crowdsec/config/detect.yaml

483 lines
8.4 KiB
YAML
Raw Permalink Normal View History

---
version: 1.0
# TODO: This file must be reviewed before the `cscli setup` command becomes GA
detect:
#
# crowdsecurity/apache2
#
# XXX some distro is using this path?
# - /var/log/*http*/*.log
apache2-systemd-deb:
when:
- UnitFound("apache2.service")
- PathExists("/etc/debian_version")
install:
collections:
- crowdsecurity/apache2
datasource:
source: file
filenames:
- /var/log/apache2/*.log
labels:
type: apache2
apache2-systemd-rpm:
when:
- UnitFound("httpd.service")
- PathExists("/etc/redhat-release")
install:
collections:
- crowdsecurity/apache2
datasource:
source: file
filenames:
- /var/log/httpd/*.log
# XXX /var/log/*http*/*.log
labels:
type: apache2
#
# crowdsecurity/asterisk
#
asterisk-systemd:
when:
- UnitFound("asterisk.service")
install:
collections:
- crowdsecurity/asterisk
datasource:
source: file
labels:
type: asterisk
filenames:
- /var/log/asterisk/*.log
#
# crowdsecurity/caddy
#
caddy-systemd:
when:
- UnitFound("caddy.service")
install:
collections:
- crowdsecurity/caddy
datasource:
source: file
labels:
type: caddy
filenames:
- /var/log/caddy/*.log
#
# crowdsecurity/dovecot
#
dovecot-systemd:
when:
- UnitFound("dovecot.service")
install:
collections:
- crowdsecurity/dovecot
datasource:
source: file
labels:
type: syslog
filenames:
- /var/log/mail.log
#
# LePresidente/emby
#
emby-systemd:
when:
- UnitFound("emby-server.service")
install:
collections:
- LePresidente/emby
datasource:
source: file
labels:
type: emby
filenames:
- /var/log/embyserver.txt
#
# crowdsecurity/endlessh
#
endlessh-systemd:
when:
- UnitFound("endlessh.service")
install:
collections:
- crowdsecurity/endlessh
datasource:
source: journalctl
labels:
type: syslog
# XXX this? or /var/log/syslog?
journalctl_filter:
- "_SYSTEMD_UNIT=endlessh.service"
#
# crowdsecurity/gitea
#
# XXX untested
gitea-systemd:
when:
- UnitFound("gitea.service")
install:
collections:
- crowdsecurity/gitea
datasource:
source: file
labels:
type: gitea
filenames:
- /var/log/gitea.log
#
# crowdsecurity/haproxy
#
haproxy-systemd:
when:
- UnitFound("haproxy.service")
install:
collections:
- crowdsecurity/haproxy
datasource:
source: file
labels:
type: haproxy
filenames:
- /var/log/haproxy/*.log
#
# firewallservices/lemonldap-ng
#
lemonldap-ng-systemd:
when:
- UnitFound("lemonldap-ng-fastcgi-server.service")
install:
collections:
- firewallservices/lemonldap-ng
#datasource:
# # XXX todo where are the logs?
# labels:
# type: syslog
#
# crowdsecurity/mariadb
#
mariadb-systemd:
when:
- UnitFound("mariadb.service")
install:
collections:
- crowdsecurity/mariadb
datasource:
source: file
labels:
type: mysql
filenames:
- /var/log/mysql/error.log
#
# crowdsecurity/mysql
#
mysql-systemd:
when:
- UnitFound("mysql.service")
install:
collections:
- crowdsecurity/mysql
datasource:
source: file
labels:
type: mysql
filenames:
- /var/log/mysql/error.log
#
# crowdsecurity/nginx
#
nginx-systemd:
when:
- UnitFound("nginx.service")
install:
collections:
- crowdsecurity/nginx
datasource:
source: file
labels:
type: nginx
filenames:
- /var/log/nginx/*.log
openresty-systemd:
when:
- UnitFound("openresty.service")
install:
collections:
- crowdsecurity/nginx
datasource:
source: file
labels:
type: nginx
filenames:
- /usr/local/openresty/nginx/logs/*.log
#
# crowdsecurity/odoo
#
odoo-systemd:
when:
- UnitFound("odoo.service")
install:
collections:
- crowdsecurity/odoo
datasource:
source: file
labels:
type: odoo
filenames:
