---
# Service-detection rules read by `cscli setup` (see the TODO below).
#
# Shape of each entry under `detect:`, as used in this file:
#   <name>:
#     when:        list of expressions evaluated on the host; this file uses
#                  UnitFound("<systemd unit>"), PathExists("<path>") and
#                  OS.Family == "<os>", combined with `or` where needed
#                  (presumably every list item must hold for the entry to
#                  match — confirm in the setup code, the file does not say)
#     install:     hub items to install when the entry matches
#                  (`collections` or `parsers`)
#     datasource:  acquisition generated for the matched service: `source`
#                  (`file` or `journalctl` here), `filenames` or
#                  `journalctl_filter`, and `labels.type`, which presumably
#                  selects the parsers applied to the lines — a wrong type
#                  means the logs are collected but never parsed
#
# Entries without `when:` (the `whitelists` entry) carry no condition;
# entries without `datasource:` install hub items only and produce no
# acquisition.
#
# NOTE(review): unquoted `1.0` is a YAML float; quote it ("1.0") if the
# loader expects a string version.
version: 1.0

# TODO: This file must be reviewed before the `cscli setup` command becomes GA

detect:

  #
  # crowdsecurity/apache2
  #

  # XXX some distro is using this path?
  # - /var/log/*http*/*.log

  # Debian-family hosts: unit `apache2.service`, logs under /var/log/apache2.
  apache2-systemd-deb:
    when:
      - UnitFound("apache2.service")
      - PathExists("/etc/debian_version")
    install:
      collections:
        - crowdsecurity/apache2
    datasource:
      source: file
      filenames:
        - /var/log/apache2/*.log
      labels:
        type: apache2

  # RedHat-family hosts: unit `httpd.service`, logs under /var/log/httpd.
  apache2-systemd-rpm:
    when:
      - UnitFound("httpd.service")
      - PathExists("/etc/redhat-release")
    install:
      collections:
        - crowdsecurity/apache2
    datasource:
      source: file
      filenames:
        - /var/log/httpd/*.log
      # XXX /var/log/*http*/*.log
      labels:
        type: apache2

  #
  # crowdsecurity/asterisk
  #

  asterisk-systemd:
    when:
      - UnitFound("asterisk.service")
    install:
      collections:
        - crowdsecurity/asterisk
    datasource:
      source: file
      labels:
        type: asterisk
      filenames:
        - /var/log/asterisk/*.log

  #
  # crowdsecurity/caddy
  #

  caddy-systemd:
    when:
      - UnitFound("caddy.service")
    install:
      collections:
        - crowdsecurity/caddy
    datasource:
      source: file
      labels:
        type: caddy
      filenames:
        - /var/log/caddy/*.log

  #
  # crowdsecurity/dovecot
  #

  # Dovecot logs through syslog, hence `type: syslog` on /var/log/mail.log
  # (the same file the postfix entry below reads).
  dovecot-systemd:
    when:
      - UnitFound("dovecot.service")
    install:
      collections:
        - crowdsecurity/dovecot
    datasource:
      source: file
      labels:
        type: syslog
      filenames:
        - /var/log/mail.log

  #
  # LePresidente/emby
  #

  emby-systemd:
    when:
      - UnitFound("emby-server.service")
    install:
      collections:
        - LePresidente/emby
    datasource:
      source: file
      labels:
        type: emby
      filenames:
        - /var/log/embyserver.txt

  #
  # crowdsecurity/endlessh
  #

  # Only journal-based datasource in this file: lines are selected by the
  # systemd unit field instead of a log path.
  endlessh-systemd:
    when:
      - UnitFound("endlessh.service")
    install:
      collections:
        - crowdsecurity/endlessh
    datasource:
      source: journalctl
      labels:
        type: syslog
      # XXX this? or /var/log/syslog?
      journalctl_filter:
        - "_SYSTEMD_UNIT=endlessh.service"

