forked from a2o/snoopy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
snoopy.ini.in
198 lines (177 loc) · 9.3 KB
/
snoopy.ini.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
;;; REQUIRED Section
;
[snoopy]
;;; Log Message Format specification
;
; May consist of:
; - arbitrary text, which is copied to log message as-is,
; - calls to data sources without arguments: %{datasourcename}
; - calls to data sources with argument : %{datasourcename:arg1}
; - calls to data sources with arguments: %{datasourcename:arg1,arg2} <--- if data source supports it
;
; List of available data sources:
; - %{cmdline} ; (available=@enable_datasource_cmdline@) Full command line, with arguments
; - %{cwd} ; (available=@enable_datasource_cwd@) Current working directory
; - %{datetime:fmt} ; (available=@enable_datasource_datetime@) Date and time. The format argument is optional, supports strftime() syntax (%-based conversion specifications, google for "man strftime()") and defaults to ISO 8601 format.
; - %{domain} ; (available=@enable_datasource_domain@) Domain of current system
; - %{egid} ; (available=@enable_datasource_egid@) Effective gid that executed the command
; - %{egroup} ; (available=@enable_datasource_egroup@) Effective group name that executed the command
; - %{env:VAR} ; (available=@enable_datasource_env@) Environmental variable named 'VAR'
; - %{env_all} ; (available=@enable_datasource_env_all@) All environmental varibles, comma separated
; - %{euid} ; (available=@enable_datasource_euid@) Effective uid that executed the command
; - %{eusername} ; (available=@enable_datasource_eusername@) Effective username that executed the command
; - %{filename} ; (available=@enable_datasource_filename@) Full path to executable
; - %{gid} ; (available=@enable_datasource_gid@) Group id that executed the command
; - %{group} ; (available=@enable_datasource_group@) Group name that executed the command
; - %{hostname} ; (available=@enable_datasource_hostname@) Hostname of current system
; - %{login} ; (available=@enable_datasource_login@) Login name (tries getlogin_r() first, then SUDO_USER env variabe, and LOGNAME env as last resort)
; - %{pid} ; (available=@enable_datasource_pid@) ID of process that executed the command
; - %{ppid} ; (available=@enable_datasource_ppid@) Parent process ID of process that executed the command
; - %{rpname} ; (available=@enable_datasource_rpname@) Root process name of process that executed the command
; - %{sid} ; (available=@enable_datasource_sid@) Process id of session group process leader
; - %{snoopy_configure_command} ; (available=@enable_datasource_snoopy_configure_command@) The ./configure command that was used to build Snoopy
; - %{snoopy_threads} ; (available=@enable_datasource_snoopy_threads@) Number of threads that Snoopy currently is configured for
; - %{snoopy_version} ; (available=@enable_datasource_snoopy_version@) Snoopy version
; - %{snoopy_literal:arg} ; (available=@enable_datasource_snoopy_literal@) Dummy data source, only returns its argument literally
; - %{tid} ; (available=@enable_datasource_tid@) Thread ID of process that executed the command
; - %{tid_kernel} ; (available=@enable_datasource_tid_kernel@) Thread ID of process that executed the command, as returned by Linux kernel
; - %{timestamp} ; (available=@enable_datasource_timestamp@) Current Unix timestamp
; - %{timestamp_ms} ; (available=@enable_datasource_timestamp_ms@) Millisecond part of current Unix timestamp
; - %{timestamp_us} ; (available=@enable_datasource_timestamp_us@) Microsecond part of current Unix timestamp
; - %{tty} ; (available=@enable_datasource_tty@) Which TTY the command was run on
; - %{tty_uid} ; (available=@enable_datasource_tty_uid@) TTY uid
; - %{tty_username} ; (available=@enable_datasource_tty_username@) TTY username
; - %{uid} ; (available=@enable_datasource_uid@) User id that executed the command
; - %{username} ; (available=@enable_datasource_username@) Username that executed the command
;
; Availability (yes/no):
; This flag signifies whether this build of Snoopy has particular data source
; built-in or not. If particular data source is not available and its use is
; desired, then Snoopy must be rebuilt with flags that enable given data
; source.
;
; Default value:
; "@SNOOPY_CONF_MESSAGE_FORMAT@"
;
; Examples:
;message_format = "useless static log entry that gets logged on every program execution"
;message_format = "uid=%{uid}" ; <--- this would only log uids who execute programs, nothing else;
;message_format = "uid=%{uid} tty=%{tty} cmdline=%{cmdline}" ; <--- logs uid + tty + command that is executed
;;; Filter Chain specification
;
; Must comply with the following rules:
; - one or more filters may be specified, separated by semicolon,
; - each filter may contain argument that follows the colon,
; - filter may accept multiple arguments, separated by comma,
; - filter chain must not contain any spaces (allowed in filter arguments, but generally discouraged).
