Log Analyzer Settings (analyzer.toml)

By default, the settings from the log analyzer are located here:

/etc/kor-elf-shield/analyzer.toml

The path to these settings can be changed in the main settings and can be found here (parameter analyzer).

A copy of the full settings file is here.

There are several sections in this file:


Password brute force protection

Specify the parameters for this section first [bruteForceProtection], and then specify the other parameters of this section. Example:

[bruteForceProtection]
enabled = true
notify = true
rate_limit_count = 5
blocking_time = 3600
blocking_time = 3600
rate_limit_reset_period = 86400
Parameter enabled
Meaning true or false
By default true
Description Enables the password brute force tracking group. If disabled, password brute force tracking will not work.
true  - includes
false - turns it off
Examples
enabled = true
enabled = false
Parameter notify
Meaning true or false
By default true
Description Enables notifications about blockages. If disabled, they will be displayed in the logs only at the level = "info".
true  - includes
false - turns it off
Examples
notify = true
notify = false
Parameter rate_limit_count
Meaning from 1
By default 5
Description The maximum number of errors after which the lock will occur.
Examples
rate_limit_count = 5
rate_limit_count = 3
Parameter blocking_time
Meaning from 0
By default 3600
Description The time in seconds during which the IP address will be blocked. Specifying 0 will permanently block it.
Examples
blocking_time = 3600
blocking_time = 600
blocking_time = 0
Parameter rate_limit_period
Meaning from 1
By default 3600
Description Set a time interval to track login failures for seconds.
Examples
rate_limit_period = 3600
rate_limit_period = 600
Parameter rate_limit_reset_period
Meaning from 0
By default 86400
Description We specify in seconds after which time to reset the IP data in the _default group if there were no events. If you specify 0, it will not reset.
Examples
rate_limit_reset_period = 3600
rate_limit_reset_period = 86400
rate_limit_reset_period = 0
Parameter ssh_enable
Meaning true or false
By default true
Description Enables password brute force protection from ssh.
true  - includes
false - turns it off
Examples
ssh_enable = true
ssh_enable = false
Parameter ssh_notify
Meaning true or false
By default true
Description Enables lock notifications when password brute force protection is activated. If disabled, they will be displayed in the logs only at the level = "info".
true  - includes
false - turns it off
Examples
ssh_notify = true
ssh_notify = false
Parameter ssh_notify_cooldown_seconds
Meaning From 0
By default 0
Description The minimum interval in seconds between notifications of successful SSH blocking. After sending the notification, no repeat notifications will be sent within the specified time. If you specify 0, the time limit for notifications will be disabled.
Examples
ssh_notify_cooldown_seconds = 0
ssh_notify_cooldown_seconds = 86400
Parameter ssh_notify_every
Meaning From 0
By default 0
Description The number of successful SSH locks to skip after sending the notification. The next notification will be sent after the specified number of new lock messages. This parameter takes precedence over ssh_notify_cooldown_seconds. If you specify 0, the limit on the number of messages will be disabled.
Examples
ssh_notify_every = 0
ssh_notify_every = 10
Parameter ssh_group
Meaning Specify name groups from [[bruteForceProtection.groups]]
By default  
Description You can specify your own group to link to other rules.
Examples
ssh_group = ""
ssh_group = "new_group"

Password brute force protection (group settings)

If you want to add your own groups. Specify the parameters for this section first [[bruteForceProtection.groups]], and then specify the other parameters of this section.

Parameter [[bruteForceProtection.groups]]
Meaning We specify the group settings.
By default  
Description

This is a group of settings to protect against password brute force. [[bruteForceProtection.groups]] You can specify an unlimited number of groups.

