;; A main configuration file.
;; Copy the template removing '.template' extension at the end.
;; e.g. logdaemon.shm.template -> logdaemon.shm
;; A copied file will NOT be overwritten after port update!
;; However, on major or minor version changes it is your responsibility to merge
;; changes in config.
;; If you lost templates or messed up your configuration, check the project's repository
;; for template files.

;; Terminology:
;; "Optional" - means a section can be removed (not present in file at all)
;; "Not Optional" - means a section must be defined, otherwise an error
;; happens.
;; ";" - a comment line
;; "u" - unsigned (means uint value)
;; "'()" - a list (space separated, e.g. '("abc" "cde"))
;; "#" - boolean (#t #f)
;; NOTE(review): this template also writes lists as [ ... ] (see ignore/hosts and
;; the acl capability lists below) — confirm both forms are accepted by the loader.

;; Settings for the default values which are used unless a monitor or filter
;; overrides them.
;; This section and internal items are Not Optional
(global
  ;; A global value for the time interval (seconds, presumably — same unit as
  ;; bantime) after which the counters are reset for an entity
  (search/window 600)
  ;; A global value for the attempts counter when filter is set up to operate
  ;; in [attempts] mode.
  (retry 5u)
  ;; A global value for the maximum score when filter is set up to operate in
  ;; [score] mode.
  (score 100u)
  ;; A default value for the block period in seconds
  (bantime 600)
  ;; Hosts in format IP/CIDR which should be ignored (never banned)
  (ignore/hosts ["192.168.1.0/24" "10.8.0.0/24"])
  ;; Users in format "username" without spaces or other control characters
  (ignore/users [])
)

;; Settings for the security features for the processes.
;; This section is not optional.
(jail
  ;; Uncomment this procedure for setuid. User should be in format of
  ;; "username". Optional.
  ;; NOTE(review): while pwuser stays commented out no setuid happens, so the
  ;; daemon presumably keeps the privileges of the user that started it; set a
  ;; dedicated service account here (and chroot #t below) for production use.
  ;(pwuser "alex")
  ;; Set to #t to chroot to pwuser's home dir. If pwuser is not set then don't chroot
  ;; because only the child process is chrooted. Not optional.
  (chroot #f)
  ;; Set to #t to use capsicum to apply additional constraints.
  ;; Capsicum will be used only
  ;; on forked processes. Optional. [Not Implemented Yet]
  ;(capsicum #f) ; not implemented yet
  ;; Set to a value larger than "0u" to enable the sigsegv, sigbus, sigfpe signal
  ;; counter which upon reaching the limit will force the whole application to quit to
  ;; prevent a possible attack. Not Optional.
  (signalguard 3u)
)

;; Controls the process allocation for the Action Executor
;; which calls userland applications or uses drivers 'native action'
;; to perform actions e.g. block, unblock, check, etc...
;; A process is in full async mode.
;; Not Optional.
(action
  ;; Amount of threads allocated for task exec.
  ;; Can not be 0u
  ;;! NOT-OPTIONAL
  (threads/worker 2u)
  ;; Amount of threads allocated for 'blocking' operations.
  ;; It is required for native actions which do not support ASYNC IO.
  ;; If there are no actions defined with "native actions" then comment this value
  ;; out or set it to 1u.
  ;;! Can not be 0u.
  ;;! OPTIONAL
  ;(threads/blocking 1u)
  ;; If the procedure is defined, the actions will be executed in parallel.
  ;; So, for example, if for the filter there are 5 actions defined,
  ;; and (parallel-actions) is set to 2u then two tasks will be launched
  ;; simultaneously.
  ;; If you have only one action defined for filters then leave it undefined.
  ;;! OPTIONAL
  ;(parallel-actions 1u)
)