;
; List of available filters:
; - exclude_spawns_of ; (available=@enable_filter_exclude_spawns_of@) Exclude log entries that occur in specified process trees
; - exclude_uid ; (available=@enable_filter_exclude_uid@) Exclude these UIDs from logging
; - only_root ; (available=@enable_filter_only_root@) Only log root commands
; - only_tty ; (available=@enable_filter_only_tty@) Only log commands associated with a TTY
; - only_uid ; (available=@enable_filter_only_uid@) Only log commands executed by these UIDs
;
; Availability (yes/no):
; This flag signifies whether this build of Snoopy has particular filter
; built-in or not. If particular filter is not available and its use is
; desired, then Snoopy must be rebuilt with flags that enable given filter.
;
; Sample definitions with explanations:
; - filter_chain = "exclude_uid:0" # Log all commands, except the ones executed by root
; - filter_chain = "exclude_uid:1,2,3" # Log all commands, except those executed by users with UIDs 1, 2 and 3
; - filter_chain = "only_uid:0" # Log only root commands
; - filter_chain = "exclude_spawns_of:cron,my_daemon" # Do not log commands spawned by cron or my_daemon
; - filter_chain = "filter1:arg11;filter2:arg21,arg22;filter3:arg31,32,33"
;
; Default value:
; "" (empty string)
;
; Examples:
;filter_chain = ""
;filter_chain = "only_uid:0"
;filter_chain = "only_uid:10000"
;filter_chain = "exclude_uid:0"
;;; Output
;
; Where messages get sent to
;
; List of available outputs:
; - devlog ; (available=@enable_output_devlog@) Default, writes directly to /dev/log.
; - devnull ; (available=@enable_output_devnull@) Black hole.
; - devtty ; (available=@enable_output_devtty@) Write to current tty via /dev/tty.
; - file ; (available=@enable_output_file@) Write directly to file. (NOTICE: Make sure file has proper permissions set for non-root users.)
; - socket ; (available=@enable_output_socket@) Built-in output. As argument it requires an absolute path of socket to write to.
; - stderr ; (available=@enable_output_stderr@) Write to STDERR. Mainly useful for debugging purposes.
; - stdout ; (available=@enable_output_stdout@) Write to STDOUT. Mainly useful for debugging purposes.
; - syslog ; (available=@enable_output_syslog@) Previuosly-default (WARNING: DO NOT USE syslog OUTPUT WITH systemd - IT WILL HANG YOUR SYSTEM ON BOOT)
;
; Availability (yes/no):
; This flag signifies whether this build of Snoopy has particular output
; built-in or not. If particular output is not available and its use is
; desired, then Snoopy must be rebuilt with flags that enable given output.
;
; List of outputs pending implementation (patches welcome!):
; - console ; TODO
; - journald ; TODO
;
; Default value:
; devlog
; (previously 'syslog' was default value, but due to systemd issues default was changed)
; (to raw device writing as syslogd blocks syslog() calls if journald is not running)
;
; Example:
;output = console
;output = devlog
;output = file:/var/log/snoopy.log
;output = socket:/var/run/socket-for-snoopy.sock
;;; Error Logging
;
; Whether to log error messages or not.
; This should generally be disabled, as it may generate lots of error logs.
;
; The most appropriate usage of this parameter is when:
; - you are developing new data source
; - you are trying to configure message format and are having problems with it
;
; Default value:
; no (unless changed by ./configure --enable-error-logging to yes)
;
; Example:
;error_logging = yes
;;; Syslog Facility
;
; What syslog facility to use. Can be prefixed with 'LOG_'.
;
; Possible values:
; One of AUTH|AUTHPRIV|CRON|DAEMON|FTP|KERN|LOCAL[0-7]|LPR|MAIL|NEWS|SYSLOG|USER|UUCP
;
; Default value:
; LOG_AUTHPRIV (unless changed by ./configure --with-syslog-facility=FACILITY)
;
; Example:
;syslog_facility = LOG_AUTHPRIV
;;; Syslog Ident
;
; What syslog ident (program name) to use.
;
; Possible values:
; Any non-spaced string.
;
; Default value:
; "snoopy" (unless changed by ./configure --with-syslog-ident="other")
;
; Example:
;syslog_ident = "my-ident-string"
;;; Syslog Level
;
; What syslog level to use. Can be prefixed with 'LOG_'.
;
; Possible values:
; One of EMERG|ALERT|CRIT|ERR|WARNING|NOTICE|INFO|DEBUG
;
; Default value:
; LOG_INFO (unless changed by ./configure --with-syslog-level=LEVEL)
;
; Example:
;syslog_level = LOG_INFO