[[bruteForceProtection.groups]]
name -
The group name must be unique and the following characters are allowed: a-z, A-Z, -, _ (required field)
message - Notification text (required field)
rate_limit_reset_period
- Specify in seconds after which time to reset the data in the group if there were no events. If you specify 0, the time limit for notifications will be disabled.
block_type - Specify the type of lock: ip, ip_port. If you do not specify anything, the type will be specified ip. (optional field)
ports - If the type of lock is ip_portset, then you need to specify the ports that will be blocked after detecting an attempt to brute force the password.
[[bruteForceProtection.groups.rate_limits]] (you can specify several)
count - The maximum number of errors after which the lock will occur.
period - Set a time interval to track login failures for seconds. 
blocking_time - The time in seconds during which the IP address will be blocked. Specifying 0 will permanently block it.
Inside [[bruteForceProtection.groups.rate_limits]] , you can redefine the settings block_type and. ports
block_type - Specify the type of lock: ip, ip_port. If you do not specify anything, the type will be specified ip. (optional field)
ports - If the type of lock is ip_portset, then you need to specify the ports that will be blocked after detecting an attempt to brute force the password.

Examples
[[bruteForceProtection.groups]]
name = "my_name_group"
message = "Любой текст группы"
rate_limit_reset_period = 86400
block_type = "ip_port"
ports = ["21/tcp", "21/udp"]
[[bruteForceProtection.groups.rate_limits]]
count = 5
period = 3600
blocking_time = 600
[[bruteForceProtection.groups.rate_limits]]
count = 3
period = 3600
blocking_time = 3600
[[bruteForceProtection.groups.rate_limits]]
count = 2
period = 18000
blocking_time = 36000
block_type = "ip"

Here we have indicated a few [[bruteForceProtection.groups.rate_limits]]. This means that after the temporary blocking, the IP address in this group will move to the next level [[bruteForceProtection.groups.rate_limits]].

Level 1 will work according to the rules that if an IP address has made 5 unsuccessful login attempts, where there was less than an hour between attempts, it will be blocked for 10 minutes. Only port 21 and will be blocked for this IP address TCP . UDP And the IP address will be moved to the next level.

Level 2 will work according to the rules that if an IP address has made 3 unsuccessful login attempts, where there was less than an hour between attempts, it will be blocked for an hour. Only port 21 and will be blocked for this IP address TCP . UDP And the IP address will be moved to the next level.

Level 3 will work according to the rules that if an IP address has made 2 unsuccessful login attempts, where there were less than 5 hours between attempts, it will be blocked for 10 hours. This time, all ports for this IP address are blocked. And the IP address will be moved to the next level.

Since there is no 4th level, only the 3rd level will continue to be accepted for this IP address. But if there rate_limit_reset_period = 86400have been no unsuccessful authorizations from this IP address during the day (), then it will transfer to level 1 again.


Another example:

[[bruteForceProtection.groups]]
name = "my_name_group"
message = "Any message"
rate_limit_reset_period = 86400
[[bruteForceProtection.groups.rate_limits]]
count = 10
period = 3600
blocking_time = 600

[[bruteForceProtection.groups]]
name = "my_name_group 2"
message = "Any message 2"
rate_limit_reset_period = 3600
block_type = "ip"
[[bruteForceProtection.groups.rate_limits]]
count = 3
period = 60
blocking_time = 600
block_type = "ip_port"
ports = ["80/tcp", "443/tcp"]
[[bruteForceProtection.groups.rate_limits]]
count = 3
period = 60
blocking_time = 1800

[[bruteForceProtection.groups]]
name = "my_name_group 3"
message = "Any message 3"
rate_limit_reset_period = 604800
[[bruteForceProtection.groups.rate_limits]]
count = 10
period = 600
blocking_time = 600
[[bruteForceProtection.groups.rate_limits]]
count = 10
period = 3600
blocking_time = 600
[[bruteForceProtection.groups.rate_limits]]
count = 5
period = 3600
blocking_time = 3600
[[bruteForceProtection.groups.rate_limits]]
count = 3
period = 3600
blocking_time = 86400
[[bruteForceProtection.groups.rate_limits]]
count = 1
period = 3600
blocking_time = 86400

Password brute force protection (setting up log analysis rules)

If you want to add your own settings to track failed logins. Specify the parameters for this section first [[bruteForceProtection.rules]], and then specify the other parameters of this section.

