- smbd - number of logins, list users & clients
- sshd (DEPRECATED) - logins by user/hostname, attempted root logins, invalid users
- sshd-journald - logins by user/hostname, attempted root logins, invalid users (requires libsystemd)
-- sudo - number of sessions, list users and commands
+- sudo (DEPRECATED)- number of sessions, list users and commands
+- sudo-journald - number of sessions, list users and commands (requires libsystemd)
- sysinfo - hostname, OS, OS version, platform, processors
+- systemctl - system status, running/failed units (requires libsystemd)
- temperature - instantaneous temperatures of motherboard, CPU, cores, disks
+- ufw - blocked packets, port and IP data (requires libsystemd)
- zfs - zpool scrub reports, disk usage
.. _configuration:
mailbin
Path to the MTA binary (usually Postfix). Default: /usr/bin/mail
+======================
+Default parser options
+======================
+
+Each parser has its own set of options in a section with the name of the parser. In the case of multiple versions of the same parser (e.g. sshd and sshd-journald), the configuration section goes by the base name (e.g. sshd). Options defined in individual parser sections override those defined in the global configuration.
+
+####
+cron
+####
+
+period
+ Maximum age of logs to analyse. Overrides global config. Only used in cron-journald at the moment. See :ref:`period` for more information. Default: empty
+
+.. _period:
+
+####
+sshd
+####
+
+period
+ Maximum age of logs to analyse. Overrides global config. Only used in sshd-journald at the moment. See :ref:`period` for more information. Default: empty
+sshd-resolve-domains
+ DNS lookup configuration for sshd parsers only (overrides global config). Accepted values are `ip`, `fqdn`, `fqdn-implicit`, and `host-only`. See the global setting `resolve-domains` for more information. Default: empty
+
+####
+smbd
+####
+
+shares
+ Regular expression string for which Samba shares to include when parsing logs. To consider all shares, set this to `.*`. To exclude a certain share, use negative lookaround. Default: `^((?!IPC\$).)*$`
+users
+ Regular expression string for which user@hostname values to include when parsing logs. This could be used to exclude logins from a trusted user or hostname. Default: `.*`
+smbd-resolve-domains
+ DNS lookup configuration for smbd parsers only (overrides global config). Accepted values are `ip`, `fqdn`, `fqdn-implicit`, and `host-only`. See the global setting `resolve-domains` for more information. Default: empty
+period
+ Maximum age of logs to analyse. Overrides global config. Only used in smbd-journald at the moment. See :ref:`period` for more information. Default: empty
+
+#####
+httpd
+#####
+
+httpd-resolve-domains
+ DNS lookup configuration for httpd parser only (overrides global config). Accepted values are `ip`, `fqdn`, `fqdn-implicit`, and `host-only`. See the global setting `resolve-domains` for more information. Default: empty
+period
+ Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty
+
+###
+ufw
+###
+
+ufw-resolve-domains
+ DNS lookup configuration for ufw parser only (overrides global config). Accepted values are `ip`, `fqdn`, `fqdn-implicit`, and `host-only`. See the global setting `resolve-domains` for more information. Default: empty
+period
+ Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty
+
+####
+sudo
+####
+
+period
+ Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty
+
+#########
+systemctl
+#########
+
+period
+ Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty
+show-all
+ Whether to include services which are running but okay in the output. Default: true
+
+
+
+========================
+Log period configuration
+========================
+
+Some parsers support custom time periods to be searched for logs. This period is specified as a string in the configuration section of supported parsers, and is a timespan relative to the time when the parser is initialised. The time parsing functionality uses a modified version of `timeparse.py` originally written by Will Roberts under the MIT License. The following excerpt is taken from the documentation of `timeparse.py`:
+
+.. autofunction:: logparse.timeparse.strseconds
+
.. _variables:
=====================