Logagent

Installation

Debian

sudo apt install ./intrudect-logagent-x.y.z.arch.deb

Red Hat

sudo dnf install ./intrudect-logagent-x.y.z-0.arch.rpm

Configuration

The initial example (not default) configuration for Logagent can be created in the web application under Agents > Add new syslog agent. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-logagent/etc/config.json. Once in place, Logagent will request an updated configuration from the web application every minute.

Hostname

If the hostname is not specified, the machine's own hostname is used by default. If needed, this value can be overridden: for example, if the machine's name is www, it can be set to www.example.com.

"Hostname": "www.example.com"

Logfiles

Multiple log file entries can be added to Logagent. For each log file, Filename specifies the file to monitor. The DateTime field sets which portion of each log line (given as a start and end offset, as in the example below) is excluded from the message displayed in the web application; it is advisable to exclude the timestamp at the beginning of each line.

The Conditions value holds one or more conditions. Within a condition, Message and Level set the title of the alert and its severity level, and RegexMatch, which is required, defines the string to search for as a regular expression.

Log files are not limited to syslog files: they can be application log files, debug files, web server error logs (do not try this on a public server, though), and so on.

Example

Define an alert for failed logins. On Debian-based systems, authentication information is logged to /var/log/auth.log.

A line containing PAM authentication failure information:

2025-02-01T23:06:35.106807+02:00 docker sshd[359956]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1  user=root

"Logfiles": [
  {
    "Filename": "/var/log/auth.log",
    "DateTime": [
      0,
      32
    ],
    "Conditions": [
      {
        "Message": "LOGIN FAILURE",
        "Level": 10,
        "RegexMatch": "(.*)pam_unix(.*)authentication failure(.*)"
      }
    ]
  }
]
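The following is an added example, not Logagent's own code: a small Python script that loads the configuration above (wrapped into a complete document together with the Hostname override from the Hostname section), applies the DateTime range and the RegexMatch conditions to a few constructed auth.log lines, and shows which of them would raise the LOGIN FAILURE alert. It assumes that DateTime is a pair of 0-based character offsets and that RegexMatch is searched over the full line; the function names and the alert dictionary layout are the example's own.

```python
import json
import re
import socket

# Constructed example config: the page's Logfiles fragment wrapped in a complete
# config document, with the Hostname override from the Hostname section.
CONFIG_JSON = """
{
  "Hostname": "www.example.com",
  "Logfiles": [
    {
      "Filename": "/var/log/auth.log",
      "DateTime": [0, 32],
      "Conditions": [
        {
          "Message": "LOGIN FAILURE",
          "Level": 10,
          "RegexMatch": "(.*)pam_unix(.*)authentication failure(.*)"
        }
      ]
    }
  ]
}
"""

# Constructed sample lines: the first is the auth.log line shown on the page,
# the other two are made-up neighbours that must not fire the alert.
SAMPLE_LINES = [
    "2025-02-01T23:06:35.106807+02:00 docker sshd[359956]: pam_unix(sshd:auth): "
    "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1  user=root",
    "2025-02-01T23:06:40.000000+02:00 docker sshd[359960]: Accepted publickey for alice "
    "from 192.168.1.2 port 50000 ssh2",
    "2025-02-01T23:07:01.000000+02:00 docker CRON[360000]: pam_unix(cron:session): "
    "session opened for user root(uid=0) by (uid=0)",
]


def load_config(text):
    """Parse the config and compile every RegexMatch up front, so a broken
    pattern fails at load time (naming the condition) instead of silently
    never matching once the agent is running."""
    cfg = json.loads(text)
    for logfile in cfg["Logfiles"]:
        for cond in logfile["Conditions"]:
            try:
                cond["_compiled"] = re.compile(cond["RegexMatch"])
            except re.error as exc:
                raise ValueError(
                    f"bad RegexMatch for {cond['Message']!r}: {exc}") from exc
    return cfg


def strip_datetime(line, span):
    """Drop the character range [start, end) named by DateTime (assumed to be
    0-based offsets) and trim the whitespace that separated it from the rest."""
    start, end = span
    return (line[:start] + line[end:]).strip()


def evaluate_line(logfile, line, hostname):
    """Return one alert dict per condition whose RegexMatch matches the raw line.
    The regex is assumed to run over the full line; DateTime only shapes the
    message text that the web application would display."""
    alerts = []
    for cond in logfile["Conditions"]:
        if cond["_compiled"].search(line):
            alerts.append({
                "Hostname": hostname,
                "Filename": logfile["Filename"],
                "Message": cond["Message"],
                "Level": cond["Level"],
                "Text": strip_datetime(line, logfile["DateTime"]),
            })
    return alerts


def scan_lines(cfg, lines, logfile_index=0):
    """Run every line through one Logfiles entry, as a file tailer would.
    As on the page, the machine's own hostname is the fallback."""
    logfile = cfg["Logfiles"][logfile_index]
    hostname = cfg.get("Hostname") or socket.gethostname()
    alerts = []
    for line in lines:
        alerts.extend(evaluate_line(logfile, line, hostname))
    return alerts


if __name__ == "__main__":
    for alert in scan_lines(load_config(CONFIG_JSON), SAMPLE_LINES):
        print(f"[{alert['Level']}] {alert['Message']} on {alert['Hostname']}: {alert['Text']}")
```

Two things worth checking against a real log before deploying such a configuration: the offset 32 fits exactly the RFC 3339 timestamp with microseconds and UTC offset used in the sample line, so a host that writes the traditional syslog format (Feb  1 23:06:35, 15 characters plus a space) needs a different DateTime range, otherwise part of the hostname and process name is cut from the displayed message; and the outer (.*) groups in the pattern add nothing when the agent searches for a substring, they only make the match slower on long lines.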