rec 1.3.4 → 1.3.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/EXAMPLES +2 -2
- data/README +4 -4
- metadata +9 -5
data/EXAMPLES
CHANGED
|
@@ -24,7 +24,7 @@ If we see that happen 3 times (+threshold+) within a minute (+lifespan+), alert
|
|
|
24
24
|
}
|
|
25
25
|
|
|
26
26
|
When we see the first event, a state is created with title "Failed sudo password for user richard".
|
|
27
|
-
The second event has
|
|
27
|
+
The second event has no effect, beyond automatically incrementing the count.
|
|
28
28
|
When we see the third event, an output message is generated and logged, and then the generated
|
|
29
29
|
message is also sent via IM to the administrator. Alternatively:
|
|
30
30
|
|
|
@@ -59,7 +59,7 @@ for a fixed 5 minutes.
|
|
|
59
59
|
== Adding a final block
|
|
60
60
|
If we want to see one message when the user first has trouble, then another message
|
|
61
61
|
after he has decided to stop trying, the format is a little different. The block
|
|
62
|
-
given
|
|
62
|
+
given in previous examples is stored in the +params+ as +action+.
|
|
63
63
|
|
|
64
64
|
Instead, the +action+ block may be specified directly as a member of the params hash,
|
|
65
65
|
and the +final+ must be specified in this way if it is to be used.
|
data/README
CHANGED
|
@@ -55,7 +55,7 @@ There are several alternatives to REC which may suit your needs better:
|
|
|
55
55
|
* scalextreme.com[www.scalextreme.com]
|
|
56
56
|
|
|
57
57
|
While I like these options, I find they take a lot of configuring.
|
|
58
|
-
They also
|
|
58
|
+
They also have some dependencies that make them a bit heavier than you may want.
|
|
59
59
|
If you just want to keep track of a few kinds of events, want a lot of flexibility
|
|
60
60
|
and control without too much effort, then REC may be of some value.
|
|
61
61
|
|
|
@@ -85,7 +85,7 @@ We can also 'swallow' all of the rest of the "host terra is down" events because
|
|
|
85
85
|
This <em>event compression</em> means the administrator gets one important message, and not 27
|
|
86
86
|
distracting alerts.
|
|
87
87
|
|
|
88
|
-
A
|
|
88
|
+
A notification can be sent by email or instant message, depending on your preferences and working hours.
|
|
89
89
|
The destinations and credentials are supplied to your ruleset:
|
|
90
90
|
# For better security, move the next few lines into a file readable only by
|
|
91
91
|
# the user running this script eg. /home/rec/alert.conf
|
|
@@ -154,7 +154,7 @@ The sequence of captures is as specified for ruby Regexps.
|
|
|
154
154
|
:pattern => /\w+ sudo\: (\w+) \: (\d) incorrect password attempts/,
|
|
155
155
|
:details => ["userid", "failures"],
|
|
156
156
|
The names chosen for captured values are used as keys to store the values in the same
|
|
157
|
-
hash that stores the parameters, so do *not* choose
|
|
157
|
+
hash that stores the parameters, so do *not* choose the following keywords: +pattern+, +details+,
|
|
158
158
|
+message+, +threshold+, +lifespan+, +alert+, +capture+, +continue+, or +action+.
|
|
159
159
|
|
|
160
160
|
=== message
|
|
@@ -179,7 +179,7 @@ minutes longer at each request.
|
|
|
179
179
|
This is a string template used to generate an output log message (the timestamp will be
|
|
180
180
|
prefixed automatically to complete the log entry).
|
|
181
181
|
:alert => "'Too much sudo activity' userid=%userid$s attempts=%count$d dur=%dur$0.3fs ",
|
|
182
|
-
By convention, we make
|
|
182
|
+
By convention, we make our log messages very easy to parse by creating name=value pairs,
|
|
183
183
|
and single-quoting strings containing spaces, in case the output will be processed further.
|
|
184
184
|
|
|
185
185
|
If no +alert+ is provided, it will default to +message+.
|
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rec
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
hash:
|
|
4
|
+
hash: 17
|
|
5
5
|
prerelease:
|
|
6
6
|
segments:
|
|
7
7
|
- 1
|
|
8
8
|
- 3
|
|
9
|
-
-
|
|
10
|
-
version: 1.3.
|
|
9
|
+
- 5
|
|
10
|
+
version: 1.3.5
|
|
11
11
|
platform: ruby
|
|
12
12
|
authors:
|
|
13
13
|
- Richard Kernahan
|
|
@@ -15,7 +15,7 @@ autorequire:
|
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
17
|
|
|
18
|
-
date: 2013-
|
|
18
|
+
date: 2013-10-10 00:00:00 Z
|
|
19
19
|
dependencies:
|
|
20
20
|
- !ruby/object:Gem::Dependency
|
|
21
21
|
name: xmpp4r
|
|
@@ -32,7 +32,11 @@ dependencies:
|
|
|
32
32
|
version: "0.5"
|
|
33
33
|
type: :runtime
|
|
34
34
|
version_requirements: *id001
|
|
35
|
-
description: "\t\
|
|
35
|
+
description: "\t\tDeprecated. \n\
|
|
36
|
+
\t\tI'm planning to discontinue this gem. Although it has enormous flexibility and power, \n\
|
|
37
|
+
\t\tit is in my view too complex. 80% of requirements can be met through custom shell scripts\n\
|
|
38
|
+
\t\twhich are much simpler to write and maintain. \n\n\
|
|
39
|
+
\t\tSifts through your log files in real time, using stateful intelligence to determine\n\
|
|
36
40
|
\t\twhat is really important. REC can alert you (by email or IM) or it can simply condense\n\
|
|
37
41
|
\t\ta large log file into a much shorter and more meaningful log.\n\
|
|
38
42
|
\t\tREC is inspired by Risto Vaarandi's brilliant *sec* (simple-evcorr.sourceforge.net)\n\
|