33 lines
942 B
Plaintext
33 lines
942 B
Plaintext
getfilename() !~ /^\/var\/log\/syslog\// {
|
|
stop
|
|
}
|
|
|
|
def syslog {
|
|
/(?P<date>(?P<legacy_date>\w+\s+\d+\s+\d+:\d+:\d+)|(?P<rfc3339_date>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d+[+-]\d{2}:\d{2}))/ +
|
|
/\s+(?:\w+@)?(?P<hostname>[\w\.-]+)\s+(?P<application>[\w\.-]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<message>.*)/ {
|
|
# If the legacy_date regexp matched, try this format.
|
|
len($legacy_date) > 0 {
|
|
strptime($legacy_date, "Jan _2 15:04:05")
|
|
}
|
|
# If the RFC3339 style matched, parse it this way.
|
|
len($rfc3339_date) > 0 {
|
|
strptime($rfc3339_date, "2006-01-02T15:04:05-07:00")
|
|
}
|
|
# Call into the decorated block
|
|
next
|
|
}
|
|
}
|
|
|
|
counter syslog_loglines_total by application
|
|
counter ssh_invalid_user
|
|
|
|
@syslog {
|
|
syslog_loglines_total[$application]++
|
|
$application == "sshd" {
|
|
$message =~ /^Invalid user/ {
|
|
ssh_invalid_user++
|
|
}
|
|
}
|
|
}
|
|
|