Logagent
Installation
Debian
Red Hat
Configuration
The initial example (not default) configuration for Logagent can be created in the web application under Agents > Add new syslog agent. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-logagent/etc/config.json. Once in place, Logagent will request an updated configuration from the web application every minute.
Hostname
If the hostname is not specified, the machine's own hostname will be used by default. If needed, this value can be overridden. For example, if the machine's name is www, it can be overwritten to www.example.com.
Logfiles
Multiple log file entries can be added to Logagent. For each log file, the Filename must be specified to define the monitored file. The Datetime field sets which portion of the log text is excluded from the message displayed in the web application; it is advisable to exclude the timestamp at the beginning of each line.
The Conditions value allows you to add multiple conditions. The Message and Level values set the general title of the alert and its severity level. Additionally, the RegexMatch must be specified; it defines the string to search for, as a regular expression.
Log files don't have to be limited to syslog files; they can be application log files, debug files, web server error files (don't try it on a public server, though), etc.
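As an added illustration, not Logagent's own code and not its config.json format (the page does not show the exact keys), the following Python models how one log file entry with a Datetime pattern and a list of Conditions is evaluated against auth.log lines; the attribute names, the timestamp regex and the sample lines are assumptions, and the sample lines are constructed, not real captures.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in the style of /var/log/auth.log on Debian.
SAMPLE_AUTH_LOG = [
    "Mar 10 12:00:01 www sshd[1234]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alice",
    "Mar 10 12:00:05 www sshd[1234]: Accepted publickey for bob from 192.0.2.11 port 50022 ssh2",
    "Mar 10 12:00:09 www sudo: pam_unix(sudo:auth): authentication failure; "
    "logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice",
]

@dataclass
class Condition:
    message: str       # general alert title (the page's "Message")
    level: str         # severity (the page's "Level")
    regex_match: str   # pattern searched for in each line (the page's "RegexMatch")

@dataclass
class LogfileConfig:
    filename: str                       # monitored file (the page's "Filename")
    datetime: str                       # regex for the leading timestamp to strip ("Datetime")
    conditions: list = field(default_factory=list)

# Assumed syslog-style prefix: "Mar 10 12:00:01 " (day may be space-padded).
DATETIME_SYSLOG = r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} "

# Assumed entry for the failed-login case discussed on this page.
AUTH_LOG = LogfileConfig(
    filename="/var/log/auth.log",
    datetime=DATETIME_SYSLOG,
    conditions=[Condition("PAM authentication failure", "warning",
                          r"pam_unix\([^)]+\): authentication failure")],
)

def evaluate_line(cfg, line):
    """Return (message, level, displayed_text) for the first matching condition, else None.

    The regex is searched in the full line; the Datetime portion is removed only from
    the text that would be displayed for the alert (assumed semantics)."""
    displayed = re.sub(cfg.datetime, "", line, count=1)
    for cond in cfg.conditions:
        if re.search(cond.regex_match, line):
            return cond.message, cond.level, displayed
    return None

def scan(cfg, lines):
    """Evaluate every line and collect the alerts that fired."""
    return [alert for alert in (evaluate_line(cfg, ln) for ln in lines) if alert]

if __name__ == "__main__":
    for message, level, text in scan(AUTH_LOG, SAMPLE_AUTH_LOG):
        print(f"[{level}] {message}: {text}")
```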
Example
Define an alert for failed logins. On Debian-based systems, authentication info is logged to /var/log/auth.log.
A line containing PAM authentication failure info: