sebres
2ba9fee79f
Merge branch 'master' into debian
2024-04-25 23:54:22 +02:00
sebres
2c13cba73d
loosening for denied suffix (would match no matter which reason in parenthesis);
...
add coverage for denied with "(allow-query-cache did not match)"
2024-03-25 16:35:20 +01:00
Rudimar Remontti
fd7657f9a9
Update named-refused.conf
2024-03-25 16:35:16 +01:00
sebres
1ec9237e53
bypass additional pid in prefix (may be logged by syslog-ng, gh-3060); matches protocol error with authentication mechanism not supported
2024-03-25 15:52:06 +01:00
sebres
c80908837f
`filter.d/exim.conf`:
...
- messages are prefiltered by `prefregex` now
- filter can bypass additional timestamp that may be logged via systemd-journal (gh-3060)
2024-03-25 15:31:23 +01:00
Vladimir Varlamov
8da0a99cde
pid part may contain full hostname
2024-03-22 22:38:33 +03:00
Vladimir Varlamov
806a27cb4f
final `<HOST>` to `<ADDR>` conversion
2024-03-22 22:38:33 +03:00
sebres
e605415f61
simplify fields-group a bit (everything up to 4 chars long but H), so it'll be faster (no multiple branches) as well as would theoretically accept future enhancements of logged fields.
2024-03-22 16:47:54 +01:00
sebres
c22a83933b
let's use `<ADDR>` instead `<HOST>` - only IPs expected, since host-name bypassed before it (directly after H=)
2024-03-22 16:35:46 +01:00
Vladimir Varlamov
df94ec4c52
filter.d/exim.conf: rewrite host line regex for all varied exim's log_selector states
...
Depending on Exim's log_selector settings, log lines may contain additional information about the connection. And also the line itself with the address of the remote host can vary greatly. But fortunately, all states can be found in the Exim code itself and taken into account. Makes it easier to add new regexps.
Closes #3263
2024-03-22 00:16:41 +03:00
Anton Samets
0c125ec9c9
filter.d/postfix.conf: add Sender address rejected: Malformed DNS server reply ( #3590 )
...
* add Sender address rejected: Malformed DNS server reply
2024-03-19 20:30:45 +01:00
Sergey G. Brester
f63868b3e8
filter.d/apache-common.conf: remote besides client, gh-3622
2024-03-15 22:36:40 +01:00
Sergey G. Brester
529eb79ddb
Merge pull request #3692 from pingou2712/postfixSystemd
...
Change journalmatch postfix
2024-03-13 02:34:03 +01:00
Vincent Laffargue
d260ed31d2
Maintain backward compatibility Postfix SYSTEMD_UNIT
2024-03-12 04:42:36 +01:00
Sergey G. Brester
dd3c78ecab
filter.d/recidive.conf: conditional RE depending on logtype (for file or journal)
2024-03-11 17:49:06 +01:00
Vincent Laffargue
0b63fc312d
Change Regex Recidive and journalmatch For Systemd Match
2024-03-10 10:56:35 +01:00
Vincent Laffargue
93082ead79
Change journalmatch postfix
2024-03-10 10:10:03 +01:00
Sergey G. Brester
45d7f3cb97
no space in any case
2024-03-08 11:43:46 +01:00
László Károlyi
ff701e94c3
Add to postfix syslog daemon format
2024-03-07 20:23:50 +01:00
sebres
4f679a56e0
filter.d/sshd.conf: ddos/aggressive mode extended to match new messages caused by port scanner, wrong payload on ssh port:
...
- message authentication code incorrect [preauth]
- connection corrupted [preauth]
- timeout before authentication
closes gh-3486
2024-02-13 16:53:21 +01:00
sebres
3190febb27
IPv6 fix (second IP logged in form for IPv6); pam authentication failure (part of gh-3410)
2023-12-30 15:10:37 +01:00
sebres
093cd763ce
filter.d/postfix.conf: "rejected" extended to match "Access denied" too;
...
closes gh-3474
2023-12-15 01:03:30 +01:00
sebres
ff4a2a12fc
filter.d/postfix.conf: avoid double counting ('lost connection after AUTH' together with message 'disconnect ...');
...
closes gh-3505
2023-12-15 00:32:48 +01:00
sebres
0abba5dc6e
more filters for nginx error-log supporting journal format now, added generalized include and __prefix_line
2023-12-10 15:21:20 +01:00
sebres
b245225b13
filter.d/nginx-http-auth.conf: added optional prefix to support systemd-journal format and additional timestamp (optionally) in prefix
2023-12-10 14:39:21 +01:00
Yaroslav Halchenko
8ef0d3c7a9
[DATALAD RUNCMD] run codespell throughout fixing typo automagically
...
