
ntpd.*: peer 31.170.8.123 now invalid
|
||||||
|
ntpd.*: peer 31.170.8.123 now valid
|
||||||
|
ospfd.*recv_packet: authentication error, interface
|
||||||
pkg_add: Added
|
pkg_add: Added
|
||||||
|
pmap_unwire: wiring for pmap .* va .* didn't change!
|
||||||
|
smtpd.*delivery evpid=.* from=<root@.*.evolix.net> to=
|
||||||
smtpd.*mta connected
|
smtpd.*mta connected
|
||||||
smtpd.*mta connecting address=smtp://
|
smtpd.*mta connecting address=smtp://
|
||||||
smtpd.*mta delivery evpid=
|
smtpd.*mta delivery evpid=
|
||||||
|
@ -92,8 +98,16 @@ smtpd.*smtp connected address=local
|
||||||
smtpd.*smtp disconnected reason=quit
|
smtpd.*smtp disconnected reason=quit
|
||||||
smtpd.*smtp envelope evpid=
|
smtpd.*smtp envelope evpid=
|
||||||
smtpd.*smtp message msgid=
|
smtpd.*smtp message msgid=
|
||||||
|
sshd.*Accepted publickey for.*from 31.170.* port
|
||||||
|
sshd.*Accepted publickey for.*from 82.65.34.85 port
|
||||||
sshd.*Connection closed by 127.0.0.1 port
|
sshd.*Connection closed by 127.0.0.1 port
|
||||||
|
sshd.*: Connection closed by authenticating user .* 31.170.* port
|
||||||
|
sshd.*: Connection closed by authenticating user .* 82.65.34.85 port
|
||||||
sshd.*Connection reset by 127.0.0.1 port
|
sshd.*Connection reset by 127.0.0.1 port
|
||||||
|
sshd.*Disconnected from user.*31.170.* port
|
||||||
|
sshd.*Disconnected from user.*82.65.34.85 port
|
||||||
|
sshd.*Received disconnect from 31.170.* port
|
||||||
|
sshd.*Received disconnect from 82.65.34.85 port
|
||||||
sudo:.*: a password is required ; TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
|
sudo:.*: a password is required ; TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
|
||||||
sudo:.*: TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
|
sudo:.*: TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
|
||||||
syslogd.*restart
|
syslogd.*restart
|
||||||
|
|
|
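Review bot: The new pattern `doas: .* ran command su - as root from` silences every doas-mediated root shell for any user, and the new sshd lines (`Accepted publickey`, `Connection closed by authenticating user`, `Disconnected from user`, `Received disconnect`) silence all session events from `31.170.*`, which as an unanchored regex with unescaped dots covers any address beginning with 31.170 rather than one management host. Logsentry exists to surface exactly these root and remote-access events, so consider keeping `su -` reportable for all but named admin accounts and narrowing the sshd patterns to escaped, fully specified addresses, e.g. `sshd.*Accepted publickey for.*from 82\.65\.34\.85 port`. The same hunk also adds `mta server-cert-check result="failure"` to the ignore list, and the logsentry.violations.ignore hunk adds the identical line: a failed outbound TLS certificate check is a signal worth reporting (peer misconfiguration or interception), so if it is noisy it should be scoped to the offending host rather than dropped everywhere.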
@ -149,7 +149,7 @@ rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
|
||||||
if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
|
if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
|
||||||
echo "Log files exist in $TMPDIR directory that cannot be removed. This
|
echo "Log files exist in $TMPDIR directory that cannot be removed. This
|
||||||
may be an attempt to spoof the log checker." \
|
may be an attempt to spoof the log checker." \
|
||||||
| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
|
| $MAIL -s "[logsentry] $HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -272,9 +272,9 @@ fi
|
||||||
# If there are results, mail them to sysadmin
|
# If there are results, mail them to sysadmin
|
||||||
|
|
||||||
if [ "$ATTACK" -eq 1 ]; then
|
if [ "$ATTACK" -eq 1 ]; then
|
||||||
cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
|
cat $TMPDIR/checkreport.$$ | $MAIL -s "[logsentry] $HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
|
||||||
elif [ "$FOUND" -eq 1 ]; then
|
elif [ "$FOUND" -eq 1 ]; then
|
||||||
cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE system check" $SYSADMIN
|
cat $TMPDIR/checkreport.$$ | $MAIL -s "[logsentry] $HOSTNAME $DATE system check" $SYSADMIN
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Clean Up
|
# Clean Up
|
||||||
|
|
|
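Review bot: The `[logsentry]` prefix is now hard-coded in three separate subject strings (the spoof check and both result mails), so a future rename has to be made in three places; define it once near the top of the script, `SUBJECT_PREFIX="[logsentry]"`, and write `$MAIL -s "$SUBJECT_PREFIX $HOSTNAME $DATE system check" "$SYSADMIN"`. While these lines are being touched, quoting `"$SYSADMIN"` would keep a recipient value containing spaces or glob characters from being word-split or expanded. Both hunks sit inside a script whose surrounding logic is outside the view.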
@ -5,5 +5,15 @@ smtpd.*smtp connected address=local
|
||||||
smtpd.*smtp disconnected reason=quit
|
smtpd.*smtp disconnected reason=quit
|
||||||
smtpd.*smtp envelope evpid=
|
smtpd.*smtp envelope evpid=
|
||||||
smtpd.*smtp message msgid=
|
smtpd.*smtp message msgid=
|
||||||
|
smtpd.*mta connecting address=smtp://.* host=
|
||||||
|
smtpd.*mta connected
|
||||||
|
smtpd.*mta tls ciphers=
|
||||||
|
smtpd.*mta server-cert-check result="success"
|
||||||
|
smtpd.*mta delivery evpid=
|
||||||
|
smtpd.*mta disconnected reason=quit messages=
|
||||||
nrpe.*: INFO: SSL Socket Shutdown.
|
nrpe.*: INFO: SSL Socket Shutdown.
|
||||||
collectd.*: exec plugin: Failed to execute
|
collectd.*: exec plugin: Failed to execute
|
||||||
|
collectd.*: parse_value: Failed to parse string as gauge: "Active".
|
||||||
|
collectd.*: parse_value: Failed to parse string as gauge: "Connect".
|
||||||
|
collectd.*: parse_value: Failed to parse string as gauge: "Idle".
|
||||||
|
mta server-cert-check result="failure"
|
||||||
|
|
|
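Review bot: The block added here duplicates entries that the same commit keeps or adds in logsentry.ignore (`smtpd.*mta connected`, `smtpd.*mta delivery evpid=`, the three collectd `parse_value` lines, `nrpe.*: INFO: SSL Socket Shutdown.`), so the two files will drift the next time one of them is edited. Whether a pattern must appear in both files depends on the order in which logsentry applies them, which is not visible here; it is worth confirming and removing the redundant copies from whichever file does not need them.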
@ -17,23 +17,15 @@
|
||||||
tags:
|
tags:
|
||||||
- logsentry
|
- logsentry
|
||||||
|
|
||||||
- name: "Copy logsentry.ignore configuration"
|
- name: "Copy custom logsentry configuration files"
|
||||||
copy:
|
copy:
|
||||||
src: "{{ item }}"
|
src: "{{ item }}"
|
||||||
dest: /etc/logsentry/logsentry.ignore
|
dest: /etc/logsentry/"{{ item}}"
|
||||||
with_first_found:
|
owner: root
|
||||||
- "files/logsentry/logsentry.ignore"
|
group: wheel
|
||||||
|
mode: "0600"
|
||||||
|
with_items:
|
||||||
- "logsentry.ignore"
|
- "logsentry.ignore"
|
||||||
tags:
|
|
||||||
- logsentry
|
|
||||||
- logsentry-config
|
|
||||||
|
|
||||||
- name: "Copy logsentry.violations.ignore configuration"
|
|
||||||
copy:
|
|
||||||
src: "{{ item }}"
|
|
||||||
dest: /etc/logsentry/logsentry.violations.ignore
|
|
||||||
with_first_found:
|
|
||||||
- "files/logsentry/logsentry.violations.ignore"
|
|
||||||
- "logsentry.violations.ignore"
|
- "logsentry.violations.ignore"
|
||||||
tags:
|
tags:
|
||||||
- logsentry
|
- logsentry
|
||||||
|
|
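Review bot: `dest: /etc/logsentry/"{{ item}}"` places the double quotes inside a plain YAML scalar, so after templating the destination is literally `/etc/logsentry/"logsentry.ignore"` with the quotes as part of the file name, leaving whatever ignore files already exist at the unquoted paths untouched and the new patterns in this commit without effect; it should be `dest: "/etc/logsentry/{{ item }}"`. Dropping `with_first_found` also removes the `files/logsentry/...` lookup the old tasks used, so any host- or inventory-specific override kept there is no longer consulted — if that was relied on, the simplification silently changes behaviour. The old task also carried a `logsentry-config` tag that the merged task appears to lose, so `ansible-playbook --tags logsentry-config` would no longer select it. The task list begins above the hunk.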