- Remove BuildRequires on gamin, it's being removed.

OBS-URL: https://build.opensuse.org/package/show/server:monitoring/prelude-lml?expand=0&rev=26

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

prelude-lml-5.2.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6d386d02fea12e45e215f038b19572278414ddbc75d7f9d9f2a43171ba5faf5f
+size 1584414

prelude-lml-conf_rsyslog.patch

@@ -0,0 +1,38 @@
+From: Thomas Andrejak <thomas.andrejak@gmail.com>
+Date: 2017-02-27 23:25:00 +0100
+References: Specific
+Upstream: no
+Subject: Add default syslog format to work out of the box
+
+--- prelude-lml.conf	2016-09-15 09:03:39.835000884 +0200
++++ prelude-lml.conf	2017-02-18 00:46:18.061525071 +0100
+@@ -88,6 +88,13 @@
+ #
+ 
+ 
++[format=rsyslog]
++time-format = "%Y-%m-%dT%H:%M:%S" 
++prefix-regex = "^(?P<timestamp>.{20}).{12} (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
++file = /var/log/messages
++file = /var/log/secure
++
++
+ [format=syslog]
+ time-format = "%b %d %H:%M:%S"
+ prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
+--- prelude-lml.conf.in	2016-09-15 08:49:20.170000884 +0200
++++ prelude-lml.conf.in	2017-02-18 00:46:47.168897144 +0100
+@@ -88,6 +88,13 @@
+ #
+ 
+ 
++[format=rsyslog]
++time-format = "%Y-%m-%dT%H:%M:%S" 
++prefix-regex = "^(?P<timestamp>.{20}).{12} (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
++file = /var/log/messages
++file = /var/log/secure
++
++
+ [format=syslog]
+ time-format = "%b %d %H:%M:%S"
+ prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"

