-
Notifications
You must be signed in to change notification settings - Fork 0
Execution of arbitrary commands based on frequency of observed events from multiple sources.
License
mikey-austin/mousetrapd
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
mousetrapd mousetrapd - Log monitoring and active response daemon SYNOPSIS mousetrapd [options] Options: --daemon start as a daemon --user=<user> user to setuid to --group=<group> group to setgid to --pidfile=<pidfile> location of the pidfile --config=<config> path to configuration file --help print help and exit --version print version and exit DESCRIPTION This program monitors multiple file sources as specified in the configuration file and executes arbitrary actions based on the frequency of observer "events". An event is a captured string extracted out of a line from a log file. For example, if the following source was configured in the mousetrapd configuration file: my_iptables_source: { file: '/var/log/kern.log', pattern: 'audit out smtp .+ UID=(\d+)', index: 0, action: 'iptables -A OUTPUT -m owner --uid-owner %L -j DROP' } a unique match of the value of the group above (ie \d+) is considered an event. So to illustrate further, if the following line was observed in /var/log/kern.log with the configured "pattern" above: IPTABLES - audit out smtp IN= OUT=eth0 ... UID=12333 ... the "event" is considered an occurance of "12333". A limit of event occurances per time period is configured, along with a threshold. If a particular event exceeds this limit, an arbitrary command configured against the source is executed, with '%L' substituted for the event. In the example above, the following command would be executed: iptables -A OUTPUT -m owner --uid-owner 12333 -j DROP SIGNALS The mousetrapd daemon will catch the HUP signal, reload the configuration that the daemon was started with, and restart all source watcher child processes. AUTHOR Mikey Austin, <[email protected]> COPYRIGHT AND LICENSE Copyright (C) 2014 Mikey Austin <[email protected]> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
About
Execution of arbitrary commands based on frequency of observed events from multiple sources.
Resources
License
Stars
Watchers
Forks
Packages 0
No packages published