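##
## tenshi 0.17 sample conf
##
## Layout restored to one directive per line; the fused listing line numbers
## were dropped. Directives are unchanged, only review comments were added.

# general settings

# tenshi runs under this account, so it needs read access to every
# logfile listed below (typically via group membership).
set uid tenshi
set gid tenshi

set pidfile /var/run/tenshi.pid
set logfile /var/log/messages
set logfile /var/log/mail.log
# set fifo /var/log/tenshi.fifo
# The listener below is bound to loopback. Plain syslog on port 514 carries no
# sender authentication, so widening the bind address lets any host that can
# reach it inject lines into the reports.
# set listen 127.0.0.1:514

## GNU coreutils
# set tail /usr/bin/tail -q --follow=name --retry -n 0

## FreeBSD / NetBSD
# set tail /usr/bin/tail -F -n 0

## OpenBSD / HP-UX
# set tail /usr/bin/tail -f -n 0

set tail_multiple off

set sleep 5
set limit 800
set pager_limit 2
set mask ___
# Reports quote raw log content (user names, hosts, addresses). They go to the
# local MTA; where they are relayed afterwards is decided by that MTA.
set mailserver localhost
set subject tenshi report
# hidepid on: the regexps below are written without the [pid] part of the
# program name (see the note in the regexp section).
set hidepid on

## queues
# syntax: set queue <queue_name> <mail_from> [pager:]<mail_to> <cron_spec> [<subject>]
#
# [now] queues are mailed as soon as a line matches; the others are digests
# sent on the cron schedule. With [0 9-17/2 * * *] the last digest of the day
# goes out at 17:00, so anything routed only to "report" or "misc" after that
# is first seen at 09:00 the next day. Route events that need a faster
# reaction to a [now] queue as well.

set queue mail tenshi@localhost sysadmin@localhost [30 18 * * *]
set queue nf tenshi@localhost sysadmin@localhost [*/30 * * * *]
set queue report tenshi@localhost sysadmin@localhost [0 9-17/2 * * *]
set queue misc tenshi@localhost sysadmin@localhost [0 9-17/2 * * *]
set queue critical tenshi@localhost sysadmin@localhost,noc@localhost [now] tenshi CRITICAL report
set queue root tenshi@localhost sysadmin@localhost [now]

set queue pager tenshi@localhost pager:pager@localhost [now] tenshi alert
set queue mobile tenshi@localhost pager:93384@localhost,pager:235953@localhost [now] tenshi alert

set queue noprefix tenshi@localhost sysadmin@localhost [now] tenshi unprefixed alert

## sample filter
# The filter pipes the finished report through gpg so the recipient can verify
# it. --batch is non-interactive, so the signing key must be usable by the
# tenshi account without a passphrase prompt -- protect that keyring accordingly.
# set filter report /usr/bin/gpg --clearsign --batch -a -r sysadmin@localhost

## sample csv pipe
# set csv [0 * * * *] /usr/local/bin/afterglow.pl -c /etc/afterglow.conf -t > /var/lib/tenshi/tenshi.dot

## regexp definitions
# syntax: <queue_name>[,<queue_name>..] <regexp>
#
# NOTE(review): the layout of this section (specific patterns first, a bare
# program-name pattern at the end of each group, "misc .*" last) only makes
# sense if a line is assigned by the first regexp that matches it. Keep that
# order when adding rules -- confirm against the tenshi documentation.

## note: If you are not using the hidepid option for some reason, the regexps
## below will need to be slightly different, for example:
#
# mail ^sendmail: (.+): to=(.+),(.+)relay=(.+),(.+)stat=Sent(.+)
# would need to be:
# mail ^sendmail\[(.*)\]: to=(.+),(.+)relay=(.+),(.+)stat=Sent(.+)
# in order to match the sendmail line and mask the PID.

# NOTE(review): every other escape in this file uses a single backslash. As a
# Perl regexp, "\\d+" is a literal backslash followed by "d" characters, which
# would never match a repeat count. If repeated messages are not being folded,
# check whether this should read (\d+) -- confirm how tenshi loads the pattern.
repeat ^(?:last message repeated|above message repeats) (\\d+) time

# Lines sent to "trash" are discarded and appear in no report. Several of the
# prefixes below are short (^/dev, ^ISO, ^Directory, ^sda): any message that
# merely starts with them is dropped too, so keep trash patterns as narrow as
# the noise they are meant to remove.
trash ^hub.c
trash ^usb.c
trash ^uhci.c
trash ^sda

trash ^Initializing USB
trash ^scsi0 : SCSI emulation
trash ^Vendor:
trash ^Type:
trash ^Attached scsi removable
trash ^SCSI device sda
trash ^sda: Write
trash ^/dev/scsi
trash ^WARNING: USB
trash ^USB Mass Storage
trash ^/dev
trash ^ISO
trash ^floppy0
trash ^end_request
trash ^Directory
trash ^I/O error: dev 08:(.+), sector

nf ^netfilter

group ^sendmail:
mail ^sendmail: (.+): to=(.+),(.+)relay=(.+),(.+)stat=Sent(.+)
mail ^sendmail: (.+): to=(.+),(.+)relay=(.+),(.+)stat=Sent
mail ^sendmail: (.+): from=(.+),(.+)relay=(.+)
mail ^sendmail: STARTTLS=client(.+)
mail ^sendmail
group_end

# The "User unknown" trash rule in this group removes rejected-recipient lines
# from every report. Bursts of those lines are how address-guessing against
# the MTA shows up; route them to a digest queue instead if you want to see it.
group ^sm-mta:
mail ^sm-mta: (.+): to=(.+),(.+)delay=(.+)
mail ^sm-mta: (.+): to=(.+),(.+)relay=(.+),(.+)stat=Sent(.+)
mail ^sm-mta: (.+): to=(.+),(.+)relay=(.+),(.+)stat=Sent
mail ^sm-mta: (.+): to=(.+),(.+)relay=local(.+)stat=Sent(.+)
mail ^sm-mta: (.+): to=(.+),(.+)relay=local(.+)stat=Sent
mail ^sm-mta: (.+): to=(.+),(.+)stat=Sent(.+)
mail ^sm-mta: (.+): to=(.+),(.+)stat=Sent
mail ^sm-mta: (.+): from=(.+),(.+)relay=local(.+)
mail ^sm-mta: (.+): from=(.+),(.+)relay=(.+)
mail ^sm-mta: STARTTLS=server(.+)
mail ^sm-mta: STARTTLS=client(.+)
trash ^sm-mta:.+User unknown
mail ^sm-mta: ETRN
mail ^sm-mta
group_end

# Known ipop3d/imapd messages go to the mail digest, login failures included.
# Anything from these daemons that is not listed falls through to the last
# rule of the group and is also raised as critical.
group ^ipop3d:
mail ^ipop3d: Login user=(.+)
mail ^ipop3d: Logout user=(.+)
mail ^ipop3d: pop3s SSL service init from (.+)
mail ^ipop3d: pop3 service init from (.+)
mail ^ipop3d: Auth user=(.+)
mail ^ipop3d: Command stream end of file, while reading
mail ^ipop3d: Command stream end of file while reading
mail ^ipop3d: AUTHENTICATE LOGIN failure host=(.+)
mail ^ipop3d: AUTHENTICATE PLAIN failure host=(.+)
mail ^ipop3d: Login failed
mail,critical ^ipop3d:
group_end

group ^imapd:
mail ^imapd: Login user=(.+)
mail ^imapd: Logout user=(.+)
mail ^imapd: port (.+) service init from (.+)
mail ^imapd: imaps SSL service init from (.+)
mail ^imapd: Command stream end of file, while reading
mail ^imapd: Command stream end of file while reading
mail ^imapd: Authenticated user=(.+)
mail ^imapd: AUTHENTICATE LOGIN failure host=(.+)
mail ^imapd: AUTHENTICATE PLAIN failure host=(.+)
mail ^imapd: Autologout(.+)
mail ^imapd: Login failed
mail,critical ^imapd:
group_end

# NOTE(review): later OpenSSH releases log "Invalid user" rather than
# "Illegal user", so the critical rule in this group will not fire on them.
# Check the wording your sshd actually emits and adjust.
# Unlike the mail groups, this group has no trailing catch-all: sshd lines not
# listed here (password logins, for example) end up in "misc" via the final
# rule. PAM authentication failures are digest-only ("report").
group ^sshd(?:\(pam_unix\))?:
report ^sshd: fatal: Timeout before authentication for (.+)
critical ^sshd: Illegal user
report ^sshd: Connection from (.+)
report ^sshd: Connection closed (.+)
report ^sshd: Closing connection (.+)
report ^sshd: Found matching (.+) key: (.+)
report ^sshd: Accepted publickey (.+)
report ^sshd: Accepted rsa for (.+) from (.+) port (.+)
report ^sshd: Accepted keyboard-interactive/pam for (.+) from (.+) port (.+)
root ^sshd\(pam_unix\): session opened for user root by root\(uid=0\)
root ^sshd\(pam_unix\): session opened for user root by \(uid=0\)
report ^sshd\(pam_unix\): session closed for user (.+)
report ^sshd\(pam_unix\): session opened for user (.+)
report ^sshd\(pam_unix\): authentication failure; logname=
group_end

# Console root logins are raised immediately; other sessions go to the digest.
group ^login\(pam_unix\):
critical ^login\(pam_unix\): session opened for user root by root\(uid=0\)
critical ^login\(pam_unix\): session opened for user root by \(uid=0\)
report ^login\(pam_unix\): session closed for user (.+)
report ^login\(pam_unix\): session opened for user (.+)
group_end

report ^passwd\(pam_unix\):

group ^su\(pam_unix\):
root,report ^su\(pam_unix\): session opened for user root
root,report ^su\(pam_unix\): session closed for user root(.+)
report ^su\(pam_unix\): session opened for user (.+)
report ^su\(pam_unix\): session closed for user (.+)
group_end

# Every sudo line is mailed immediately through the critical queue.
critical ^(?:/usr/bin)?sudo:

critical,pager ^Oops
critical,pager ^Linux
critical ^init

# Catch-all: anything no rule above claimed still reaches a report. Removing
# it would make unmatched (i.e. unexpected) log lines disappear from view.
misc .*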