;; Settings for the control socket.
;; If it is required to control the log monitoring server remotely or load
;; configuration remotely, the section should be enabled and configured.
;; If the control socket is not required set control to #f and leave the default values.
;; This section is not optional.
(control #f
  ;; - Socket type -
  ;; Incoming connection source. Only one of the two types can be picked.
  ;; Not optional.
  ;; -
  ;; for unix socket use: unix
  ;; NOTE(review): confirm whether the mode argument is parsed as decimal 644u or as
  ;; octal 0644 — the two give different permission bits on the socket file.
  ;(unix "/tmp/test.sock" 644u)
  ;; for TCP socket use socket: "bind ip" "bind port" (tcp)
  ;; NOTE(review): the example binds to loopback only; if this is changed to a
  ;; non-loopback address, keep (password) and the (acl ... (cidr ...)) entries
  ;; below configured, since they are the only access controls on this channel.
  (tcp "127.0.0.1" 44444u)
  ;; - Other -
  ;; Sets the limit on concurrent connections. Set to 0u for unlimited
  ;;! not optional
  (limit-requests 2u)
  ;; Sets connection timeout in seconds
  ;;! not optional
  (timeout-read 30u)
  ;; Server name (will be visible on greetings)
  ;;! not optional
  (name "server18")
  ;; Salted and hashed password which is used for authentication.
  ;; (if no password is required, then comment out the line below)
  ;; (password <sha> <salted-hash-base64> <salt-base64> <iterations>)
  ;; Use
  ;; `logdaemonctl -S <sha> -p <password> -s <salt> -i <iterations> -t <...>`
  ;; to generate this line of config.
  ;; Use
  ;; `logdaemonctl -G -h` for help.
  ;; - SHA used. Options:
  ;; sha1, sha256, sha512
  ;; - salted password string base64
  ;; - salt plaintext string base64
  ;; - iterations (uint)
  ;; Optional
  ;; NOTE(review): the commented line is a documentation sample (its salt decodes to
  ;; the literal word "salt"); generate your own hash and salt with logdaemonctl
  ;; rather than reusing it.
  ;(password sha256 "xeR41ZKIyEGqUw22hFxMjZYok6ABzk4RpJY4c6qYE0o=" "c2FsdA==" 4096u)
  ;; Set to log all received commands to syslog
  ;; This procedure is not optional
  (log #t)
  ;; Forces ACL for unix sockets ONLY! If the endpoint was not identified
  ;; (usually this happens with unix sockets on Linux) the ACL check
  ;; is skipped.
  ;; If force ACL is set to true, then this will force the ACL if any are defined
  ;;! not optional
  ;; NOTE(review): per the description above, with force-acl #f and a unix socket on
  ;; Linux the ACLs below may be silently skipped; prefer #t when using a unix socket.
  (force-acl #f)
  ;; --ACLs--
  ;; If no ACL is set then there are no constraints.
  ;; Otherwise the ACL should be set separately for each user.
  ;; ACL - for unix literal , for socket literal
  ;; -
  ;; Acl Caps: (ban, unban, reload, load, lookup, status)
  ;; Acl source: If control socket is [unix] then (path) should be used as ACL entity source
  ;; If control socket is [socket] then (cidr) should be used as ACL entity source
  (acl "title" [ban unban reload load lookup status]
    ;; - Entity -
    ;(path "/media/alex/projects/projects/rust/logdaemon_cli/target/debug/")
    (cidr "127.0.0.1/32")
    ;; - Limits -
    ;; (limit) requests per minute. If == 0 then unlimited
    (limit-requests 5u) ; 5 requests per minute
  )
  (acl "title2" [ban unban lookup]
    ;; - Entity -
    ;(path "/media/alex/projects/projects/rust/logdaemon_cli/target/debug/")
    (cidr "127.0.0.2/32")
    ;; - Limits -
    ;; (limit) requests per minute.
    ;; If == 0 then unlimited
    (limit-requests 1u) ; 1 request per minute
  )
  ;; next ACL
)