  #
  # crowdsecurity/gitea
  #

  # XXX untested

  gitea-systemd:
    when:
      - UnitFound("gitea.service")
    install:
      collections:
        - crowdsecurity/gitea
    datasource:
      source: file
      labels:
        type: gitea
      filenames:
        - /var/log/gitea.log

  #
  # crowdsecurity/haproxy
  #

  haproxy-systemd:
    when:
      - UnitFound("haproxy.service")
    install:
      collections:
        - crowdsecurity/haproxy
    datasource:
      source: file
      labels:
        type: haproxy
      filenames:
        - /var/log/haproxy/*.log

  #
  # firewallservices/lemonldap-ng
  #

  # The datasource is commented out, so matching this entry installs the
  # collection but generates no acquisition: the parsers are present yet
  # receive no lines until a datasource is configured by hand.
  lemonldap-ng-systemd:
    when:
      - UnitFound("lemonldap-ng-fastcgi-server.service")
    install:
      collections:
        - firewallservices/lemonldap-ng
    #datasource:
    #  # XXX todo where are the logs?
    #  labels:
    #    type: syslog

  #
  # crowdsecurity/mariadb
  #

  # mariadb and mysql entries share the same log path and `type: mysql`;
  # only the unit name and the installed collection differ.
  mariadb-systemd:
    when:
      - UnitFound("mariadb.service")
    install:
      collections:
        - crowdsecurity/mariadb
    datasource:
      source: file
      labels:
        type: mysql
      filenames:
        - /var/log/mysql/error.log

  #
  # crowdsecurity/mysql
  #

  mysql-systemd:
    when:
      - UnitFound("mysql.service")
    install:
      collections:
        - crowdsecurity/mysql
    datasource:
      source: file
      labels:
        type: mysql
      filenames:
        - /var/log/mysql/error.log

  #
  # crowdsecurity/nginx
  #

  nginx-systemd:
    when:
      - UnitFound("nginx.service")
    install:
      collections:
        - crowdsecurity/nginx
    datasource:
      source: file
      labels:
        type: nginx
      filenames:
        - /var/log/nginx/*.log

  # OpenResty reuses the nginx collection and parsers; only the unit and the
  # log directory differ.
  openresty-systemd:
    when:
      - UnitFound("openresty.service")
    install:
      collections:
        - crowdsecurity/nginx
    datasource:
      source: file
      labels:
        type: nginx
      filenames:
        - /usr/local/openresty/nginx/logs/*.log

  #
  # crowdsecurity/odoo
  #

  odoo-systemd:
    when:
      - UnitFound("odoo.service")
    install:
      collections:
        - crowdsecurity/odoo
    datasource:
      source: file
      labels:
        type: odoo
      filenames:
        - /var/log/odoo/*.log

  #
  # LePresidente/ombi
  #

  # This only works on deb-based systems. On other distributions, the
  # application is run from the release tarball and the log location depends on
  # the location it's run from.

  ombi-systemd:
    when:
      - UnitFound("ombi.service")
      - PathExists("/etc/debian_version")
    install:
      collections:
        - LePresidente/ombi
    datasource:
      source: file
      labels:
        type: ombi
      filenames:
        - /var/log/ombi/log-*.txt

  #
  # crowdsecurity/pgsql
  #

  # Same unit name on both families; the distro marker file decides which log
  # directory is used.
  pgsql-systemd-deb:
    when:
      - UnitFound("postgresql.service")
      - PathExists("/etc/debian_version")
    install:
      collections:
        - crowdsecurity/pgsql
    datasource:
      source: file
      labels:
        type: postgres
      filenames:
        - /var/log/postgresql/*.log

  pgsql-systemd-rpm:
    when:
      - UnitFound("postgresql.service")
      - PathExists("/etc/redhat-release")
    install:
      collections:
        - crowdsecurity/pgsql
    datasource:
      source: file
      labels:
        type: postgres
      filenames:
        - /var/lib/pgsql/data/log/*.log

  #
  # crowdsecurity/postfix
  #

  postfix-systemd:
    when:
      - UnitFound("postfix.service")
    install:
      collections:
        - crowdsecurity/postfix
    datasource:
      source: file
      labels:
        type: syslog
      filenames:
        - /var/log/mail.log

