Log Analyzer Settings (analyzer.toml)
By default, the settings from the log analyzer are located here:
/etc/kor-elf-shield/analyzer.toml
The path to these settings can be changed in the main settings and can be found here (parameter analyzer).
A copy of the full settings file is here.
There are several sections in this file:
- Password brute force protection
- Password brute force protection (group settings)
- Password brute force protection (setting up log analysis rules)
- Track authorizations
- Log analysis settings for notifications
- Analyzing logs for notifications (setting up groups)
- Log analysis for notification (setting up log analysis rules)
Password brute force protection
Specify the parameters for this section first [bruteForceProtection], and then specify the other parameters of this section. Example:
[bruteForceProtection]
enabled = true
notify = true
rate_limit_count = 5
blocking_time = 3600
blocking_time = 3600
rate_limit_reset_period = 86400
| Parameter | enabled |
| Meaning | true or false |
| By default | true |
| Description | Enables the password brute force tracking group. If disabled, password brute force tracking will not work. true - includes false - turns it off |
| Examples |
|
| Parameter | notify |
| Meaning | true or false |
| By default | true |
| Description | Enables notifications about blockages. If disabled, they will be displayed in the logs only at the level = "info". true - includes false - turns it off |
| Examples |
|
| Parameter | rate_limit_count |
| Meaning | from 1 |
| By default | 5 |
| Description | The maximum number of errors after which the lock will occur. |
| Examples |
|
| Parameter | blocking_time |
| Meaning | from 0 |
| By default | 3600 |
| Description | The time in seconds during which the IP address will be blocked. Specifying 0 will permanently block it. |
| Examples |
|
| Parameter | rate_limit_period |
| Meaning | from 1 |
| By default | 3600 |
| Description | Set a time interval to track login failures for seconds. |
| Examples |
|
| Parameter | rate_limit_reset_period |
| Meaning | from 0 |
| By default | 86400 |
| Description | We specify in seconds after which time to reset the IP data in the _default group if there were no events. If you specify 0, it will not reset. |
| Examples |
|
| Parameter | ssh_enable |
| Meaning | true or false |
| By default | true |
| Description | Enables password brute force protection from ssh. true - includes false - turns it off |
| Examples |
|
| Parameter | ssh_notify |
| Meaning | true or false |
| By default | true |
| Description | Enables lock notifications when password brute force protection is activated. If disabled, they will be displayed in the logs only at the level = "info". true - includes false - turns it off |
| Examples |
|
| Parameter | ssh_notify_cooldown_seconds |
| Meaning | From 0 |
| By default | 0 |
| Description | The minimum interval in seconds between notifications of successful SSH blocking. After sending the notification, no repeat notifications will be sent within the specified time. If you specify 0, the time limit for notifications will be disabled. |
| Examples |
|
| Parameter | ssh_notify_every |
| Meaning | From 0 |
| By default | 0 |
| Description | The number of successful SSH locks to skip after sending the notification. The next notification will be sent after the specified number of new lock messages. This parameter takes precedence over ssh_notify_cooldown_seconds. If you specify 0, the limit on the number of messages will be disabled. |
| Examples |
|
| Parameter | ssh_group |
| Meaning | Specify name groups from [[bruteForceProtection.groups]] |
| By default | |
| Description | You can specify your own group to link to other rules. |
| Examples |
|
Password brute force protection (group settings)
If you want to add your own groups. Specify the parameters for this section first [[bruteForceProtection.groups]], and then specify the other parameters of this section.
| Parameter | [[bruteForceProtection.groups]] |
| Meaning | We specify the group settings. |
| By default | |
| Description |
This is a group of settings to protect against password brute force. [[bruteForceProtection.groups]] You can specify an unlimited number of groups. |
| Examples |
Here we have indicated a few [[bruteForceProtection.groups.rate_limits]]. This means that after the temporary blocking, the IP address in this group will move to the next level [[bruteForceProtection.groups.rate_limits]]. Level 1 will work according to the rules that if an IP address has made 5 unsuccessful login attempts, where there was less than an hour between attempts, it will be blocked for 10 minutes. Only port 21 and will be blocked for this IP address TCP . UDP And the IP address will be moved to the next level. Level 2 will work according to the rules that if an IP address has made 3 unsuccessful login attempts, where there was less than an hour between attempts, it will be blocked for an hour. Only port 21 and will be blocked for this IP address TCP . UDP And the IP address will be moved to the next level. Level 3 will work according to the rules that if an IP address has made 2 unsuccessful login attempts, where there were less than 5 hours between attempts, it will be blocked for 10 hours. This time, all ports for this IP address are blocked. And the IP address will be moved to the next level. Since there is no 4th level, only the 3rd level will continue to be accepted for this IP address. But if there rate_limit_reset_period = 86400have been no unsuccessful authorizations from this IP address during the day (), then it will transfer to level 1 again. Another example:
|
Password brute force protection (setting up log analysis rules)
If you want to add your own settings to track failed logins. Specify the parameters for this section first [[bruteForceProtection.rules]], and then specify the other parameters of this section.
| Parameter | [[bruteForceProtection.rules]] |
| Meaning | We specify the settings of the rules for log analysis. |
| By default | |
| Description |
[[bruteForceProtection.rules]] You can specify an unlimited number of rules. |
| Examples |
Another example:
Another example: If you have a service that needs password protection, but the frequency of password selection attempts leads to numerous notifications, and you don't want to disable notifications completely, but still want to receive them from time to time, you can specify the notify_cooldown_seconds and/or notify_everyoptions.
