path: root/main/swatch/swatchrc
diff options
Diffstat (limited to 'main/swatch/swatchrc')
1 files changed, 103 insertions, 0 deletions
diff --git a/main/swatch/swatchrc b/main/swatch/swatchrc
new file mode 100644
index 000000000..3ea2615a9
--- /dev/null
+++ b/main/swatch/swatchrc
@@ -0,0 +1,103 @@
+### Swatch example config
+# The configuration file is used by the swatch(8) program to determine what
+# types of expression patterns to look for and what type of action(s) should be
+# taken when a pattern is matched.
+# Each line should contain a keyword and a, sometimes optional, value for that
+# keyword. The keyword and value are separated by a space or an equal (=) sign.
+# watchfor regex
+# ignore regex
+# echo [modes]
+# Echo the matched line. The text mode may be normal, bold, underscore,
+# blink, inverse, black, red, green, yellow, blue, magenta, cyan, white,
+# black_h, red_h, green_h, yellow_h, blue_h, magenta_h, cyan_h,
+# and/or white_h. The _h colors specify a highlighting color. The other
+# colors are assigned to the letters. Some modes may not work on some
+# terminals. Normal is the default.
+# bell [N]
+# Echo the matched line, and send a bell N times (default = 1).
+# exec command
+# Execute command. The command may contain variables which are substituted
+# with fields from the matched line. A $N will be replaced by the Nth field
+# in the line. A $0 or $* will be replaced by the entire line.
+# mail [addresses=address:address:...][,subject=your_text_here]
+# Send mail to address(es) containing the matched lines as they appear
+# (default address is the user who is running the program).
+# pipe command[,keep_open]
+# Pipe matched lines into command. Use the keep_open option to force the
+# pipe to stay open until a different pipe action is run or until swatch
+# exits.
+# write [user:user:...]
+# Use write(1) to send matched lines to user(s).
+# threshold track_by=key, type=<limit|threshold|both, count=number, seconds=number>
+# Thresholding can be done for the complete watchfor block and/or for
+# individual actions. Add ``threshold=on'' as an option along with the other
+# threshold options when thresholding an individual action.
+# track_by
+# The value of this should be something that is unique to the
+# watchfor regular expression. Tip: enclose unique parts of the
+# regular expression in parentheses, then use the sub matches as
+# part of the value (e.g. track_by=``$2:$4'').
+# type
+# There are three types of thresholding. They are as follows:
+# limit
+# Perform action(s) for the first "count`` matches during
+# the time interval specified by ''seconds", then ignore
+# events for the rest of the time interval (kind of like
+# throttle)
+# threshold
+# Perform action(s) on each match for up to count matches
+# during the time interval specified by seconds
+# both
+# Perform actions(s) once per time interval after "count``
+# matches occur, then ignore additional matches during the
+# time interval specified by ''seconds"
+# continue
+# Use this action to cause swatch to continue to try to match other
+# pattern/action groups after it is done with the current pattern/action
+# block.
+# quit
+# Use this action to cause swatch to clean up and quit immediately.
+## Successful SSH Login Attempts
+watchfor /sshd.*(: [aA]ccepted)(.*)( from )(.*)( port .*)$/
+ threshold track_by=$4,type=limit,count=1,seconds=60
+ echo bold green
+ #mail='',SUBJECT=sshd: Accepted connection,MAILER=sendmail -t -S -f sender\
+## Invalid SSH Login Attempts
+watchfor /sshd.*(: [iI]nvalid [uU]ser )(.*)( from )(.*)$/
+ threshold track_by=$4,type=both,count=3,seconds=60
+ echo bold red
+## Failed SSH Login Attempts
+watchfor /sshd.*(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$/
+ threshold track_by=$4,type=both,count=3,seconds=60
+ echo bold red
+## Failed SSH Login Attempts
+watchfor /([aA]uthentication [fF]ailure for [iI]llegal [uU]ser )(.*)( from )(.*)$/
+ threshold track_by=$4,type=both,count)3,seconds=60
+ echo bold red
+## Invalid sudo commands
+watchfor /sudo:.*[Cc]ommand not allowed/
+ echo bold red
+## File system full
+watchfor /file system full/
+ echo bold blue
+## System crashes and halts
+watchfor /(panic|halt)/
+ echo bold red
+## File system errors
+watchfor /[Mm]edia [Ee]rror/
+ echo bold yellow