
#
# Sample Swatch Rules
#
# These Swatch rules are tailored to flag ssh syslog
# entries in various colours depending on the severity.
#
# Copyright 2001, Bri Hatch
# Released under the GPL.


# Some patterns to ignore.
# Routine sshd chatter (listen/connect/close notices, key regeneration,
# timeouts) is dropped here so only the rules below produce output. As the
# comment at the bottom of this file assumes, a line that hits one of these
# ignores never reaches the watchfor rules. Note that the "authentication
# ... accepted" ignore also silences every successful non-root login, so this
# file gives no audit trail of who logged in — only root logins are surfaced.
# Unescaped '.' in a few patterns (e.g. "key.$") matches any character; that
# only makes the ignore slightly looser, so it is left as-is.
ignore =        /log: Server listening on port \d+$/
ignore =        /log: Connection from .* port \d+$/
ignore =        /log: Generating new \d+ bit RSA key.$/
ignore =        /log: RSA key generation complete.$/
ignore =        /log: .* authentication for .* accepted.$/
ignore =        /log: Closing connection to/
ignore =        /fatal: Read error from remote host/
ignore =        /fatal: Connection closed by remote/
ignore =        /log: Wrong response to RSA authentication challenge./
ignore =        /fatal: Read from socket failed: Connection timed out./

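# Highlight root logins we expect.
# The dots are escaped so the pattern matches only this host name rather
# than any character in those positions. The host name is presumably what
# sshd obtained by reverse lookup of the peer address, so this rule is a
# display convenience, not an authentication decision; the catch-all ROOT
# LOGIN rule below still fires for every other host. The pattern is
# unanchored on the right — append `$` once the exact line ending is
# confirmed against this sshd's output.
# This rule must stay above the unexpected-root-login rule: swatch acts on
# the first matching pattern, so order is what keeps trusted logins quiet.
watchfor =      /log: ROOT LOGIN as 'root' from trusted\.example\.com/
     echo magenta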

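# Warn big time for root logins we aren't expecting.
# Highlight, ring the bell, mail and write to the admins, then hand the
# matched line to the pager. The line is delivered on the pager's stdin
# with `pipe` instead of `exec ... $0`: `exec` substitutes the raw log text
# into a command string that is run by a shell, and part of that text (the
# remote host name) is chosen by the peer, so shell metacharacters in it
# would be interpreted. /opt/bin/page_admins must therefore read the line
# from stdin rather than from its first argument.
# Every matching line triggers mail, write and a page; if a flood of such
# lines is a concern, swatch's `throttle` action can rate-limit this rule.
watchfor =      /log: ROOT LOGIN/
     echo magenta_h
     bell 2
     mail root@localhost:reegen@localhost,subject=ROOT LOGIN ALERT
     write root:reegen
     pipe /opt/bin/page_admins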

# Forward/reverse mapping errors: sshd logs this when the peer's reverse
# DNS name does not resolve back to the connecting address. Shown in red
# only — no mail or page — so it is visible on the console but not alerted.
watchfor =      /POSSIBLE BREAKIN ATTEMPT!/
     echo red

# Any sshd "fatal:" line not already dropped by the ignores above
# (read errors, closed connections, timeouts) is shown in blue.
watchfor =      /fatal:/
     echo blue

# Make sure anything we don't explicitly ignore is logged in
# unobtrusive green. As we find new things that are important
# we'll make more rules for them.
# This catch-all must remain the last rule: swatch stops at the first
# pattern that matches, so anything placed after it would never fire.

watchfor =      /.*/
     echo green