Parameter [[bruteForceProtection.rules]]
Meaning We specify the settings of the rules for log analysis.
By default  
Description

[[bruteForceProtection.rules]] You can specify an unlimited number of rules.

[[bruteForceProtection.rules]]
enabled
- Enables or disables tracking (required field)
notify
- Enables or disables notifications (required field)
notify_cooldown_seconds - Minimum interval in seconds between notifications of successful blocking (optional field)
notify_every - The number of successful locks to skip after sending the notification (optional field)
name - Name of the notification. The following characters are allowed: a-z, A-Z, -, _.  The name must be unique. The first character must be a letter (required field)
message - Notification text (required field)
group - You can specify the name of the group (optional field)
[bruteForceProtection.rules.source] Configuring the log source
type - journalctl or file (required field)
path - The path to the file (required if field type = "file")
field - systemd_unit or syslog_identifier (required field if type = "journalctl")
match - Value (required field if type = "journalctl")
If field = "systemd_unit", then match it should end with:.service, .socket, .target, .mount, .timer, .path, .scope, .slice, .device
[[bruteForceProtection.rules.patterns]]
Adjusting the controls, there may be several
regexp - Specify your regular schedule (required field)
ip - Specify the number from the regular schedule (counting from 1) , which will indicate the IP (required field)
[[bruteForceProtection.rules.patterns.values]] If you want to specify several more fields in the notifications, which can be obtained from the regular schedule.
name - Field name
value - We specify the number from the regular schedule (it starts from 1)

Examples
[[bruteForceProtection.rules]]
enabled = true
notify = true
notify_cooldown_seconds = 0
notify_every = 0
name = "my_name_rule"
message = "Any message"
group = "my_name_group"
[bruteForceProtection.rules.source]
type = "journalctl"
field = "systemd_unit"
match = "ssh.service"
[[bruteForceProtection.rules.patterns]]
regexp = '^Failed password for (\S+) from (\S+) port \S+'
ip = 2
[[bruteForceProtection.rules.patterns.values]]
name = "User"
value = 1

Another example:

[[bruteForceProtection.rules]]
enabled = true
notify = true
notify_cooldown_seconds = 0
notify_every = 0
name = "Name 1"
message = "Message 1"
group = "group"
[bruteForceProtection.rules.source]
type = "journalctl"
field = "syslog_identifier"
match = "test"
[[bruteForceProtection.rules.patterns]]
regexp = '^Login attempt for: (\S+) from: (\S+)\/\S+\s+failed'
ip = 2
[[bruteForceProtection.rules.patterns.values]]
name = "Login"
value = 1


[[bruteForceProtection.rules]]
enabled = true
notify = true
notify_cooldown_seconds = 0
notify_every = 0
name = "Name 2"
message = "Message 2"
group = "group 2"
[bruteForceProtection.rules.source]
type = "file"
path = "/var/log/test.log"
[[bruteForceProtection.rules.patterns]]
regexp = '^Failed authentication attempt from (\d+.\d+.\d+.\d+)\S+\s+user does not exist (\S+)'
ip = 1
[[bruteForceProtection.rules.patterns.values]]
name = "Login"
value = 2
[[bruteForceProtection.rules.patterns]]
regexp = '^Failed authentication attempt from (\d+.\d+.\d+.\d+)\S+\s+\S+ password is invalid (\S+)'
ip = 1
[[bruteForceProtection.rules.patterns.values]]
name = "Login"
value = 2

Another example:

If you have a service that needs password protection, but the frequency of password selection attempts leads to numerous notifications, and you don't want to disable notifications completely, but still want to receive them from time to time, you can specify the notify_cooldown_seconds and/or notify_everyoptions.

