authorkuri igen <kuri@e4.enlightenment.org>2011-02-08 19:54:44 +0100
committerkuri igen <kuri@e4.enlightenment.org>2011-02-08 19:54:44 +0100
commite34cc1ec57c972bfc5040a7474fb9d43a5b6fd53 (patch)
treeeac71e1d8b473175bb865f2216fe8ea3335ce5da
parente1c5cab153d40f42f7f971b52db56b4b1ad17737 (diff)
Add example rule that uses message_unmatch and multiple regexps
-rw-r--r--rules/ssh_publickey_accept13
1 files changed, 13 insertions, 0 deletions
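--- /dev/null
+++ b/rules/ssh_publickey_accept
@@ -0,0 +1,13 @@
+# This rule will match any log message from /var/log/auth.log that
+# is about a connection using a valid public key for user root, and that
+# is not from normally authorized IPs.
+# These logs will be tagged with 'alert' word
+filename = /var/log/auth.log
+message = .*Accepted publickey for root.*
+message_unmatch = .*192\.168\.2\.84.*
+message_unmatch = .*192\.168\.2\.82.*
+message_unmatch = .*192\.168\.2\.94.*
+
+
+tags = alert
+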
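Review bot: The three `message_unmatch` patterns are unanchored substring matches, so any auth.log line that merely contains the text `192.168.2.84` anywhere suppresses the alert, not only a line whose source address is that host; assuming the pattern is applied as a regex search over the whole line (which the rule's own leading `.*` suggests), the exclusion should be tied to the source-address field, e.g. `message_unmatch = .*Accepted publickey for root from 192\.168\.2\.84 port .*` and likewise for the other two addresses. The same pattern shape also matches longer strings that begin with the address text (for instance `192.168.2.840` or `1192.168.2.84`), which the `port` anchor rules out. The header comment could state this explicitly: `# Exclusions must match the "from <ip> port" token so that only the source address field is allowlisted.` A one-line note explaining why the allowlist is kept inline rather than in a shared list would also help whoever adds the next host.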