;; Settings for the Access Manager which manages ban/unban operations
;; Not optional
(entity-worker
  ;; Invoke GC after AccessManager in-mem vnode DB reaches threshold (in kB)
  ;; can't be null, default: 100MB !Not implemented yet.
  (limit/treesize 81920u) ; ~80MB
  ;; log ban/unban entity to syslog, mail (not implemented yet)
  ; todo (logging '("email"))
  ;; - Storage-Engine -
  ;; Persistent storage for banned entities
  ;; Available storage drivers: sqlite, none, mysql, file
  ;; but if logdaemon was compiled without support of the picked driver
  ;; then it will trigger an error during loading.
  ;; -
  ;; (none) - means don't use storage
  ;; ! If driver is not set, in case of crash or restart, all banned entities
  ;; will not be restored.
  ;; (sqlite) - sqlite driver
  ;; (path) is a path where the file is located e.g. /var/db/logdaemon
  ;; (file) - a basic file storage (binary log and text files)
  ;; (path) is a path where the file is located e.g. /var/db/
  ;; (mysql) - a mysql/mariadb driver.
  (database
    ;(none)
    ;; --
    ;(file
    ; (path "/tmp")
    ; (rotate 100u) ; optional, and never 0u
    ; (compress #f)
    ;)
    ;; --
    ;; NOTE(review): "/tmp" is an example path in a shared, world-writable directory;
    ;; point this at a directory owned by the daemon's user (e.g. the /var/db/logdaemon
    ;; suggested above) so the ban database cannot be replaced or altered by other
    ;; local users.
    (sqlite
      (path "/tmp")
    )
    ;; --
    ;(mysql
    ;(network "192.168.2.111" 3306u)
    ; -or -
    ;(local "/car/run/mysql.sock") ; NOTE(review): path looks like a typo for /var/run/mysql.sock
    ;(db/name "logdaemon")
    ;(db/username "logdaemon")
    ;(db/password "password") ; optional, skip when DB has no password
    ;(compress/rate fast) ;optional
    ;(usessl
    ;(pkcs12 "/foo/cert.p12" "")
    ; ;(rootca "/foo/root_ca/der");
    ;(accept_inv_certs #f) ; accept invalid certs — keep #f, #t disables certificate verification
    ;(skip_dom_validation #f) ; skip domain validation — keep #f, #t disables hostname checking
    ;)
    ;)
  )
)

;; Settings for log receiving threads
(sockthread ;logfetch
  ;; Max threads which parse events from FS and network sockets
  ;;
  ;; If it is planned to receive data only from sockets, it is not a very complex
  ;; task and one thread will be enough. But if the data flow is large, then it
  ;; is required to adjust this value.
  ;; If there are both external logs and logs from files then at least two threads
  ;; are required in order to process data in parallel.
  ;;
  ;; The data is processed in parallel. But only for data received on sockets. The
  ;; events from the File System are always processed in a single thread which is available
  ;; at the moment or available in the nearest future. So one of the threads will be busy processing
  ;; events from the FS.
  ;;
  ;; can not be 0 or negative, default: 1u (unsigned)
  (threads 2u)
)

;; Parser settings
(parser
  ;; Send message about detection to log facilities
  ;; Not implemented yet
  ; todo (logging '("email"))
  ;; - Storage-Engine -
  ;; Persistent storage for banned entities
  ;; NOTE(review): this block is a copy of the entity-worker database settings
  ;; (same comments, same /tmp path); confirm the parser really needs its own
  ;; store and that both do not point at the same file.
  ;; Available storage drivers: sqlite, none, mysql, file
  ;; but if logdaemon was compiled without support of the picked driver
  ;; then it will trigger an error during loading.
  ;; -
  ;; (none) - means don't use storage
  ;; ! If driver is not set, in case of crash or restart, all banned entities
  ;; will not be restored.
  ;; (sqlite) - sqlite driver
  ;; (path) is a path where the file is located e.g. /var/db/logdaemon
  ;; (file) - a basic file storage (binary log and text files)
  ;; (path) is a path where the file is located e.g. /var/db/
  ;; (mysql) - a mysql/mariadb driver.
  (database
    ;(none)
    ;; --
    ;(file
    ; (path "/tmp")
    ; (rotate 100u) ; optional, and never 0u
    ; (compress #f)
    ;)
    ;; --
    ;; NOTE(review): same caveat as in entity-worker — "/tmp" is a world-writable
    ;; example path; use a daemon-owned directory before deployment.
    (sqlite
      (path "/tmp")
    )
    ;; --
    ;(mysql
    ;(network "192.168.2.111" 3306u)
    ; -or -
    ;(local "/car/run/mysql.sock") ; NOTE(review): path looks like a typo for /var/run/mysql.sock
    ;(db/name "logdaemon")
    ;(db/username "logdaemon")
    ;(db/password "password") ; optional, skip when DB has no password
    ;(compress/rate fast) ;optional
    ;(usessl
    ;(pkcs12 "/foo/cert.p12" "")
    ; ;(rootca "/foo/root_ca/der");
    ;(accept_inv_certs #f) ; accept invalid certs — keep #f, #t disables certificate verification
    ;(skip_dom_validation #f) ; skip domain validation — keep #f, #t disables hostname checking
    ;)
    ;)
  )
)