[[bruteForceProtection.rules]]
enabled = true
notify = true
notify_cooldown_seconds = 86400
notify_every = 100
name = "Name 2"
message = "Message 2"
group = "group 2"
[bruteForceProtection.rules.source]
type = "file"
path = "/var/log/test.log"
[[bruteForceProtection.rules.patterns]]
regexp = '^Failed authentication attempt from (\d+.\d+.\d+.\d+)\S+\s+user does not exist (\S+)'
ip = 1
[[bruteForceProtection.rules.patterns.values]]
name = "Login"
value = 2

We have specified notify_cooldown_seconds = 86400what it means that after receiving the blocking notification, we will no longer receive notifications from this rule for 86400 seconds. We also specified notify_every = 100what it means that after receiving the block notification, we will receive notifications again after 100 blocks. This means that we will receive the next notification either in 24 hours or in 100 blocks.


Track authorizations

Specify the parameters for this section first [login], and then specify the other parameters of this section. Example:

[login]
enabled = true
notify = true
ssh_enable = true
ssh_notify = true
local_enable = true
local_notify = true
Parameter enabled
Meaning true or false
By default true
Description Enables the authorization tracking group. If disabled, authorization tracking will not work.
true  - includes
false - turns it off
Examples
enabled = true
enabled = false
Parameter notify
Meaning true or false
By default true
Description Enables authorization notifications. If disabled, they will be displayed in the logs only at the level = "info".
true  - includes
false - turns it off
Examples
notify = true
notify = false
Parameter ssh_enable
Meaning true or false
By default true
Description Enables ssh authorization tracking.
true  - includes
false - turns it off
Examples
ssh_enable = true
ssh_enable = false
Parameter ssh_notify
Meaning true or false
By default true
Description Enables ssh authorization notifications. If disabled, they will be displayed in the logs only at the level = "info".
true  - includes
false - turns it off
Examples
ssh_notify = true
ssh_notify = false
Parameter local_enable
Meaning true or false
By default true
Description Enables tracking of local authorizations (TTYphysical access).
true  - includes
false - turns it off
Examples
local_enable = true
local_enable = false
Parameter local_notify
Meaning true or false
By default true
Description Enables notifications about local authorizations.
true  - includes
false - turns it off
Examples
local_notify = true
local_notify = false
Parameter su_enable
Meaning true or false
By default true
Description Enables tracking if someone uses the command `su` to access another account.
true  - includes
false - turns it off
Examples
su_enable = true
su_enable = false
Parameter su_notify
Meaning true or false
By default true
Description Enables notifications if someone uses the command `su` to access another account.
true  - includes
false - turns it off
Examples
su_notify = true
su_notify = false
Parameter sudo_enable
Meaning true or false
By default false
Description Enables tracking if someone uses the command `sudo` to access another account.
note: This option can become burdensome if the command sudo is widely used.
true  - includes
false - turns it off
Examples
sudo_enable = true
sudo_enable = false
Parameter sudo_notify
Meaning true or false
By default true
Description Enables notifications if someone uses the command `sudo` to access another account.
true  - includes
false - turns it off
Examples
sudo_notify = true
sudo_notify = false

Log analysis settings for notifications

Specify the parameters for this section first [logAlert], and then specify the other parameters of this section. Example:

[logAlert]
enabled = true
notify = true
Parameter enabled
Meaning true or false
By default true
Description Enables the notification log tracking group. If disabled, tracking logs for notifications will not work.
true  - includes
false - turns it off
Examples
enabled = true
enabled = false
***
Parameter notify
Meaning true or false
By default true
Description Enables notifications. If disabled, they will be displayed in the logs only at the level = "info".
true  - includes
false - turns it off
Examples
notify = true
notify = false

Analyzing logs for notifications (setting up groups)

If you want to add your own groups. Specify the parameters for this section first [[logAlert.groups]], and then specify the other parameters of this section.

