# # from http://sixshooter.v6.thrupoint.net/SEC-examples/article.html # # SEC rules to pick up disruptive monitoring # events. # #Logs involving syslogd disabled or unusual promiscuous mode (MONITOR) #---------------------------------------------------------------------- #Nov 15 20:02:48 foohost syslogd: exiting on signal 15 #Nov 22 02:00:02 foohost syslogd: restart #Nov 11 15:58:55 foohost /kernel: de0: promiscuous mode enabled #Nov 11 15:58:57 foohost /kernel: de0: promiscuous mode disabled # # # Syslog Exit # ----------- # type=Single ptype=RegExp pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: exiting on signal (\d+) desc=$0 action=write - MONITOR: $1 syslog exit on signal $2 at %t # # Syslog Restart # --------------- # type=Single ptype=RegExp pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: restart desc=$0 action=write - MONITOR: $1 syslog restart at %t # # Syslog Exit # ----------- # type=Single ptype=RegExp pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+) promiscuous mode (\S+) desc=$0 action=write - MONITOR: $1 $2 promiscuous mode $3 at %t # # Swapspace failure # type=Single ptype=RegExp pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+kernel: swap_pager_getswapspace\(\S\): .* desc=$0 action=pipe '$1 GET SWAP FAILURE: %s' /usr/bin/mail -s "SWAP SPACE FAIL on $1" alerts@yourdomain.com