###############################################################################
### Swatch example config
#
# The configuration file is used by the swatch(8) program to determine what
# types of expression patterns to look for and what type of action(s) should be
# taken when a pattern is matched.
# Each line should contain a keyword and a, sometimes optional, value for that
# keyword. The keyword and value are separated by a space or an equal (=) sign.
#
# watchfor regex
# ignore regex
#
# echo [modes]
#    Echo the matched line. The text mode may be normal, bold, underscore,
#    blink, inverse, black, red, green, yellow, blue, magenta, cyan, white,
#    black_h, red_h, green_h, yellow_h, blue_h, magenta_h, cyan_h,
#    and/or white_h. The _h colors specify a highlighting color. The other
#    colors are assigned to the letters. Some modes may not work on some
#    terminals. Normal is the default.
# bell [N]
#    Echo the matched line, and send a bell N times (default = 1).
# exec command
#    Execute command. The command may contain variables which are substituted
#    with fields from the matched line. A $N will be replaced by the Nth field
#    in the line. A $0 or $* will be replaced by the entire line.
# mail [addresses=address:address:...][,subject=your_text_here]
#    Send mail to address(es) containing the matched lines as they appear
#    (default address is the user who is running the program).
# pipe command[,keep_open]
#    Pipe matched lines into command. Use the keep_open option to force the
#    pipe to stay open until a different pipe action is run or until swatch
#    exits.
# write [user:user:...]
#    Use write(1) to send matched lines to user(s).
# threshold track_by=key,type=<limit|threshold|both>,count=number,seconds=number
#    Thresholding can be done for the complete watchfor block and/or for
#    individual actions. Add ``threshold=on'' as an option along with the other
#    threshold options when thresholding an individual action.
#        track_by
#            The value of this should be something that is unique to the
#            watchfor regular expression. Tip: enclose unique parts of the
#            regular expression in parentheses, then use the sub matches as
#            part of the value (e.g. track_by="$2:$4").
#        type
#            There are three types of thresholding. They are as follows:
#                limit
#                    Perform action(s) for the first "count" matches during
#                    the time interval specified by "seconds", then ignore
#                    events for the rest of the time interval (kind of like
#                    throttle)
#                threshold
#                    Perform action(s) on each match for up to "count" matches
#                    during the time interval specified by "seconds"
#                both
#                    Perform action(s) once per time interval after "count"
#                    matches occur, then ignore additional matches during the
#                    time interval specified by "seconds"
# continue
#    Use this action to cause swatch to continue to try to match other
#    pattern/action groups after it is done with the current pattern/action
#    block.
# quit
#    Use this action to cause swatch to clean up and quit immediately. 
###############################################################################

## Successful SSH login attempts
# Capture groups: $2 is the text between "Accepted" and " from " (typically the
# auth method and user name), $4 is the source host between " from " and " port ".
# type=limit,count=1,seconds=60 keyed on $4 echoes only the FIRST accepted login
# per source host in each 60 s window and drops the rest of that window's
# matches (see "limit" in the header). A second login from the same host within
# the window -- possibly as a different user -- is therefore not shown.
# NOTE(review): if every successful login should be visible, key on user and
# host (e.g. track_by=$2:$4, as the header tip suggests) or raise count.
watchfor        /sshd.*(: [aA]ccepted)(.*)( from )(.*)( port .*)$/
		threshold track_by=$4,type=limit,count=1,seconds=60
		echo bold green
		# Disabled example of a mail action. Its option spelling
		# (mail='...',SUBJECT=...,MAILER=...) differs from the "mail"
		# syntax given in the header (addresses=...,subject=...);
		# check swatch(8) for the installed version before enabling it.
		#mail='receiver@foo.bar',SUBJECT=sshd: Accepted connection,MAILER=sendmail -t -S smtp.foo.bar -f sender\@foo.bar

## Invalid SSH login attempts (unknown user names)
# Capture groups: $2 is the attempted user name, $4 is everything after " from "
# up to end of line; $4 is the threshold key.
# type=both,count=3,seconds=60: nothing is echoed until a key has produced 3
# matches within 60 s, then the line is echoed once per 60 s window while the
# matches continue (see "both" in the header).
# NOTE(review): unlike the "Accepted" and "Failed password" patterns in this
# file, there is no separate " port " group here. If the watched log line ends
# in " port N", that text becomes part of $4 and the key is per-connection
# rather than per-host, which defeats the threshold -- confirm against the
# actual sshd lines and narrow $4 (e.g. "( from )([^ ]+)") if so.
watchfor	/sshd.*(: [iI]nvalid [uU]ser )(.*)( from )(.*)$/
		threshold track_by=$4,type=both,count=3,seconds=60
		echo bold red

## Failed SSH login attempts (wrong password)
# Capture groups: $2 is the text between "Failed password for " and " from "
# (the user name, possibly prefixed by "invalid user"), $4 is the source host
# between " from " and " port ", $6 is the rest of the line after " port ".
# Keyed on $4 with type=both,count=3,seconds=60: silent until a host produces
# 3 failures within 60 s, then one echo per 60 s window while failures continue.
# The user name in $2 is attacker-chosen; it is only echoed here, but keep
# that in mind before adding an "exec" action that interpolates $2.
watchfor	/sshd.*(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$/
		threshold track_by=$4,type=both,count=3,seconds=60
		echo bold red

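## Authentication failures for illegal users
# Presumably the alternate sshd wording for an unknown-user attempt (the
# "Invalid user" pattern above covers the other form) -- confirm against the
# sshd version in use. Capture groups: $2 is the user name, $4 is everything
# after " from " up to end of line and serves as the threshold key.
# type=both,count=3,seconds=60: silent until a key produces 3 matches within
# 60 s, then one echo per 60 s window while the matches continue.
# Fix: the threshold line previously read "count)3", which is not the
# key=value form the header and the sibling stanzas use; it now reads
# "count=3" so the threshold actually applies with the intended count.
watchfor	/([aA]uthentication [fF]ailure for [iI]llegal [uU]ser )(.*)( from )(.*)$/
		threshold track_by=$4,type=both,count=3,seconds=60
		echo bold red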


## Disallowed sudo commands
# Matches lines containing "sudo:" followed (anywhere later on the line) by
# "Command not allowed" or "command not allowed". No threshold is set, so every
# occurrence is echoed; that is usually desirable for privilege-escalation
# attempts, which should be rare.
watchfor        /sudo:.*[Cc]ommand not allowed/
                echo bold red

## File system full
# Literal, case-sensitive match on "file system full"; every occurrence is
# echoed (no threshold). Note that a differently cased or worded message
# (e.g. "filesystem full") would not match this pattern.
watchfor	/file system full/
		echo bold blue

## System crashes and halts
# Unanchored, lower-case-only substring match: any line containing "panic" or
# "halt" fires, including longer words such as "halted"/"halting" and
# user-supplied text that happens to contain those substrings. NOTE(review):
# if that is too noisy, tighten with word boundaries (e.g. /\b(panic|halt)\b/)
# or add a threshold; verify the anchoring syntax against swatch(8).
watchfor	/(panic|halt)/
		echo bold red

## Storage media errors
# Matches "media error" in either capitalization of each word (e.g. "Media
# Error"); every occurrence is echoed, no threshold.
watchfor	/[Mm]edia [Ee]rror/
		echo bold yellow