# grok.conf

### Some useful patterns 
#patterns {
#  PROG = "\w+(?:\[\d+\])?";
#  BASE = "%SYSLOGDATE% %HOSTNAME% %PROG%:";
#  HTTPDATE = "%MONTHDAY%/%MONTH%/\d+:%TIME% -\d+";
#};

### Example filter sets
#filters {
#  # Define a filter called 'httpfilter'
#  # It replaces "GET /foo/bar HTTP/1.0" with "/foo/bar"
#  /httpfilter/ = { s/^\S+ (\S+) \S+$/$1/; };
#};

### Apache log matching (requires httpfilter filter and HTTPDATE pattern as above)
#file "logs/access" {
#  type "http request" {
#    match = "%IP% - - \[%HTTPDATE%\] %QUOTEDSTRING:URL% .*? %QUOTEDSTRING:REFERRER% %QUOTEDSTRING:AGENT%";
#    reaction = "echo '%IP%: %QUOTEDSTRING:URL|e[']|stripquotes|httpfilter%'";
#  };
#};

### Apache log matching, but use a perl reaction instead
#file "logs/access" {
#  # Similar thing, slightly more complicated, but in perl.
#  # Only print if the referrer is not "-"
#  reaction = {
#    my $ref = meta2string("%QUOTEDSTRING:REFERRER|e[']|stripquotes%", $v);
#    if ($ref ne '-') {
#      my $ip = meta2string("%IP%", $v);
#      my $agent = meta2string("%QUOTEDSTRING:AGENT|e[']|stripquotes%", $v);
#      my $url = meta2string("%QUOTEDSTRING:URL|e[']|stripquotes|httpfilter%", $v);
#      print "$ip: $url\n";
#      print "\tReferrer: $ref\n";
#      print "\tAgent: $agent\n";
#    }
#  };
#};

### Example using 'exec' - let's grok tcpdump for fun and profit.
#exec "tcpdump -li em0 -n 2> /dev/null" {
#  type "ssh-connect" {
#    match = "%IP:SRC%.\d+ > %IP:DST%.22: S";
#    reaction = "echo 'ssh-connect: %IP:SRC% -> %IP:DST%' >> /var/log/sshconnect";
#  };
#};

### Audit failed su(1) attempts
#patterns {
#  TTY = "/dev/tty[qp][a-z0-9]";
#};
#
#file "/var/log/messages" {
#  type "failed su(1) attempt" {
#    match = "BAD SU %USER:FROM% to %USER:TO% on %TTY%";
#    reaction = "echo 'Failed su(1): %USER:FROM% -> %USER:TO% (%TTY%)'";
#  };
#};

### Track and block brute force (or other) ssh attacks
#exec "cat /var/log/auth.log" {
#  type "ssh-illegal-user" {
#    match = "Invalid user %USERNAME% from %IP%";
#    threshold = 3;   # 10 hits ...
#    key = "%IP%";     # from a single ip ...
#    interval = 600;   # in 10 minutes
#    reaction = "echo pfctl -t naughty -T add %IP%";
#  };
#
#  type "ssh-scan-possible" {
#     match = "Did not receive identification string from %IP%";
#     threshold = 3;
#     interval = 60;
#     reaction = "pfctl -t naughty -T add %IP%";
#  };
#};

### Track sudo access, report on unmatched lines.
#patterns {
#  COMMAND = ".*";
#  DATA = ".*";
#  UID = "\d+";
#  MOUNT = "[/a-zA-Z0-9_-]+";
#};

### FreeBSD messages
#file "/var/log/messages" {
#  type "all syslog" {
#    match_syslog = 1;
#    reaction = { print meta2string("http://localhost:8080/?when=%SYSLOGDATE|parsedate%&where=%HOST%/%PROG%&what=%DATA:GLOB|urlescape%\n", $v); };
#  };
#};
#
#filecmd "find /var/log -iname "*log" -or -name 'messages'" {

#Sample catlist usage
#catlist "/var/log/*.log,/var/log/messages" {
#  type "everything" {
#    match_syslog = 1;
#    reaction = { print meta2string("%=FILE%: (%PROG%) %DATA:GLOB%\n", $v) } ;
#  };
#};