Parameter [[logAlert.groups]]
Meaning We specify the group settings.
By default  
Description

This is a group of settings for analyzing logs for notifications. [[logAlert.groups]] You can specify an unlimited number of groups.

[[logAlert.groups]]
name -
The group name must be unique and the following characters are allowed: a-z, A-Z, -, _   The name must be unique. The first character must be a letter (required field)
message - Notification text (required field)
rate_limit_reset_period
- Specify in seconds after which time to reset the data in the group if there were no events. If you specify 0, the time limit for notifications will be disabled.
[[logAlert.groups.rate_limits]] (you can specify several)
count - After how many events the alert will be triggered.
period - Set a time interval for tracking events.

Examples
[[logAlert.groups]]
name = "my_name_group"
message = "Любой текст группы"
rate_limit_reset_period = 86400
[[logAlert.groups.rate_limits]]
count = 5
period = 3600
[[logAlert.groups.rate_limits]]
count = 10
period = 3600
[[logAlert.groups.rate_limits]]
count = 50
period = 3600

Here we have indicated a few [[logAlert.groups.rate_limits]]. This means that after a few events in this group, it will move to the next level [[logAlert.groups.rate_limits]].

Level 1 will work according to the rules that if 5 events occurred, where there was less than an hour between events, notifications will be sent. And moved to the next level.

Level 2 will work according to the rules that if 10 events occurred, where there was less than an hour between events, notifications will be sent. And moved to the next level.

Level 3 will work according to the rules that if 50 events occurred, where there was less than an hour between attempts, notifications will be sent. And moved to the next level.

Since there are no 4 levels, only the 3rd level will continue to be accepted for this event. But if rate_limit_reset_period = 86400there was no such event during the day (), then it will be transferred to level 1 again.


Another example:

[[logAlert.groups]]
name = "my_name_group"
message = "any message"
rate_limit_reset_period = 86400
[[logAlert.groups.rate_limits]]
count = 10
period = 60

Log analysis for notification (setting up log analysis rules)

If you want to add your own settings for notifications. Specify the parameters for this section first [[logAlert.rules]], and then specify the other parameters of this section.

Parameter [[logAlert.rules]]
Meaning We specify the settings of the rules for log analysis.
By default  
Description

[[logAlert.rules]] You can specify an unlimited number of rules.

[[logAlert.rules]]
enabled 
- Enables or disables tracking (required field)
notify - Enables or disables notifications (required field)
name - Name of the notification. The following characters are allowed: a-z, A-Z, -, _.  The name must be unique. The first character must be a letter (required field)
message - Notification text (required field)
group - You can specify the name of the group (optional field)
[logAlert.rules.source] Configuring the log source
type - journalctl or file (required field)
path - The path to the file (required if field type = "file")
field - systemd_unit or syslog_identifier (required field if type = "journalctl")
match - Value (required field if type = "journalctl")
If field = "systemd_unit", then match it should end: .service, .socket, .target, .mount, .timer, .path, .scope, .slice, .device
[[logAlert.rules.patterns]] Adjusting the controls, there may be several
regexp - Specify your regular schedule (required field)
[[logAlert.rules.patterns.values]] If you want to specify a few more fields in the notifications that you can get from the regular schedule
name - Field name
value - We specify the number from the regular schedule (it starts from 1)
type - If this field is associated with an IP address, then specify type = "ip".

Examples
[[logAlert.rules]]
enabled = true
notify = true
name = "my_name_rule"
message = "Any message"
group = "my_name_group"
[logAlert.rules.source]
type = "journalctl"
field = "systemd_unit"
match = "ssh.service"
[[bruteForceProtection.rules.patterns]]
regexp = '^Accepted (\S+) for (\S+) from (\S+) port \S+'
[[logAlert.rules.patterns.values]]
name = "User"
value = 2
[[logAlert.rules.patterns.values]]
name = "IP"
value = 3
type = "ip"