prelude-lml-fix_check.patch

@@ -0,0 +1,510 @@
+From: Thomas Andrejak <thomas.andrejak@gmail.com>
+Date: 2017-10-04 07:00:00 +0100
+References: http://prelude-siem.org/issues/872
+Upstream: submitted
+Subject: Fix make check
+
+diff -Nru src/file-server.c src/file-server.c
+--- ./src/file-server.c	2016-09-15 08:49:20.170000884 +0200
++++ ./src/file-server.c	2017-01-28 18:18:06.634761198 +0100
+@@ -346,6 +346,9 @@
+         ssize_t ret;
+         struct stat st;
+ 
++	if ( config.dry_run )
++		return 0;
++
+         if ( fstat(fileno(monitor->metadata_fd), &st) < 0 ) {
+                 prelude_log(PRELUDE_LOG_WARN, "fstat failed : %s.\n", strerror(errno));
+                 return -1;
+@@ -416,6 +419,9 @@
+         off_t offset = 0, available = 65535;
+         unsigned char msum[METADATA_SIZE], *sumptr = msum;
+ 
++	if ( config.dry_run )
++		return 0;
++
+         filename = lml_log_source_get_name(monitor->source);
+ 
+         ret = file_metadata_read(monitor, &offset, &sumptr);
+@@ -477,6 +483,9 @@
+         int fd;
+         char file[PATH_MAX], path[PATH_MAX], *ptr;
+ 
++	if ( config.dry_run )
++		return 0;
++
+         strncpy(file, lml_log_source_get_name(monitor->source), sizeof(file));
+ 
+         while ( (ptr = strchr(file, '/')) )
+diff -Nru src/prelude-lml.c src/prelude-lml.c
+--- ./src/prelude-lml.c	2016-09-15 08:49:20.171000884 +0200
++++ ./src/prelude-lml.c	2017-01-28 18:19:25.373006781 +0100
+@@ -361,6 +361,7 @@
+         ev_timer evt;
+         struct timeval end;
+         struct sigaction action;
++	const char *env;
+ 
+         /*
+          * Initialize libev.
+@@ -389,7 +390,11 @@
+         if ( ret < 0 )
+                 return ret;
+ 
+-        ret = log_plugins_init(LOG_PLUGIN_DIR, lml_root_optlist);
++	env = getenv("PRELUDE_LML_PLUGIN_DIR");
++	if ( !env )
++		env = LOG_PLUGIN_DIR;
++
++        ret = log_plugins_init(env, lml_root_optlist);
+         if (ret < 0)
+                 return ret;
+ 
+diff -Nru src/regex.c src/regex.c
+--- ./src/regex.c	2016-09-15 08:49:20.172000884 +0200
++++ ./src/regex.c	2017-01-28 18:17:45.931222693 +0100
+@@ -156,16 +156,20 @@
+         FILE *fd;
+         size_t len;
+         char buf[1024];
+-        const char *errptr;
++        const char *errptr, *env;
+         int line = 0, erroff;
+         regex_table_item_t *rt;
+         pcre_extra *regex_regex_extra = NULL;
+         char *regex, *options, *source, *plugin;
+         pcre *regex_regex = NULL, *source_regex = NULL;
+ 
+-        fd = fopen(REGEX_CONF, "r");
++	env = getenv("PRELUDE_LML_REGEX_CONF");
++	if ( !env )
++		env = REGEX_CONF;
++
++        fd = fopen(env, "r");
+         if ( ! fd ) {
+-                prelude_log(PRELUDE_LOG_ERR, "couldn't open config file %s.\n", REGEX_CONF);
++                prelude_log(PRELUDE_LOG_ERR, "couldn't open config file %s.\n", env);
+                 return -1;
+         }
+ 
+diff -Nru tests/Makefile.in tests/Makefile.in
+--- ./tests/Makefile.in	2016-09-15 09:03:00.925000884 +0200
++++ ./tests/Makefile.in	2017-01-28 18:22:00.268558881 +0100
+@@ -1362,7 +1362,10 @@
+ 	cd $(top_srcdir)/prelude-lml && make
+ 
+ check-am:
+-	$(srcdir)/loggrep.py $(top_srcdir)/plugins/pcre/ruleset/*.rules | $(top_srcdir)/src/prelude-lml --quiet --dry-run --metadata=nowrite,head --batch-mode --no-resolve --pcre --dump-unmatched --config $(srcdir)/prelude-lml.conf 2>&1 | $(GREP) -Fvf $(srcdir)/ignored
++	rm -rf plugins && mkdir plugins
++	cp $(top_srcdir)/plugins/*/.libs/*.so plugins
++	./loggrep.py regex.test | PRELUDE_LML_PLUGIN_DIR=plugins PRELUDE_LML_REGEX_CONF=plugins.rules $(top_srcdir)/src/prelude-lml --quiet --dry-run --metadata=nowrite,head --batch-mode --no-resolve --pcre --dump-unmatched --config $(srcdir)/prelude-lml.conf 2>&1 | $(GREP) -Fvf $(srcdir)/ignored
++	rm -rf plugins
+ 
+ -include $(top_srcdir)/git.mk
+ 
+diff -Nru tests/plugins.rules tests/plugins.rules
+--- ./tests/plugins.rules	1970-01-01 01:00:00.000000000 +0100
++++ ./tests/plugins.rules	2017-01-28 18:20:24.857682680 +0100
+@@ -0,0 +1 @@
++  * 		Pcre		-			*
+diff -Nru tests/prelude-lml.conf tests/prelude-lml.conf
+--- ./tests/prelude-lml.conf	2016-09-15 08:49:20.172000884 +0200
++++ ./tests/prelude-lml.conf	2017-01-28 18:20:30.037567378 +0100
+@@ -3,51 +3,5 @@
+ prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
+ file = -
+ 
+-[format=apache]
+-time-format = "%d/%b/%Y:%H:%M:%S"
+-prefix-regex = "(?P<hostname>\S+) \S+ \S+ \[(?P<timestamp>.{20}) [+-].{4}\] "
+-file = -
+-
+-[format=apache-error]
+-#[Sat Mar 12 22:56:12 2005] [error] [client 127.0.0.1]
+-time-format = "%a %b %d %H:%M:%S %Y"
+-prefix-regex = "^\[(?P<timestamp>.{24})\]"
+-file = -
+-
+-[format=checkpoint]
+-time-format = "%d%b%Y %H:%M:%S"
+-prefix-regex = "^(?P<timestamp>.{20})"
+-file = -
+-
+-[format=squid]
+-#2005/11/28 06:00:44|
+-time-format = "%Y/%m/%d %H:%M:%S"
+-prefix-regex = "^(?P<timestamp>.{19})\| "
+-file = -
+-
+-[format=honeyd]
+-#2006-08-18-12:21:12.1239
+-time-format = "%Y-%m-%d-%H:%M:%S"
+-prefix-regex = "^(?P<timestamp>.{19})\."
+-file = -
+-
+-[format=honeytrap]
+-#[2007-05-26 16:48:09]
+-time-format = "%Y-%m-%d %H:%M:%S"
+-prefix-regex = "^\[(?P<timestamp>.{19})\]"
+-file = -
+-
+-[format=kojoney]
+-#2007/04/12 21:57 CEST
+-time-format = "%Y/%m/%d %H:%M"
+-prefix-regex = "^(?P<timestamp>.{16}) "
+-file = -
+-
+-[format=rishi]
+-#2007-05-20 12:49:57,644
+-time-format = "%Y-%m-%d %H:%M:%S"
+-prefix-regex = "^(?P<timestamp>.{19}),"
+-file = -
+-
+ [Pcre]
+-ruleset=../plugins/pcre/ruleset/pcre.rules
++ruleset=./regex.test
+diff -Nru tests/regex.test tests/regex.test
+--- ./tests/regex.test	1970-01-01 01:00:00.000000000 +0100
++++ ./tests/regex.test	2017-01-28 18:20:17.921837067 +0100
+@@ -0,0 +1,340 @@
++#FULLNAME: SSH
++#VERSION: 1.0
++#DESCRIPTION: SSH, is a cryptographic (encrypted) network protocol to allow remote login and other network services to operate securely over an unsecured network.
++
++#####
++#
++# Copyright (C) 2002,2004 Nicolas Delon <nicolas@prelude-siem.org>
++# Copyright (C) 2005 G Ramon Gomez <gene at gomezbrothers dot com>
++# All Rights Reserved
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 2, or (at your option)
++# any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License along
++# with this program; if not, write to the Free Software Foundation, Inc.,
++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++#####
++
++###################
++# Logging succeed #
++###################
++
++#LOG:Dec  8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from 12.34.56.78 port 56634 ssh2
++regex=for root from|user root; \
++ id=1907; \
++ assessment.impact.type=admin; \
++ assessment.impact.severity=medium; \
++ silent; chained
++
++#LOG:Dec  8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from 12.34.56.78 port 56634 ssh2
++#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for root from fec0:0:201::3 port 63018 ssh2
++#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for john from fec0:0:201::3 port 63018 ssh2
++#LOG:Dec 10 10:33:19 itguxweb2 sshd[29738]: Accepted password for ekwong from 12.34.56.78 port 39852 ssh2
++regex=Accepted (\S+) for (\S+) from (\S+) port (\d+); \
++ classification.text=Remote Login; \
++ optgoto=1907; \
++ id=1908; \
++ revision=3; \
++ analyzer(0).name=sshd; \
++ analyzer(0).manufacturer=OpenSSH; \
++ analyzer(0).class=Authentication; \
++ assessment.impact.severity=low; \
++ assessment.impact.completion=succeeded; \
++ assessment.impact.type=user; \
++ assessment.impact.description=User $2 logged in from $3 port $4 using the $1 method; \
++ source(0).node.address(0).address=$3; \
++ source(0).service.port=$4; \