  #
  # crowdsecurity/proftpd
  #

  proftpd-systemd:
    when:
      - UnitFound("proftpd.service")
    install:
      collections:
        - crowdsecurity/proftpd
    datasource:
      source: file
      labels:
        type: proftpd
      filenames:
        - /var/log/proftpd/*.log

  #
  # fulljackz/pureftpd
  #

  pureftpd-systemd:
    when:
      - UnitFound("pure-ftpd.service")
    install:
      collections:
        - fulljackz/pureftpd
    # XXX ?
    datasource:
      source: file
      labels:
        type: syslog
      filenames:
        - /var/log/pure-ftpd/*.log

  #
  # crowdsecurity/smb
  #

  smb-systemd:
    when:
      # deb -> smbd.service
      # rpm -> smb.service
      - UnitFound("smbd.service") or UnitFound("smb.service")
    install:
      collections:
        - crowdsecurity/smb
    datasource:
      source: file
      labels:
        type: smb
      # NOTE(review): glob matches files named samba*.log directly under
      # /var/log; confirm this is where the target distributions write
      # Samba logs, otherwise the entry installs parsers that see no lines.
      filenames:
        - /var/log/samba*.log

  #
  # crowdsecurity/sshd
  #

  sshd-systemd:
    when:
      # deb -> ssh.service
      # rpm -> sshd.service
      # the .socket units presumably cover socket-activated installs
      - UnitFound("ssh.service") or UnitFound("sshd.service") or UnitFound("ssh.socket") or UnitFound("sshd.socket")
    install:
      collections:
        - crowdsecurity/sshd
    datasource:
      source: file
      labels:
        type: syslog
      # One path per distribution family; the others are expected not to
      # exist on a given host.
      # NOTE(review): hosts that log only to the journal (no syslog daemon)
      # have none of these files, so this entry yields an acquisition with
      # nothing to read — a silent gap for the sshd brute-force scenarios.
      # A journalctl datasource, as in the endlessh entry, would cover that
      # case; confirm how the consumer behaves when no file matches.
      filenames:
        - /var/log/auth.log
        - /var/log/sshd.log
        - /var/log/secure

  #
  # crowdsecurity/suricata
  #

  # Reads Suricata's EVE JSON output, not its plain-text log.
  suricata-systemd:
    when:
      - UnitFound("suricata.service")
    install:
      collections:
        - crowdsecurity/suricata
    datasource:
      source: file
      labels:
        type: suricata-evelogs
      filenames:
        - /var/log/suricata/eve.json

  #
  # crowdsecurity/vsftpd
  #

  vsftpd-systemd:
    when:
      - UnitFound("vsftpd.service")
    install:
      collections:
        - crowdsecurity/vsftpd
    datasource:
      source: file
      labels:
        type: vsftpd
      filenames:
        - /var/log/vsftpd/*.log

  #
  # Operating Systems
  #

  # Matched on OS family rather than on a unit; the three paths cover the
  # usual syslog file names across distributions (same journal-only caveat
  # as the sshd entry).
  linux:
    when:
      - OS.Family == "linux"
    install:
      collections:
        - crowdsecurity/linux
    datasource:
      source: file
      labels:
        type: syslog
      filenames:
        - /var/log/syslog
        - /var/log/kern.log
        - /var/log/messages

  # Collection only; no acquisition is generated for FreeBSD here.
  freebsd:
    when:
      - OS.Family == "freebsd"
    install:
      collections:
        - crowdsecurity/freebsd

  # Collection only; no acquisition is generated for Windows here, so the
  # installed parsers receive nothing until an acquisition is added by hand.
  windows:
    when:
      - OS.Family == "windows"
    install:
      collections:
        - crowdsecurity/windows

  #
  # anti-lockout
  #

  # No `when:` clause, so this entry presumably always applies; it installs
  # the whitelist parsers only (no collection, no datasource).
  whitelists:
    install:
      parsers:
        - crowdsecurity/whitelists