###
### Generic UNIX messages (various platforms)
###
### $Id: unix.txt,v 1.1 2002/03/09 18:26:23 emf Exp $
###
### logsurfer rule file, one rule per line:
###   'match_regex' not_match_regex stop_regex stop_not_match_regex timeout action
### A '-' leaves an optional field unset.  Parenthesized groups of the match
### regex are referenced from the action as $2, $3, ... ($2 is the first group).
### Almost every rule starts with '^.{15,} (.*) ' -- the syslog timestamp
### (15+ chars) followed by the reporting host -- so $2 is normally the host.
### Rules are checked in order; keep the specific ones above the generic ones.
###
### NOTE(review): the 'pipe' and 'report' actions below splice captured groups
### ($2..$5: host, user, tty, crontab name) into the surfmailer -S "subject"
### argument.  Those captures are (.*), i.e. whatever the logging host sent, so
### a log entry containing a '"' breaks the quoting of the subject, and if
### logsurfer hands the command string to a shell rather than exec()ing it
### directly (confirm for this build) it could alter the command.  Tightening
### the captures, e.g. ([^ ]+) for host and user, would shrink that surface.
###

# Syslog restarts.
'^.{15,} (.*) syslogd.*restart' - - - 0 ignore
'^.{15,} (.*) syslogd: exiting on signal (.*)' - - - 0 ignore
# Unanchored on purpose: the repeat marker can follow any prefix.
'last message repeated' - - - 0 ignore

# This might come in handy as part of another context, but by itself
# we don't generally care a whole lot.
# Opens a context keyed on the peer ($3) with a 5000-line limit and
# 10800 s / 1800 s timeouts; the context is simply dropped when it closes.
'^.{15,} (.*) identd\[.* Connection from (.*)' - - - 0 open "$3" - 5000 10800 1800 ignore

### cron jobs we know all about
# These are unanchored ('.* CRON\[') and match anywhere in the line.
'.* CRON\[.*newsyslog.*' - - - 0 ignore
'.* CRON\[.*adjkerntz.*' - - - 0 ignore
'.* CRON\[.* \(root\) CMD .* /etc/(daily|weekly|monthly) .*' - - - 0 ignore
'.* CRON\[.* \(root\) CMD .* periodic (daily|weekly|monthly) .*' - - - 0 ignore
'.* anacron\[.* Updated timestamp for job .*' - - - 0 ignore

###
### CRON Messages
###
# $2 = host, $3 = crontab pid, $4 = invoking user, $5 = crontab being edited.
# BEGIN EDIT opens a context named "<host> crontab[<pid>]:" (100 lines,
# 1800 s / 300 s timeouts) that collects the rest of this edit session.
'^.{15,} (.*) crontab\[(.*)\]: \((.*)\) BEGIN EDIT \((.*)\)' - - - 0 open "$2 crontab\\[$3\\]:" - 100 1800 300 ignore
# replace only means they did something.. END will cancel the whole thing
# REPLACE inserts a temporary rule (1800 s) ahead of this one: when the
# matching END EDIT arrives it mails a "crontab changed" notice and reports
# the collected context.
'^.{15,} (.*) crontab\[(.*)\]: \((.*)\) REPLACE \((.*)\)' - - - 0 rule before '^.{15,} (.*) crontab\[(.*)\]: \((.*)\) END EDIT \((.*)\)' - '.*' - 1800 report "/usr/local/bin/surfmailer -r root -S \"$5 crontab changed on $2 by $4\"" "$2 crontab\\[$3\\]:"
# END EDIT without a preceding REPLACE: nothing changed, drop the context.
'^.{15,} (.*) crontab\[(.*)\]: \((.*)\) END EDIT \((.*)\)' - - - 0 delete "$2 crontab\\[$3\\]:"
# someone running crontab -l  ($3 = user, $4 = crontab listed)
'^.{15,} (.*) crontab\[.* \((.*)\) LIST \((.*)\)' - - - 0 pipe "/usr/local/bin/surfmailer -r root -S \"User $3@$2 examined crontab for $4\""
# cron server on host $2, user $3 refreshed crontab $4
'^.{15,} (.*) cron\[.* \((.*)\) RELOAD \((.*)\)' - - - 0 pipe "/usr/local/bin/surfmailer -r root -S \"cron on $2 reloaded crontab $4\""

