RubyGems - rec - Versions diffs - 1.0.4 → 1.0.6 - Mend

rec 1.0.4 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

data/rulesets/postfix-rules.rb ADDED Viewed

@@ -0,0 +1,41 @@
+# collection rules - pull details out of events sharing an ID
+Rule.new(10040, {
+	:pattern => /\s\w+\spostfix\/pickup\[\d+\]\: (\w+)\: uid=(\d+) from\=\<(\w+)\>/,
+	:details => ["mailid","uid","from"],
+	:message => "Active mail mailid=%mailid$s",
+	:lifespan => 300
+})
+Rule.new(10041, {
+	:pattern => / \w+ postfix\/qmgr\[\d+\]\: (\w+)\: from\=\<(.+?\@.+?)?\>/,
+	:details => ["mailid", "from"],
+	:message => "Active mail mailid=%mailid$s"
+})
+Rule.new(10042, {
+	:pattern => / \w+ postfix\/smtp\[\d+\]\: (\w+)\: to\=\<(.+?\@.+?)\>.+status\=(\w+)/,
+	:details => ["mailid", "to", "status"],
+	:message => "Active mail mailid=%mailid$s",
+	:alert => "Mail from=%from$s to=%to$s status=%status$s mailid=%mailid$s"
+}) { |state|
+	state.generate(:alert)
+	state.release()
+}
+Rule.new(10043, {
+	:pattern => / \w+ postfix\/local\[\d+\]\: (\w+)\: to\=\<(.+?\@.+?)\>.+status\=(\w+)/,
+	:details => ["mailid", "to", "status"],
+	:message => "Active mail mailid=%mailid$s",
+	:alert => "Mail from=local to=%to$s status=%status$s mailid=%mailid$s"
+}) { |state|
+	state.generate(:alert)
+	state.release()
+}
+# ignore other postfix messages
+Rule.new(10044, {
+	:pattern => / \w+ postfix\/master|cleanup|bounce/
+})
+Rule.new(10045, {
+	:pattern => / \w+ postfix\/qmgr\[\d+\]\: (\w+)\: removed/
+})
+Rule.new(10050, {
+	:pattern => /never match anything/
+})

data/rulesets/rules.rb ADDED Viewed

@@ -0,0 +1,22 @@
+#!/usr/bin/ruby -Ilib
+# run with command like:
+#    rulesets/rules.rb < /var/log/mail.log 3>missed.log 2>control.log > newevents.log
+# takes input from a log file and emits new events to newevents.log
+# while missed events go to the missed.log and control messages to control.log
+require 'rubygems'
+require 'rec'
+include REC
+# For better security, move the next few lines into a file readable only by the user
+# running this script eg. /home/rec/alert.conf and then require that file
+Notify.smtp_credentials("rec@gmail.com", "recret", "myfirm.com")
+Notify.emailTo = "me@myfirm.com"
+Notify.jabber_credentials("rec@gmail.com", "recret")
+Notify.jabberTo = "me@myfirm.com"
+# load rulesets
+require 'rulesets/postfix-rules'
+require 'rulesets/sample-rules'
+Correlator::start()

data/rulesets/sample-rules.rb ADDED Viewed

@@ -0,0 +1,62 @@
+# single threshold rule
+Rule.new(10034, {
+	:pattern => /^\s+\w+\s+sudo\[\d+\]\:\s+(\w+) \:/,
+	:details => ["userid"],
+	:message => "sudo activity for user %userid$s",
+	:lifespan => 60,
+	:alert => "'Too much sudo activity' userid=%userid$s attempts=%count$d dur=%dur$0.3fs ",
+	:expiry => "'Gave sudo a rest' userid=%userid$s attempts=%count$d dur=%dur$0.3fs ",
+	:threshold => 3,
+	:capture => true,
+	:action => Proc.new { |state|
+		if state.count == state.threshold
+			Notify.urgent(state.generate(:alert))
+			state.release()
+		end
+	},
+	:final => Proc.new { |state|
+		Notify.urgent(state.generate(:expiry))
+	}
+})
+# suppression rule
+Rule.new(10035, {
+	:pattern => /^\s\w+\sFirewall\[\d+\]\:\sSkype is listening from 0.0.0.0:(\d+)/,
+	:details => ["port"],
+	:message => "Skype conversation started on port %port$d",
+	:alert => "Skype running on port %port$d",
+	:lifespan => 479,
+	:action => State::Generate_first_only
+})
+# pair rule
+Rule.new(10036, {
+	:pattern => /^\s\w+\s\w+\: nfs\: server (\w+) not responding/,
+	:details => ["host"],
+	:message => "Server %host$s is down",
+	:lifespan => 300,
+	:action => State::Generate_first_only
+})
+Rule.new(10037, {
+	:pattern => /^\s\w+\s\w+\: nfs\: server (\w+) OK/,
+	:details => ["host"],
+	:message => "Server %host$s is up again",
+	:allstates => ["Server %host$s is down"]
+}) {|state|
+	# store the duration of the outage and log the message
+	duration = State.find("Server %host$s is down", state).age
+	state.params[:outage] = (duration/60).to_i()
+	state.generate()
+	state.release("Server %host$s is down")
+	state.release()
+}
+# single rule
+Rule.new(10040, {
+	:pattern => /Accepted password for (\w+) from (\d+\.\d+\.\d+\.\d+)/,
+	:details => ["user", "ip"],
+	:message => "User %user$s signed in via SSH from %ip$s",
+	:action => State::Generate_and_release
+})
+# single with suppress

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rec
 version: !ruby/object:Gem::Version
-  hash: 31
+  hash: 27
   prerelease:
   segments:
   - 1
   - 0
-  - 4
-  version: 1.0.4
+  - 6
+  version: 1.0.6
 platform: ruby
 authors:
 - Richard Kernahan
@@ -31,8 +31,8 @@ executables: []
 extensions: []
 extra_rdoc_files:
-- lib/README
-- lib/EXAMPLES
+- README
+- EXAMPLES
 files:
 - lib/rec.rb
 - lib/rec/rule.rb
@@ -41,8 +41,11 @@ files:
 - lib/rec/notify.rb
 - lib/rec/mock-notify.rb
 - lib/string.rb
-- lib/README
-- lib/EXAMPLES
+- rulesets/rules.rb
+- rulesets/sample-rules.rb
+- rulesets/postfix-rules.rb
+- README
+- EXAMPLES
 homepage: http://rubygems.org/gems/rec
 licenses: []
@@ -50,7 +53,7 @@ post_install_message:
 rdoc_options:
 - --show-hash
 - --main
-- lib/README
+- README
 - --title
 - REC -- Ruby Event Correlation
 require_paths:

/data/{lib/EXAMPLES → EXAMPLES} RENAMED Viewed

File without changes

/data/{lib/README → README} RENAMED Viewed

File without changes