- /var/log/odoo/*.log
#
# LePresidente/ombi
#
# This only works on deb-based systems. On other distributions, the
# application is run from the release tarball and the log location depends on
# the location it's run from.
ombi-systemd:
when:
- UnitFound("ombi.service")
- PathExists("/etc/debian_version")
install:
collections:
- LePresidente/ombi
datasource:
source: file
labels:
type: ombi
filenames:
- /var/log/ombi/log-*.txt
#
# crowdsecurity/pgsql
#
pgsql-systemd-deb:
when:
- UnitFound("postgresql.service")
- PathExists("/etc/debian_version")
install:
collections:
- crowdsecurity/pgsql
datasource:
source: file
labels:
type: postgres
filenames:
- /var/log/postgresql/*.log
pgsql-systemd-rpm:
when:
- UnitFound("postgresql.service")
- PathExists("/etc/redhat-release")
install:
collections:
- crowdsecurity/pgsql
datasource:
source: file
labels:
type: postgres
filenames:
- /var/lib/pgsql/data/log/*.log
#
# crowdsecurity/postfix
#
postfix-systemd:
when:
- UnitFound("postfix.service")
install:
collections:
- crowdsecurity/postfix
datasource:
source: file
labels:
type: syslog
filenames:
- /var/log/mail.log
#
# crowdsecurity/proftpd
#
proftpd-systemd:
when:
- UnitFound("proftpd.service")
install:
collections:
- crowdsecurity/proftpd
datasource:
source: file
labels:
type: proftpd
filenames:
- /var/log/proftpd/*.log
#
# fulljackz/pureftpd
#
pureftpd-systemd:
when:
- UnitFound("pure-ftpd.service")
install:
collections:
- fulljackz/pureftpd
# XXX ?
datasource:
source: file
labels:
type: syslog
filenames:
- /var/log/pure-ftpd/*.log
#
# crowdsecurity/smb
#
smb-systemd:
when:
# deb -> smbd.service
# rpm -> smb.service
- UnitFound("smbd.service") or UnitFound("smb.service")
install:
collections:
- crowdsecurity/smb
datasource:
source: file
labels:
type: smb
filenames:
- /var/log/samba*.log
#
# crowdsecurity/sshd
#
sshd-systemd:
when:
# deb -> ssh.service
# rpm -> sshd.service
- UnitFound("ssh.service") or UnitFound("sshd.service") or UnitFound("ssh.socket") or UnitFound("sshd.socket")
install:
collections:
- crowdsecurity/sshd
datasource:
source: file
labels:
type: syslog
filenames:
- /var/log/auth.log
- /var/log/sshd.log
- /var/log/secure
#
# crowdsecurity/suricata
#
suricata-systemd:
when:
- UnitFound("suricata.service")
install:
collections:
- crowdsecurity/suricata
datasource:
source: file
labels:
type: suricata-evelogs
filenames:
- /var/log/suricata/eve.json
#
# crowdsecurity/vsftpd
#
vsftpd-systemd:
when:
- UnitFound("vsftpd.service")
install:
collections:
- crowdsecurity/vsftpd
datasource:
source: file
labels:
type: vsftpd
filenames:
- /var/log/vsftpd/*.log
#
# Operating Systems
#
linux:
when:
- OS.Family == "linux"
install:
collections:
- crowdsecurity/linux
datasource:
source: file
labels:
type: syslog
filenames:
- /var/log/syslog
- /var/log/kern.log
- /var/log/messages
freebsd:
when:
- OS.Family == "freebsd"
install:
collections:
- crowdsecurity/freebsd
windows:
when:
- OS.Family == "windows"
install:
collections:
- crowdsecurity/windows
#
# anti-lockout
#
whitelists:
install:
parsers:
- crowdsecurity/whitelists