###
### SU
###
# Failed sudo authentication: $2 = host, $3 = user who failed.
# NOTE(review): this expects ' : TTY=' after the "incorrect password" text;
# some sudo versions log ' ; TTY=' there instead -- verify against a real
# failure line from this site's sudo before relying on the alert.
'^.{15,} (.*) sudo: (.*) : .* incorrect password.* : TTY=(.*) ; PWD=(.*) ; USER=(.*) ; COMMAND=(.*)' - - - 0 pipe "/usr/local/bin/surfmailer -r root -S \"failed sudo password by $3@$2\""
# Deliberate: successful sudo invocations are dropped here.  If an audit
# trail of privileged commands is wanted, turn this into a pipe/report.
'.* sudo: (.*) : TTY=(.*) ; PWD=(.*) ; USER=(.*) ; COMMAND=(.*)' - - - 0 ignore
# $3 = user, $4 = target account, $5 = tty
'^.{15,} (.*) su: BAD SU (.*) to (.*) on (.*)' - - - 0 pipe "/usr/local/bin/surfmailer -r root -S \"failed su by $3@$2 to $4 on $5\""
'^.{15,} (.*) login: ROOT LOGIN \((.*)\) ON (.*)' - - - 0 pipe "/usr/local/bin/surfmailer -r root -S \"ROOT LOGIN on $2 $3 $4\""
'^.{15,} (.*) reboot: rebooted by (.*)' - - - 0 pipe "/usr/local/bin/surfmailer -r root -S \"$2 rebooted by $3\""
'^.{15,} (.*) halt: halted by (.*)' - - - 0 pipe "/usr/local/bin/surfmailer -r root -S \"$2 halted by $3\""

# login events
'^.{15,} (.*) PAM_pwdb\[.*\]: \((.*)\) session opened for user (.*) by (.*)' - - - 0 ignore
'^.{15,} (.*) PAM_pwdb\[.*\]: \((.*)\) session closed for user (.*)' - - - 0 ignore
# This message doesn't give us much useful info by itself, but it alerts us
# that there is more crap coming soon.
'^.{15,} (.*) PAM_pwdb\[.*\]: check pass; user unknown' - - - 0 ignore
# However, this is a useful message.  Only the host ($2) is reported; the
# rest of the login line is not captured.
'^.{15,} (.*) login\[[0-9][0-9]*\]: FAILED LOGIN' - - - 0 pipe "/usr/local/bin/surfmailer -r root -S \"FAILED LOGIN on $2\""
'^.{15,} (.*) login: login on (.*) as (.*)' - - - 0 ignore

### System Boot Messages
# Each opens a per-host context (the hostname $2 doubles as the context's
# match regex, so '.' in it matches any character -- harmless here), collects
# up to 2500 lines for 600 s / 180 s, then mails the whole batch.
'^.{15,} (.*) /bsd: OpenBSD.*' - - - 0 open "$2" - 2500 600 180 report "/usr/local/bin/surfmailer -r root -S \"Boot Message from $2\"" "$2"
'^.{15,} (.*) /kernel: (Copyright|FreeBSD)' - - - 0 open "$2" - 2500 600 180 report "/usr/local/bin/surfmailer -r root -S \"Boot Message from $2\"" "$2"
# Linux oops: larger line limit (5000) since the trace that follows is long.
'^.{15,} (.*) kernel: Unable to handle kernel NULL pointer dereference' - - - 0 open "$2" - 5000 600 180 report "/usr/local/bin/surfmailer -r root -S \"linux crash on $2\"" "$2"

### Printers
'^.{15,} (.*) printer:' - - - 0 open "$2" - 1000 1800 300 report "/usr/local/bin/surfmailer -r root -S \"Printer message from $2\"" "$2"

# Catch anything else that we haven't seen before.
# This should be at the very bottom of your config file.
# (Disabled.  Note it uses '.{15}' rather than the '.{15,}' used above, and
# '\w' depends on the regex library in use -- check both before enabling.)
# '^.{15} (\w+) .*' - - - 0 open "$2" - 5000 600 30 report "/usr/local/bin/surfmailer -r root -S \"Unknown Message from $2\"" "$2"