RubyGems - rec - Versions diffs - 1.0.4 → 1.0.6 - Mend

rec 1.0.4 → 1.0.6

Files changed (6) hide show

data/rulesets/postfix-rules.rb ADDED Viewed

@@ -0,0 +1,41 @@
+# collection rules - pull details out of events sharing an ID
+Rule.new(10040, {
+	:pattern => /\s\w+\spostfix\/pickup\[\d+\]\: (\w+)\: uid=(\d+) from\=\<(\w+)\>/,
+	:details => ["mailid","uid","from"],
+	:message => "Active mail mailid=%mailid$s",
+	:lifespan => 300
+})
+Rule.new(10041, {
+	:pattern => / \w+ postfix\/qmgr\[\d+\]\: (\w+)\: from\=\<(.+?\@.+?)?\>/,
+	:details => ["mailid", "from"],
+	:message => "Active mail mailid=%mailid$s"
+})
+Rule.new(10042, {
+	:pattern => / \w+ postfix\/smtp\[\d+\]\: (\w+)\: to\=\<(.+?\@.+?)\>.+status\=(\w+)/,
+	:details => ["mailid", "to", "status"],
+	:message => "Active mail mailid=%mailid$s",
+	:alert => "Mail from=%from$s to=%to$s status=%status$s mailid=%mailid$s"
+}) { |state|
+	state.generate(:alert)
+	state.release()
+}
+Rule.new(10043, {
+	:pattern => / \w+ postfix\/local\[\d+\]\: (\w+)\: to\=\<(.+?\@.+?)\>.+status\=(\w+)/,
+	:details => ["mailid", "to", "status"],
+	:message => "Active mail mailid=%mailid$s",
+	:alert => "Mail from=local to=%to$s status=%status$s mailid=%mailid$s"
+}) { |state|
+	state.generate(:alert)
+	state.release()
+}
+# ignore other postfix messages
+Rule.new(10044, {
+	:pattern => / \w+ postfix\/master|cleanup|bounce/
+})
+Rule.new(10045, {
+	:pattern => / \w+ postfix\/qmgr\[\d+\]\: (\w+)\: removed/
+})
+Rule.new(10050, {
+	:pattern => /never match anything/
+})

data/rulesets/rules.rb ADDED Viewed

@@ -0,0 +1,22 @@
+#!/usr/bin/ruby -Ilib
+# run with command like:
+#    rulesets/rules.rb < /var/log/mail.log 3>missed.log 2>control.log > newevents.log
+# takes input from a log file and emits new events to newevents.log
+# while missed events go to the missed.log and control messages to control.log
+require 'rubygems'
+require 'rec'
+include REC
+# For better security, move the next few lines into a file readable only by the user
+# running this script eg. /home/rec/alert.conf and then require that file
+Notify.smtp_credentials("rec@gmail.com", "recret", "myfirm.com")
+Notify.emailTo = "me@myfirm.com"
+Notify.jabber_credentials("rec@gmail.com", "recret")
+Notify.jabberTo = "me@myfirm.com"
+# load rulesets
+require 'rulesets/postfix-rules'
+require 'rulesets/sample-rules'
+Correlator::start()

data/rulesets/sample-rules.rb ADDED Viewed

@@ -0,0 +1,62 @@
+# single threshold rule
+Rule.new(10034, {
+	:pattern => /^\s+\w+\s+sudo\[\d+\]\:\s+(\w+) \:/,
+	:details => ["userid"],
+	:message => "sudo activity for user %userid$s",
+	:lifespan => 60,
+	:alert => "'Too much sudo activity' userid=%userid$s attempts=%count$d dur=%dur$0.3fs ",
+	:expiry => "'Gave sudo a rest' userid=%userid$s attempts=%count$d dur=%dur$0.3fs ",
+	:threshold => 3,
+	:capture => true,
+	:action => Proc.new { |state|
+		if state.count == state.threshold
+			Notify.urgent(state.generate(:alert))
+			state.release()
+		end
+	},
+	:final => Proc.new { |state|
+		Notify.urgent(state.generate(:expiry))
+	}
+})
+# suppression rule
+Rule.new(10035, {
+	:pattern => /^\s\w+\sFirewall\[\d+\]\:\sSkype is listening from 0.0.0.0:(\d+)/,
+	:details => ["port"],
+	:message => "Skype conversation started on port %port$d",
+	:alert => "Skype running on port %port$d",
+	:lifespan => 479,
+	:action => State::Generate_first_only
+})
+# pair rule
+Rule.new(10036, {
+	:pattern => /^\s\w+\s\w+\: nfs\: server (\w+) not responding/,
+	:details => ["host"],
+	:message => "Server %host$s is down",
+	:lifespan => 300,
+	:action => State::Generate_first_only
+})
+Rule.new(10037, {
+	:pattern => /^\s\w+\s\w+\: nfs\: server (\w+) OK/,
+	:details => ["host"],
+	:message => "Server %host$s is up again",
+	:allstates => ["Server %host$s is down"]
+}) {|state|
+	# store the duration of the outage and log the message
+	duration = State.find("Server %host$s is down", state).age
+	state.params[:outage] = (duration/60).to_i()
+	state.generate()
+	state.release("Server %host$s is down")
+	state.release()
+}
+# single rule
+Rule.new(10040, {
+	:pattern => /Accepted password for (\w+) from (\d+\.\d+\.\d+\.\d+)/,
+	:details => ["user", "ip"],
+	:message => "User %user$s signed in via SSH from %ip$s",
+	:action => State::Generate_and_release
+})
+# single with suppress

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rec
 version: !ruby/object:Gem::Version
-  hash: 31
+  hash: 27
   prerelease:
   segments:
   - 1
   - 0
-  - 4
-  version: 1.0.4
+  - 6
+  version: 1.0.6
 platform: ruby
 authors:
 - Richard Kernahan
@@ -31,8 +31,8 @@ executables: []
 extensions: []
 extra_rdoc_files:
-- lib/README
-- lib/EXAMPLES
+- README
+- EXAMPLES
 files:
 - lib/rec.rb
 - lib/rec/rule.rb
@@ -41,8 +41,11 @@ files:
 - lib/rec/notify.rb
 - lib/rec/mock-notify.rb
 - lib/string.rb
-- lib/README
-- lib/EXAMPLES
+- rulesets/rules.rb
+- rulesets/sample-rules.rb
+- rulesets/postfix-rules.rb
+- README
+- EXAMPLES
 homepage: http://rubygems.org/gems/rec
 licenses: []
@@ -50,7 +53,7 @@ post_install_message:
 rdoc_options:
 - --show-hash
 - --main
-- lib/README
+- README
 - --title
 - REC -- Ruby Event Correlation
 require_paths:

/data/{lib/EXAMPLES → EXAMPLES} RENAMED Viewed

File without changes

/data/{lib/README → README} RENAMED Viewed

File without changes