=== Do not change lines below ===
{
"chain": [],
"cmd": "codespell -w",
"exit": 0,
"extra_inputs": [],
"inputs": [],
"outputs": [],
"pwd": "."
}
^^^ Do not change lines above ^^^
2023-11-18 10:04:04 -05:00
Yaroslav Halchenko
81b2eb32d6
Add pragma to ignore a codespell-detected typoin postfix.conf
2023-11-18 10:03:50 -05:00
Sergey G. Brester
eed319e896
gh-3604: filter.d/slapd.conf - switched to single-line processing
...
closes gh-3604
2023-10-18 16:06:56 +02:00
Sergey G. Brester
183f805ae3
amend
2023-10-16 11:41:05 +02:00
Sergey G. Brester
7931b67325
mysqld-auth.conf: better RE, optional suffix, non-capturing groups
2023-10-16 11:35:53 +02:00
Aliaksandr Yurchyk
c55e9949dc
Fix issue with Mariadb 10.3 failed message
2023-10-16 01:35:15 +03:00
Sergey G. Brester
f8f8c046a2
Merge pull request #3469 from vitkabele/routeros-auth
...
New filter: routeros-auth.conf
2023-09-02 18:56:04 +02:00
sebres
eebef0089c
avoid double counting for "maximum authentication attempts exceeded" ("Disconnecting ..." is no failure anymore, now it's helper only);
...
closes gh-3485
2023-06-13 18:49:26 +02:00
Sergey G. Brester
809b904106
filter.d/exim.conf: fixes "dropped: too many ..." regex and also matches unrecognized commands new vector
2023-04-24 15:40:53 +02:00
Sergey G. Brester
9cbf59c827
anchored datepattern and added journalmatch (if monitoring systemd journal)
2023-03-23 12:16:13 +01:00
Sergey G. Brester
2c0360d178
Merge branch 'master' into nginx-forbidden
2023-03-23 12:01:50 +01:00
Vít Kabele
a2c77429b9
New filter: routeros-auth.conf ( Closes #3469 )
...
Add filter to detect failed login attempts in the log produced by
MikroTik RouterOS.
- Add the filter to jail.conf
- Add testcase for the filter
Signed-off-by: Vít Kabele <vit@kabele.me>
2023-03-02 09:25:24 +01:00
Sergey G. Brester
efbbcb41ea
non capturing group
2022-11-18 12:32:15 +01:00
Sergey G. Brester
996553f330
review, simplify regex and capture user name
2022-11-18 12:31:11 +01:00
Andrey Alekseenko
df91b047d2
Dante SOCKS server: handle "1 byte/second" case
...
Thanks to @Loriowar and @sebres for pointing it out
2022-11-17 23:22:56 +01:00
Andrey Alekseenko
05c162ef10
Create filter for Dante SOCKS server
2022-11-17 23:22:55 +01:00
Sergey G. Brester
ae5fe2e003
amend to #3405 , eliminate catch-all
2022-11-15 14:29:59 +01:00
sebres
cbb097a2b3
small amend (non capturing group)
2022-11-14 18:56:01 +01:00
sebres
82506f0586
filter.d/selinux-ssh.conf, filter.d/selinux-common.conf: fixes #3405 (new format with GS and additional parameters, e. g. grantors)
2022-11-14 18:51:06 +01:00
sebres
a349a5ce11
Merge branch 'upstream/master' (1.0.2) into upstream/debian
2022-11-09 17:18:01 +01:00
sebres
d8e2b03a24
`filter.d/named-refused.conf` extended (closes gh-3388):
...
- support BIND named log categories
- allow `info:` as possible error prefix too ("query (cache) denied" may occur as info)
2022-11-03 11:41:21 +01:00
sebres
ca2b94c522
fixes gh-3370: resolve extremely long search by repeated apply of non-greedy RE `(?:: (?:[^\(]+|\w+\([^\)]*\))+)?` with following branches (it may be extremely slow up to infinite search depending on message); added new regression tests
...
amend to gh-3210: fixes regression and matches new format in aggressive mode too
2022-10-04 14:10:45 +02:00
sebres
c0b41c6f8e
Merge branch 'upstream/master' (1.0.1) into upstream/debian
2022-09-27 18:51:58 +02:00
sebres
a08b925468
Merge branch '0.11'
2022-08-17 16:59:02 +02:00
Sergey G. Brester
514cca9ade
filter.d/sendmail-auth.conf: detect failures without user part
2022-08-01 09:20:28 +02:00