(view this code in a separate window)
# Some patterns to ignore ignore = /log: Server listening on port \d+$/ ignore = /log: Connection from .* port \d+$/ ignore = /log: Generating new \d+ bit RSA key.$/ ignore = /log: RSA key generation complete.$/ ignore = /log: .* authentication for .* accepted.$/ ignore = /log: Closing connection to/ ignore = /fatal: Read error from remote host/ ignore = /fatal: Connection closed by remote/ ignore = /log: Wrong response to RSA authentication challenge./ ignore = /fatal: Read from socket failed: Connection timed out./ # Highlight root logins we expect watchfor = /log: ROOT LOGIN as 'root' from trusted.example.com/ echo magenta # Warn big time for root logins we aren't expecting watchfor = /log: ROOT LOGIN/ echo magenta_h bell 2 mail root@localhost:reegen@localhost,subject=ROOT LOGIN ALERT write root:reegen exec /opt/bin/page_admins $0 # Forward/reverse mapping errors watchfor = /POSSIBLE BREAKIN ATTEMPT!/ echo red watchfor = /fatal:/ echo blue # Make sure anything we don't explicitly ignore is logged in # unobtrusive green. As we find new things that are important # we'll make more rules for them. watchfor = /.*/ echo green