###########################################################
###########################################################
#
# EXAMPLES
#
# $Id: sec.conf,v 1.39 2004/03/26 15:18:46 root Exp $
#
###########################################################
#
#
# WARNING! WARNING! WARNING! WARNING! WARNING! WARNING!
#
#
# You can't comment lines inside one of the blocks in this conf
# file! If you comment out one action and add another just after
# it, the whole block WON'T WORK! You'll have to leave it
# after the block, with a space, and leave some comment about
# where it belongs, or just delete it and rely on RCS. You *do*
# use RCS don't you?!!
#
# You've been warned, comments don't work like you might expect
# here.
#
# - Nate
#
# WARNING! WARNING! WARNING! WARNING! WARNING! WARNING!
#
#
###########################################################
#
# Example 1
#
# Consider the following rules:
#
#type=single
#continue=takenext
#ptype=regexp
#pattern=([\w\d\.]+)\ssshd\[(\d+)\]:.*Connection from
#desc=ssh session opened on host $1 - pid $2
#action=create sshd_$2_$1
#
#type=single
#continue=takenext
#ptype=regexp
#pattern=([\w\d\.]+)\ssshd\[(\d+)\]:
#context=sshd_$2_$1
#desc=ssh session event for host $1 pid $2
#action=add sshd_$2_$1 $0; set sshd_$2_$1 1800 \
# (report sshd_$2_$1 /usr/bin/mail systems@wired.com)
#
#type=single
#ptype=regexp
#pattern=([\w\d\.]+)\ssshd\[(\d+)\]:.*Closing connection
#desc=ssh session closed for host $1 pid $2
#action=report sshd_$2_$1 /usr/bin/mail systems@wired.com; \
# delete sshd_$2_$1
#
# First rule creates context with the name sshd_<pid>_<host> when someone
# connects from any host with ssh. The second rule adds all logfile lines that
# are associated with the session to the event store of the context
# sshd_<pid>_<host> (before adding a line, the rule checks if the context
# exists). After adding a line, the rule extends context's lifetime for 30
# minutes and sets the action list that will be executed when context times
# out.
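# The third rule mails collected logfile lines to systems@wired.com when
# the session is closed. Collected lines will also be mailed when the
# session has been inactive for 30 minutes (no logfile lines observed for
# that session).
#
# Note that the logfile line that has matched the first rule will be passed to
# the second rule and will become the first line in the event store (the first
# rule has continue parameter set to TakeNext). The second rule has also
# continue parameter set to TakeNext, since otherwise no logfile lines would
# reach the third rule.
#
#
#
# Example 1.5
#
# Live rule: cfservd on boomerang logged "Logical start time", which the desc
# reads as a restart. One alert per 30 minutes (window=1800). The matched line
# ($0) is handed to /usr/local/bin/mail.alert.sec on standard input with the
# pipe action; shellcmd would splice $0 into a shell command line, where a
# quote or $(...) inside the log message breaks out of the '...' quoting.
# The pid field is (\[\d+\])? so lines with multi-digit pids match as well.
type=SingleWithSuppress
ptype=regexp
pattern=[A-Z][a-z]{2}\s\s?\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+boomerang\s+cfservd(\[\d+\])?:.*Logical start time
desc=cfservd restarted on boomerang
action=pipe '$0' /usr/local/bin/mail.alert.sec systems@wired.com
window=1800

# Earlier action for the rule above, kept outside the block for reference:
#action=shellcmd /bin/echo '$0' | /usr/bin/mailx -s"%s" systems@wired.com
#
#type=SingleWithSuppress
#ptype=regexp
#pattern=[A-Z][a-z]{2}\s\s?\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+([\w\.\d]+)\s+([\w\d]+)(\[\d\])?:.*[Ee]rror
#desc=Host $1 logging errors from program $2.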
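#action=shellcmd /bin/echo '$0' | /usr/bin/mailx -s"%s" systems@wired.com
#window=1800
#
#type=SingleWithSuppress
#ptype=regexp
#pattern=[A-Z][a-z]{2}\s\s?\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+([\w\.\d]+)\s+scsi(\[\d\])?:
#desc=Host $1 logging SCSI errors
#action=shellcmd /bin/echo '$0' | /usr/bin/mailx -s"%s" systems@wired.com
#window=1800

# Live rules from here down to Example 2. Each one alerts once per 30 minutes
# (window=1800) per distinct desc and hands the matched syslog line ($0) to
# /usr/local/bin/mail.alert.sec on standard input with the pipe action.
# shellcmd would splice $0 into a shell command line, where a quote or $(...)
# inside a log message breaks out of the '...' quoting; with pipe the line
# never reaches the shell. The subject (-s"%s", %s = desc) still goes through
# the shell, so every capture that appears in a desc is limited to a character
# class without shell metacharacters.

# Any message mentioning scsi; $1 = hostname
type=SingleWithSuppress
ptype=regexp
pattern=[A-Z][a-z]{2}\s\s?\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+([\w\.\d]+)\s+[\w\d]+(\[\d+\])?:.*scsi
desc=Host $1 logging SCSI messages
action=pipe '$0' /usr/local/bin/mail.alert.sec -s"%s" systems@wired.com
window=1800

# "<mountpoint>: file system full"; $1 = hostname, $3 = mount point.
# $3 ends up in the subject, so it is limited to path characters (was \S+).
type=SingleWithSuppress
ptype=regexp
pattern=[A-Z][a-z]{2}\s\s?\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+([\w\.\d]+)\s+[\w\d]+(\[\d+\])?:.*([\w/\.\-]+): [fF]ile system full
desc=Filesystem $3 full on host $1
action=pipe '$0' /usr/local/bin/mail.alert.sec -s"%s" systems@wired.com
window=1800

# "No space left on device"; $1 = hostname. The subject uses %s (the desc)
# like every other rule here; the previous -s"$desc" is not one of sec's
# substitutions and was handed to the shell unexpanded.
type=SingleWithSuppress
ptype=regexp
pattern=[A-Z][a-z]{2}\s\s?\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+([\w\d\.]+)\s[\w\d]+(\[\d+\])?:.*No space left on device
desc=Filesystem full on host: $1
action=pipe '$0' /usr/local/bin/mail.alert.sec -s"%s" systems@wired.com
window=1800

# scsi errors
#
#unix: ASC: 0x16 (data sync mark error), ASCQ: 0x0, FRU: 0xd2
#unix: WARNING: /sbus@1f,0/QLGC,isp@0,10000/sd@0,0 (sd0):
#Error for Command: read(10) Error Level: Fatal
#unix: Requested Block: 7325368 Error Block: 7325372
#unix: Sense Key: Media Error
#unix: ASC: 0x16 (data sync mark error), ASCQ: 0x0, FRU: 0xd2
#
#watchfor /Sense Key: Media Error/
#watchfor /attackalert:/
#watchfor /\'su root\' failed/
#watchfor /SunOS Release/
#
# A second "No space left on device" rule used to follow here. It matched the
# same lines as the rule above with the same desc, and since that rule does not
# set continue=TakeNext the copy could never fire; it has been dropped.

# "no swap space"; $1 = hostname
type=SingleWithSuppress
ptype=regexp
pattern=[A-Z][a-z]{2}\s\s?\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+([\w\d\.]+)\s([\w\d]+)(\[\d+\])?:.*no swap space
desc=Swap exhausted on host: $1
action=pipe '$0' /usr/local/bin/mail.alert.sec -s"%s" systems@wired.com
window=1800

# StoryServer page generator failures; $1 = hostname
type=SingleWithSuppress
ptype=regexp
pattern=[A-Z][a-z]{2}\s\s?\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+([\w\d\.]+)\s([\w\d]+)(\[\d+\])?:.*(Unable to connect to PageGenerator|attempt connecting to page generator failed)
desc=StoryServer page generator trouble on host: $1
action=pipe '$0' /usr/local/bin/mail.alert.sec -s"%s" systems@wired.com
window=1800

#
# /usr/local/bin/mail.alert.sec is the mail script, takes summary info on STDIN
# Use it like:
# action=pipe '$0' /usr/local/bin/mail.alert.sec systems@wired.com
#

# stunnel messages. NOTE(review): the syslog host field is matched literally as
# "stunnel" and $1 captures the program tag, so the subject names the program,
# not a host - confirm this is the intended reading.
type=SingleWithSuppress
ptype=regexp
pattern=[A-Z][a-z]{2}\s\s?\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+stunnel\s([\w\d]+)(\[\d+\])?:.*(Connection refused|warning|Received signal 15; terminating)
desc=stunnel trouble on host: $1
action=pipe '$0' /usr/local/bin/mail.alert.sec -s"%s" systems@wired.com
window=1800

# BIND zone load failures; $1 = hostname
type=SingleWithSuppress
ptype=regexp
pattern=[A-Z][a-z]{2}\s\s?\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+([\w\d\.]+)\s([\w\d]+)(\[\d+\])?:.*rejected due to errors
desc=BIND trouble on host: $1
action=pipe '$0' /usr/local/bin/mail.alert.sec -s"%s" systems@wired.com
window=1800

# "out of inodes"; $1 = hostname
type=SingleWithSuppress
ptype=regexp
pattern=[A-Z][a-z]{2}\s\s?\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+([\w\d\.]+)\s([\w\d]+)(\[\d+\])?:.*out of inodes
desc=Out of inodes on host: $1
action=pipe '$0' /usr/local/bin/mail.alert.sec -s"%s" systems@wired.com
window=1800

#
#
# Example 2
#
# Suppose there is a backup job in your system that runs at 2AM every night and
# logs "BACKUP READY" message when it has completed its work. You want to send
# SNMP trap if there is no message in the log by 2:15AM.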
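#
#
# The first rule of Example 2 had only its type= line commented out. Every
# rule in this file starts at type=, so the time=/desc=/action= lines that
# followed without one were a headless fragment (the trap described at the top
# of this file), not a disabled rule. The whole rule is commented out here;
# uncomment all four lines together to enable it.
#
#type=Calendar
#time=59 1 * * *
#desc=WAITING FOR BACKUP
#action=event %s
#
#type=PairWithWindow
#ptype=SubStr
#pattern=WAITING FOR BACKUP
#desc=Backup not ready!
#action=shellcmd sendtrap.sh "%s"
#ptype2=SubStr
#pattern2=BACKUP READY
#desc2=Backup ready
#action2=none
#window=960
#
# The first rule generates "WAITING FOR BACKUP" event every night at 1:59AM.
# This event is matched by the second rule, which starts a correlation
# operation that will wait for "BACKUP READY" event for the next 16 minutes. If
# the event arrives on time, no action is executed, otherwise sendtrap.sh
# "Backup not ready!" is called.
#
#
#
#
# Example 3
#
# Consider the following rules:
#
#type=SingleWithScript
#ptype=RegExp
#pattern=node (\S+) interface (\S+) down
#script=not_resp.sh $2
#desc=NODE $1 IF $2 DOWN
#action=event %s
#
#type=Pair
#ptype=RegExp
#pattern=NODE (\S+) IF (\S+) DOWN
#desc=Interface $2 is down at node $1
#action=shellcmd notify.sh "%s"
#ptype2=SubStr
#pattern2=node $1 interface $2 up
#desc2=Interface $2 is up at node $1
#action2=shellcmd notify.sh "%s"
#window=86400
#
# If "node <node> interface <interface> down" event is observed, the interface
# is checked with not_resp.sh script. If the interface is found to be down
# (not_resp.sh returns 0 as its exit code), event "NODE <node> IF <interface>
# DOWN" is generated, which will be matched by the second rule. The second rule
# starts a correlation operation that calls notify.sh "Interface <interface> is
# down at node <node>" and then waits for the "node <node> interface <interface>
# up" event for the next 24 hours. When that event is observed, the
# correlation operation calls notify.sh "Interface <interface> is up at node
# <node>" and terminates.
#
#
#
#
#
# Example 4
#
# Suppose you have a disk box that logs following error messages:
#
# Description of Error:
#
# Disk drive (CRU: A1) has failed and can no longer be accessed. (SP Event Code
# 0xA07)
#
# Probable Cause / Recommended Action:
#
# Replace the disk module (CRU: A1).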
#
# You would like to receive an e-mail message if something happens to the disk
# box. You would like to use different e-mail address at night-time and also
# receive a report of all night events. The problem here is that useful
# information is scattered over 7 lines and needs to be consolidated into
# single event. Consider the following rules to accomplish this task:
#
#
#type=Calendar
#time=0 22 * * *
#desc=night
#action=create %s 36000 \
# (report %s /usr/bin/mail root@localhost)
#
#type=Single
#ptype=RegExp7
#pattern=Description of Error:\n.*\n(.+)\n.*\n.*\n.*\n(.+)
#context=night
#desc=Error=$1 Recmnd=$2
#action=shellcmd nightalarm.sh "%s"; add night %s
#
#type=Single
#ptype=RegExp7
#pattern=Description of Error:\n.*\n(.+)\n.*\n.*\n.*\n(.+)
#desc=Error=$1 Recmnd=$2
#action=shellcmd alarm.sh "%s"
#
# First rule creates context night with the lifetime of 10 hours every day at
# 10PM. The second rule specifies that script nightalarm.sh must be used for
# sending alert messages at nights, otherwise script alarm.sh should be used.
# Every night-time event is added to context night, and collected events will
# be mailed to root@localhost at 8AM.
#
#
#
# Example 5
#
# You have configured your
# syslog daemon to produce an input file for sec, but you would also like to
# monitor an application that does not use syslog(3) to produce its logfile.
# Consider the following rule:
#
#type=Calendar
#time=* * * * *
#context=!APP_LOG_MON_IS_RUNNING
#desc=start APP_LOG monitoring
#action=spawn /usr/bin/tail -f /var/log/app.log; \
# create APP_LOG_MON_IS_RUNNING
#
# This rule will start to monitor /var/log/app.log when sec is started, by
# turning 'tail -f' output into sec events. When /var/log/app.log is recreated,
# don't forget to send SIGHUP to sec, since this will force sec to delete the
# context APP_LOG_MON_IS_RUNNING and terminate the existing 'tail -f', so that
# a new instance of 'tail -f' can be started for the new i-node.
#
# Example 6
#
# This section presents an example rulebase for managing Cisco devices. It is
# assumed that the managed devices have syslog(3)-style logging enabled, and
# that all syslog messages are sent to a central host and written to a common
# logfile that serves as an input for sec.
#
# Set up contexts NIGHT and WEEKEND for nights
# and weekends. Context NIGHT has a lifetime
# of 8 hours and context WEEKEND 2 days
#
#type=Calendar
#time=0 23 * * *
#desc=NIGHT
#action=create %s 28800
#
#type=Calendar
#time=0 0 * * 6
#desc=WEEKEND
#action=create %s 172800
#
# If a router does not come up within 5 minutes
# after it was rebooted, generate event
# "<router> REBOOT FAILURE". The next rule matches
# this event, checks the router with ping and sends
# a notification if there is no response.
#
#type=PairWithWindow
#ptype=RegExp
#pattern=(\S+) \d+: %SYS-5-RELOAD
#desc=$1 REBOOT FAILURE
#action=event %s
#ptype2=RegExp
#pattern2=($1) \d+: %SYS-5-RESTART
#desc2=$1 successful reboot
#action2=logonly
#window=300
#
#type=SingleWithScript
#ptype=RegExp
#pattern=(\S+) REBOOT FAILURE
#script=not_responding.sh $1
#desc=$1 did not come up after reboot
#action=shellcmd notify.sh "%s"
#
# Send a notification if CPU load of a router is too
# high (two CPUHOG messages are received within 5
# minutes); send another notification if the load is
# normal again (no CPUHOG messages within last 15
# minutes). Rule is not applied at night or weekend.
#
#type=SingleWith2Thresholds
#ptype=RegExp
#pattern=(\S+) \d+: %SYS-3-CPUHOG
#context=!(NIGHT || WEEKEND)
#desc=$1 CPU overload
#action=shellcmd notify.sh "%s"
#window=300
#thresh=2
#desc2=$1 CPU load normal
#action2=shellcmd notify.sh "%s"
#window2=900
#thresh2=0
#
# If a router interface is in down state for less
# than 15 seconds, generate event
# "<router> INTERFACE <interface> SHORT OUTAGE";
# otherwise generate event
# "<router> INTERFACE <interface> DOWN".
#
#type=PairWithWindow
#ptype=RegExp
#pattern=(\S+) \d+: %LINK-3-UPDOWN: Interface (.+), changed state to down
#desc=$1 INTERFACE $2 DOWN
#action=event %s
#ptype2=RegExp
#pattern2=($1) \d+: %LINK-3-UPDOWN: Interface ($2), changed state to up
#desc2=$1 INTERFACE $2 SHORT OUTAGE
#action2=event %s
#window=15
#
# If "<router> INTERFACE <interface> DOWN" event is
# received from previous rule, send a notification and
# wait for "interface up" event for the next 24 hours
#
#type=Pair
#ptype=RegExp
#pattern=(\S+) INTERFACE (\S+) DOWN
#desc=$1 interface $2 is down
#action=shellcmd notify.sh "%s"
#ptype2=RegExp
#pattern2=($1) \d+: %LINK-3-UPDOWN: Interface ($2), changed state to up
#desc2=$1 interface $2 is up
#action2=shellcmd notify.sh "%s"
#window=86400
#
# If ten "short outage" events have been observed
# in the window of 6 hours, send a notification
#
#type=SingleWithThreshold
#ptype=RegExp
#pattern=(\S+) INTERFACE (\S+) SHORT OUTAGE
#desc=Interface $2 at node $1 is unstable
#action=shellcmd notify.sh "%s"
#window=21600
#thresh=10