rsyslog in yml
This commit is contained in:
parent
7a8dbb6456
commit
93ce462794
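--- a/basics.yml
+++ b/basics.yml
@@ -430,13 +430,191 @@
 notify:
 - Restart rsyslog
 
-- name: rsyslog-config local
-copy:
-src: configs/etc/rsyslog.d/01-services-local.conf
-dest: /etc
+- name: /etc/rsyslog.d/01-services-local.conf
+blockinfile:
+path: /etc/rsyslog.d/00-services-remote.conf
+create: yes
+mode: "0444"
 owner: root
 group: root
-mode: "0444"
+marker: "# {mark} ANSIBLE MANAGED BLOCK"
+block: |
+# Additional Socket from chroot
+input(type="imuxsock" HostName="vpn-share" Socket="/data-crypt/dev/log" CreatePath="on")
+input(type="imuxsock" HostName="share" Socket="/data-crypt/share/dev/log" CreatePath="on")
+# Auth success (for share-auth 2FA)
+if $programname == 'nextcloud-audit' and $msg contains 'Login successful:' then /var/log/auth-success.log
+if $programname == 'imaps' and $msg contains 'TLS User logged in' then /var/log/auth-success.log
+# Nextcloud
+if $msg contains '","level":0,"time":"' and $programname contains 'nextcloud' then stop
+if $msg contains '","level":1,"time":"' and $programname contains 'nextcloud' then stop
+if $programname == 'nextcloud' then /var/log/nextcloud.log
+if $programname == 'nextcloud' then stop
+if $programname == 'nextcloud-audit' then /var/log/nextcloud.log
+if $programname == 'nextcloud-audit' then stop
+if $programname == 'nextcloud-test' then /var/log/nextcloud-test.log
+if $programname == 'nextcloud-test' then stop
+if $programname == 'nextcloud-test-audit' then /var/log/nextcloud-test.log
+if $programname == 'nextcloud-test-audit' then stop
+# USV
+if $programname == 'apcupsd' and $syslogseverity <= '6' then /var/log/usv-apcupsd.log
+if $programname == 'apcupsd' then stop
+# SMART HDD Überwachung
+if $programname == 'smartd' and $syslogseverity <= '6' then /var/log/smartd.log
+if $programname == 'smartd' then stop
+# SSH TUNNEL
+if $programname == 'sshd-tunnel' and $syslogseverity <= '6' then /var/log/sshd-tunnel.log
+if $programname == 'sshd-tunnel' then stop
+# SSH SFTP
+if $programname == 'sshd-sftp' and $syslogseverity <= '6' then /var/log/sshd-sftp.log
+if $programname == 'sshd-sftp' then stop
+# SSH Share
+if $programname == 'sshd' and $syslogfacility-text == 'local7' then /var/log/sshd-share.log
+if $programname == 'sshd' and $syslogfacility-text == 'local7' then stop
+# firewall
+if $programname == 'kernel' and $msg contains 'PROTO' then /var/log/firewall.log
+if $programname == 'kernel' and $msg contains 'PROTO' then stop
+# SSH rsyncbackup
+if $programname == 'sshd-rsyncbackup' and $syslogseverity <= '6' then /var/log/sshd-rsyncbackup.log
+if $programname == 'sshd-rsyncbackup' then stop
+# SSH
+if $programname == 'sshd' and $syslogseverity <= '6' then /var/log/sshd.log
+if $programname == 'sshd' then stop
+# SFTP
+if $programname == 'internal-sftp' and $msg contains 'sent status ' then stop
+if $programname == 'internal-sftp' and $msg contains 'lstat name ' then stop
+if $programname == 'internal-sftp' and $msg contains '/.kodi/' then stop
+if $programname == 'internal-sftp' then /var/log/sftpaccess.log
+if $programname == 'internal-sftp' then stop
+# Cron
+if $programname == 'cron' and $syslogseverity <= '6' then /var/log/cron.log
+if $programname == 'cron' then stop
+if $programname == 'run-crons' and $syslogseverity <= '6' then /var/log/cron.log
+if $programname == 'run-crons' then stop
+if $programname == 'crontab' and $syslogseverity <= '6' then /var/log/cron.log
+if $programname == 'crontab' then stop
+# rsync
+if $programname == 'rsyncd' and $syslogseverity <= '6' then /var/log/rsyncd.log
+if $programname == 'rsyncd' then stop
+# DNS
+if $programname == 'named' and $msg contains ' 127.0.0.1#' then stop
+if $programname == 'named' and $msg contains ': sending notifies' then stop
+if $programname == 'named' and $msg contains ' loaded serial ' then stop
+if $programname == 'named' and $syslogseverity <= '6' then /var/log/bind.log
+if $programname == 'named' then stop
+# DHCP
+if $programname == 'dhcpd' and $syslogseverity <= '6' then /var/log/dhcpd.log
+if $programname == 'dhcpd' then stop
+# NFS
+if $programname == 'rpc.mountd' and $syslogseverity <= '6' then /var/log/nfs.log
+if $programname == 'rpc.mountd' then stop
+if $programname == 'rpc.idmapd' and $syslogseverity <= '6' then /var/log/nfs.log
+if $programname == 'rpc.idmapd' then stop
+if $programname == 'rpc.statd' and $syslogseverity <= '6' then /var/log/nfs.log
+if $programname == 'rpc.statd' then stop
+if $programname == 'rpcbind' and $syslogseverity <= '6' then /var/log/nfs.log
+if $programname == 'rpcbind' then stop
+# NTP
+if $programname == 'ntpd' and $syslogseverity <= '6' then /var/log/ntp.log
+if $programname == 'ntpd' then stop
+if $programname == 'ntpdate' and $syslogseverity <= '6' then /var/log/ntp.log
+if $programname == 'ntpdate' then stop
+# Mail
+if $msg contains 'auxpropfunc error invalid parameter supplied' then stop
+if $msg contains '_sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb' then stop
+if $msg contains 'seen_db: user ' then stop
+if $msg contains 'SQUAT ' then stop
+if $msg contains 'indexing mailbox ' then stop
+if $msg contains 'fetching user_deny.db' then stop
+if $programname == 'lmtpunix' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'lmtpunix' then stop
+if $programname == 'imap' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'imap' then stop
+if $programname == 'imaps' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'imaps' then stop
+if $programname == 'master' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'master' then stop
+if $programname == 'ctl_cyrusdb' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'ctl_cyrusdb' then stop
+if $programname == 'pop3' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'pop3' then stop
+if $programname == 'pop3s' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'pop3s' then stop
+if $programname == 'squatter' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'squatter' then stop
+if $programname == 'tls_prune' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'tls_prune' then stop
+if $programname == 'cyr_expire' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'cyr_expire' then stop
+if $programname == 'sieve' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'sieve' then stop
+if $programname == 'deliver' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'deliver' then stop
+if $programname == 'ipurge' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'ipurge' then stop
+if $programname == 'saslauthd' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'saslauthd' then stop
+if $programname == 'amavis' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'amavis' then stop
+if $programname == 'clamd' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'clamd' then stop
+if $programname == 'freshclam' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'freshclam' then stop
+if $programname == 'fetchmail' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'fetchmail' then stop
+if $programname == 'spamd' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'spamd' then stop
+if $programname contains 'postfix' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname contains 'postfix' then stop
+if $programname == 'reconstruct' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'reconstruct' then stop
+if $programname == 'policyd-spf' and $syslogseverity <= '6' then /var/log/maillog.log
+if $programname == 'policyd-spf' then stop
+# slapd
+if $programname == 'slapd' then /var/log/slapd.log
+if $programname == 'slapd' then stop
+# PulseAudio
+if $programname == 'pulseaudio' and $msg contains 'Denied access to client with invalid authentication data' then stop
+if $programname == 'pulseaudio' then /var/log/pulseaudio.log
+if $programname == 'pulseaudio' then stop
+# hostapd
+if $programname == 'hostapd' then /var/log/hostapd.log
+if $programname == 'hostapd' then stop
+# nscd
+if $programname == 'nscd' then /var/log/nscd.log
+if $programname == 'nscd' then stop
+# arpwatch
+if $programname == 'arpwatch' then /var/log/arpwatch.log
+if $programname == 'arpwatch' then stop
+# X
+if $programname == 'mate-session' then /var/log/x.log
+if $programname == 'mate-session' then stop
+if $programname == 'Tor' then /var/log/x.log
+if $programname == 'Tor' then stop
+# xinetd
+if $programname == 'xinetd' then /var/log/xinetd.log
+if $programname == 'xinetd' then stop
+# in.tftp
+if $programname == 'in.tftpd' then /var/log/in.tftpd.log
+if $programname == 'in.tftpd' then stop
+# pppd
+if $programname == 'dhcpcd' then /var/log/pppd.log
+if $programname == 'dhcpcd' then stop
+if $programname == 'radvd' then /var/log/pppd.log
+if $programname == 'radvd' then stop
+if $programname == 'pppd' then /var/log/pppd.log
+if $programname == 'pppd' then stop
+# wlan
+if $programname == 'wpa_cli' then /var/log/messages
+if $programname == 'wpa_cli' then stop
+# cups
+if $programname == 'cupsd' then /var/log/cupsd.log
+if $programname == 'cupsd' then stop
+# bash scripts using g-lib
+if $programname contains 'g_bash-script' then /var/log/g_bash-scripts.log
+if $programname contains 'g_bash-script' then stop
+# Rest in messages
+*.* /var/log/messages
 backup: yes
 notify:
 - Restart rsyslog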
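Review bot: The new task is named `/etc/rsyslog.d/01-services-local.conf` but its `path:` writes the block into `/etc/rsyslog.d/00-services-remote.conf`, so one of the two is a slip, and because rsyslog loads the drop-in directory in filename order the rules would land in a different file and a different position relative to the other drop-ins than the name suggests. The commit also stops deploying the old `01-services-local.conf` without removing it, so hosts that already received it keep the stale copy alongside the new block and both rule sets stay in effect; add a task such as `file: { path: /etc/rsyslog.d/01-services-local.conf, state: absent }` with the same `notify:`, or keep the name and path consistent. If `00-services-remote.conf` is also managed by another `blockinfile` task using the default `# {mark} ANSIBLE MANAGED BLOCK` marker (that task is outside this hunk, so this is an inference), the two blocks would overwrite each other on every run; a task-specific marker such as `marker: "# {mark} ANSIBLE MANAGED BLOCK local services"` avoids that. The preceding task whose `notify:` opens the hunk starts outside it.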