We have specified notify_cooldown_seconds = 86400what it means that after receiving the blocking notification, we will no longer receive notifications from this rule for 86400 seconds. We also specified notify_every = 100what it means that after receiving the block notification, we will receive notifications again after 100 blocks. This means that we will receive the next notification either in 24 hours or in 100 blocks. |
Track authorizations
Specify the parameters for this section first [login], and then specify the other parameters of this section. Example:
[login]
enabled = true
notify = true
ssh_enable = true
ssh_notify = true
local_enable = true
local_notify = true
| Parameter | enabled |
| Meaning | true or false |
| By default | true |
| Description | Enables the authorization tracking group. If disabled, authorization tracking will not work. true - includes false - turns it off |
| Examples |
|
| Parameter | notify |
| Meaning | true or false |
| By default | true |
| Description | Enables authorization notifications. If disabled, they will be displayed in the logs only at the level = "info". true - includes false - turns it off |
| Examples |
|
| Parameter | ssh_enable |
| Meaning | true or false |
| By default | true |
| Description | Enables ssh authorization tracking. true - includes false - turns it off |
| Examples |
|
| Parameter | ssh_notify |
| Meaning | true or false |
| By default | true |
| Description | Enables ssh authorization notifications. If disabled, they will be displayed in the logs only at the level = "info". true - includes false - turns it off |
| Examples |
|
| Parameter | local_enable |
| Meaning | true or false |
| By default | true |
| Description | Enables tracking of local authorizations (TTYphysical access). true - includes false - turns it off |
| Examples |
|
| Parameter | local_notify |
| Meaning | true or false |
| By default | true |
| Description | Enables notifications about local authorizations. true - includes false - turns it off |
| Examples |
|
| Parameter | su_enable |
| Meaning | true or false |
| By default | true |
| Description | Enables tracking if someone uses the command `su` to access another account. true - includes false - turns it off |
| Examples |
|
| Parameter | su_notify |
| Meaning | true or false |
| By default | true |
| Description | Enables notifications if someone uses the command `su` to access another account. true - includes false - turns it off |
| Examples |
|
| Parameter | sudo_enable |
| Meaning | true or false |
| By default | false |
| Description | Enables tracking if someone uses the command `sudo` to access another account. note: This option can become burdensome if the command sudo is widely used. true - includes false - turns it off |
| Examples |
|
| Parameter | sudo_notify |
| Meaning | true or false |
| By default | true |
| Description | Enables notifications if someone uses the command `sudo` to access another account. true - includes false - turns it off |
| Examples |
|
Log analysis settings for notifications
Specify the parameters for this section first [logAlert], and then specify the other parameters of this section. Example:
[logAlert]
enabled = true
notify = true
| Parameter | enabled |
| Meaning | true or false |
| By default | true |
| Description | Enables the notification log tracking group. If disabled, tracking logs for notifications will not work. true - includes false - turns it off |
| Examples |
|
| *** | |
|---|---|
| Parameter | notify |
| Meaning | true or false |
| By default | true |
| Description | Enables notifications. If disabled, they will be displayed in the logs only at the level = "info". true - includes false - turns it off |
| Examples |
|
Analyzing logs for notifications (setting up groups)
If you want to add your own groups. Specify the parameters for this section first [[logAlert.groups]], and then specify the other parameters of this section.
| Parameter | [[logAlert.groups]] |
| Meaning | We specify the group settings. |
| By default | |
| Description |
This is a group of settings for analyzing logs for notifications. [[logAlert.groups]] You can specify an unlimited number of groups. |
| Examples |
Here we have indicated a few [[logAlert.groups.rate_limits]]. This means that after a few events in this group, it will move to the next level [[logAlert.groups.rate_limits]]. Level 1 will work according to the rules that if 5 events occurred, where there was less than an hour between events, notifications will be sent. And moved to the next level. Level 2 will work according to the rules that if 10 events occurred, where there was less than an hour between events, notifications will be sent. And moved to the next level. Level 3 will work according to the rules that if 50 events occurred, where there was less than an hour between attempts, notifications will be sent. And moved to the next level. Since there are no 4 levels, only the 3rd level will continue to be accepted for this event. But if rate_limit_reset_period = 86400there was no such event during the day (), then it will be transferred to level 1 again. Another example:
|
Log analysis for notification (setting up log analysis rules)
If you want to add your own settings for notifications. Specify the parameters for this section first [[logAlert.rules]], and then specify the other parameters of this section.
| Parameter | [[logAlert.rules]] |
| Meaning | We specify the settings of the rules for log analysis. |
| By default | |
| Description |
[[logAlert.rules]] You can specify an unlimited number of rules. |
| Examples |
|