
/etc/aminer/config.py.template is in logdata-anomaly-miner 0.0.7-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

# This is a template for the "aminer" logfile miner tool. Copy
# it to "config.py" and define your ruleset.

# Runtime settings of the aminer daemon, keyed by property name.
# Entries that are commented out keep their built-in default; to
# override one, uncomment it in place and adjust the value.
configProperties = {
    # Log resources to read from. The resources named here do not
    # need to exist when aminer is started -- a missing one only
    # produces a warning -- but when they do exist they have to be
    # readable by the aminer process. Supported types are:
    # * file://[path]: read data from a file, reopen it after rollover
    # * unix://[path]: open the path as UNIX local socket for reading
    'LogResourceList': ['file:///var/log/auth.log', 'file:///var/log/syslog'],

    # uid/gid of the process that runs the calculation once the
    # log files have been opened (the privileged part only opens them).
    'AMinerUser': 'aminer',
    'AMinerGroup': 'aminer',

    # Path on which aminer listens for incoming remote control
    # connections. When missing, no remote control socket is created.
    # Whoever can connect to this path gets the remote control
    # interface, so keep filesystem access to it restricted.
    # 'RemoteControlSocket': '/var/run/aminer-remote.socket',

    # Read the analysis configuration from this file. That part of
    # the configuration is kept separate from the main configuration
    # so that it can be loaded only within the analysis child.
    # Non-absolute path names are interpreted relative to the main
    # configuration file (this file). When empty, this file has to
    # contain the configuration for the child as well.
    # 'AnalysisConfigFile': 'analysis.py',

    # Directory for information that is kept between invocations of
    # AMiner. It must only be accessible to 'AMinerUser' and must not
    # be group/world readable; on violation AMiner refuses to start.
    # When undefined, '/var/lib/aminer' is used.
    # 'Core.PersistenceDir': '/var/lib/aminer',

    # Target e-mail address for alerts. When undefined, no e-mail
    # notification hooks are added at all.
    'MailAlerting.TargetAddress': 'root@localhost',
    # Sender address of alert e-mails. When undefined, the "sendmail"
    # implementation on the host decides which sender address is used.
    # 'MailAlerting.FromAddress': 'root@localhost',
    # Text prepended to the standard aminer subject.
    # Defaults to "AMiner Alerts:".
    # 'MailAlerting.SubjectPrefix': 'AMiner Alerts:',
    # Grace time after startup before aminer reacts to an event and
    # sends the first alert e-mail. Defaults to 0 (any event can
    # trigger alerting immediately).
    # 'MailAlerting.AlertGraceTime': 0,
    # Seconds to wait after a first event triggered the alerting
    # procedure before the e-mail is really sent. Events arriving in
    # that timespan are collected and sent in a single e-mail.
    # Defaults to 10 seconds.
    # 'MailAlerting.EventCollectTime': 10,
    # Minimum time in seconds between two alert e-mails, to avoid
    # spamming. All events during this timespan are collected and
    # sent with the next report. Defaults to 600 seconds.
    # 'MailAlerting.MinAlertGap': 600,
    # Maximum time in seconds between two alert e-mails. When
    # undefined this defaults to "MailAlerting.MinAlertGap".
    # Otherwise an exponential backoff is activated to reduce
    # messages during permanent error states: the alert gap grows
    # by 50% whenever more alert-worthy events were recorded while
    # the previous gap time had not yet elapsed.
    # 'MailAlerting.MaxAlertGap': 600,
    # Maximum number of events included in one alert mail.
    # Defaults to 1000.
    # 'MailAlerting.MaxEventsPerMessage': 1000,
}


# Add your ruleset here:

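def buildAnalysisPipeline(analysisContext):
  """Create the pipeline for parsing the log data.

  This function also has to define an AtomizerFactory to instruct
  AMiner how to process incoming data streams to create log atoms
  from them.

  Args:
    analysisContext: the aminer analysis context. Its atomizerFactory
      attribute is assigned here, components are registered on it via
      registerComponent(), and aminerConfig.configProperties is
      consulted to decide whether mail alerting is enabled.

  Returns:
    None; the pipeline is wired into analysisContext as a side effect.
  """

  # Build the parsing model. The aminer imports are kept inside this
  # function so the module can be loaded before the analysis packages
  # are importable.
  from aminer.parsing import FirstMatchModelElement
  from aminer.parsing import SequenceModelElement

  serviceChildren = []

  # Enable a parsing model for every service whose logs are read.
  # These lines are indented to the function body on purpose: at
  # column 0, uncommenting one of them would end the function and the
  # following 'serviceChildren.append' would fail with a NameError.
  # import AudispdParsingModel
  # serviceChildren.append(AudispdParsingModel.getModel())

  # import CronParsingModel
  # serviceChildren.append(CronParsingModel.getModel())

  # import EximParsingModel
  # serviceChildren.append(EximParsingModel.getModel())

  # import RsyslogParsingModel
  # serviceChildren.append(RsyslogParsingModel.getModel())

  # import SshdParsingModel
  # serviceChildren.append(SshdParsingModel.getModel())

  # import SuSessionParsingModel
  # serviceChildren.append(SuSessionParsingModel.getModel())

  # import UlogdParsingModel
  # serviceChildren.append(UlogdParsingModel.getModel())

  import SyslogPreambleModel
  syslogPreambleModel = SyslogPreambleModel.getModel()

  # Every line has to start with the syslog preamble; the remainder is
  # matched against the enabled service models, first match wins.
  parsingModel = SequenceModelElement('model', [
      syslogPreambleModel,
      FirstMatchModelElement('services', serviceChildren)])

  # Some generic imports.
  from aminer.analysis import AtomFilters

  # Create all global handler lists here and append the real handlers
  # later on. The filter distributes all atoms to the analysis
  # handlers; the list receives the event handlers that report
  # anomalies (it is shared with the atomizer factory below and
  # handlers can still be appended after the factory was created).
  atomFilter = AtomFilters.SubhandlerFilter(None)
  anomalyEventHandlers = []

  # Now define the AtomizerFactory using the model. A simple line
  # based one is usually sufficient.
  from aminer.input import SimpleByteStreamLineAtomizerFactory
  analysisContext.atomizerFactory = SimpleByteStreamLineAtomizerFactory(
      parsingModel, [atomFilter], anomalyEventHandlers,
      defaultTimestampPath='/model/syslog/time')

  # Just report all unparsed atoms to the event handlers.
  from aminer.input import SimpleUnparsedAtomHandler
  atomFilter.addHandler(
      SimpleUnparsedAtomHandler(anomalyEventHandlers),
      stopWhenHandledFlag=True)

  # Presumably reports atoms whose parser path was not seen before.
  # autoIncludeFlag=True starts the detector in its auto-include mode;
  # what it learns from live data is defined by NewMatchPathDetector
  # itself -- confirm that before relying on it in a production ruleset.
  from aminer.analysis import NewMatchPathDetector
  newMatchPathDetector = NewMatchPathDetector(
      analysisContext.aminerConfig, anomalyEventHandlers, autoIncludeFlag=True)
  analysisContext.registerComponent(newMatchPathDetector, componentName=None)
  atomFilter.addHandler(newMatchPathDetector)

  # Include the e-mail notification handler only if the configuration
  # parameter was set. A membership test is used instead of
  # dict.has_key(), which is Python 2 only; both behave the same on a
  # dict.
  from aminer.events import DefaultMailNotificationEventHandler
  if (DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS
      in analysisContext.aminerConfig.configProperties):
    mailNotificationHandler = DefaultMailNotificationEventHandler(
        analysisContext.aminerConfig)
    analysisContext.registerComponent(
        mailNotificationHandler, componentName=None)
    anomalyEventHandlers.append(mailNotificationHandler)

  # Add stdout stream printing for debugging, tuning. Kept inside the
  # function so it can be uncommented in place ('anomalyEventHandlers'
  # is a local of this function).
  # from aminer.events import StreamPrinterEventHandler
  # anomalyEventHandlers.append(StreamPrinterEventHandler(analysisContext.aminerConfig))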