++ source(0).service.iana_protocol_name=tcp; \
++ source(0).service.iana_protocol_number=6; \
++ target(0).service.port=22; \
++ target(0).service.name=ssh; \
++ target(0).service.iana_protocol_name=tcp; \
++ target(0).service.iana_protocol_number=6; \
++ target(0).user.category=os-device; \
++ target(0).user.user_id(0).type=target-user; \
++ target(0).user.user_id(0).name=$2; \
++ additional_data(0).type=string; \
++ additional_data(0).meaning=Authentication method; \
++ additional_data(0).data=$1; \
++ last;
++
++
++################
++# Login failed #
++################
++
++#LOG:Dec  9 16:00:35 itguxweb2 sshd[24541]: Failed password for root from 12.34.56.78 port 1806
++#LOG:Dec  9 21:29:56 devel5 sshd[17554]: Failed password for akarade from 12.34.56.78 port 4214
++regex=Failed (\S+) for (\S+) from (\S+) port (\d+); \
++ optgoto=1907; \
++ classification.text=Remote Login; \
++ id=1902; \
++ revision=3; \
++ analyzer(0).name=sshd; \
++ analyzer(0).manufacturer=OpenSSH; \
++ analyzer(0).class=Authentication; \
++ assessment.impact.severity=medium; \
++ assessment.impact.completion=failed; \
++ assessment.impact.type=user; \
++ assessment.impact.description=Someone tried to login as $2 from $3 port $4 using the $1 method; \
++ source(0).node.address(0).address=$3; \
++ source(0).service.port=$4; \
++ source(0).service.iana_protocol_name=tcp; \
++ source(0).service.iana_protocol_number=6; \
++ target(0).service.port=22; \
++ target(0).service.name=ssh; \
++ target(0).service.iana_protocol_name=tcp; \
++ target(0).service.iana_protocol_number=6; \
++ target(0).user.category=os-device; \
++ target(0).user.user_id(0).type=target-user; \
++ target(0).user.user_id(0).name=$2; \
++ additional_data(0).type=string; \
++ additional_data(0).meaning=Authentication method; \
++ additional_data(0).data=$1; \
++ last
++
++
++##############################################
++# Invalid (not existing) user tried to login #
++##############################################
++
++#LOG:Jan 20 14:10:02 blah sshd[25443]: Invalid user admin from 213.201.222.134
++regex=(Illegal|Invalid) user (\S+) from (\S+); \
++ classification.text=User login failed with an invalid user; \
++ id=1904; \
++ revision=2; \
++ analyzer(0).name=sshd; \
++ analyzer(0).manufacturer=OpenSSH; \
++ analyzer(0).class=Authentication; \
++ assessment.impact.severity=medium; \
++ assessment.impact.completion=failed; \
++ assessment.impact.type=user; \
++ assessment.impact.description=Someone tried to login with the invalid user "$2" from $3; \
++ source(0).node.address(0).address=$3; \
++ source(0).service.iana_protocol_name=tcp; \
++ source(0).service.iana_protocol_number=6; \
++ target(0).service.port=22; \
++ target(0).service.name=ssh; \
++ target(0).service.iana_protocol_name=tcp; \
++ target(0).service.iana_protocol_number=6; \
++ target(0).user.category=os-device; \
++ target(0).user.user_id(0).type=target-user; \
++ target(0).user.user_id(0).name=$2; \
++ last
++
++##################################################################################
++# User listed in DenyGroups or DenyUsers (sshd_config directives) tried to login #
++##################################################################################
++
++#LOG:Jan  6 22:50:24 localhost sshd[15489]: User nobody not allowed because none of user's groups are listed in AllowGroups
++regex=User (\S+) not allowed because (.*)listed in (\w+); \
++ classification.text=User login failed with a denied user; \
++ id=1905; \
++ revision=3; \
++ analyzer(0).name=sshd; \
++ analyzer(0).manufacturer=OpenSSH; \
++ analyzer(0).class=Authentication; \
++ assessment.impact.severity=medium; \
++ assessment.impact.completion=failed; \
++ assessment.impact.type=user; \
++ assessment.impact.description=User $1 failed to login because $2 listed in $3; \
++ source(0).service.iana_protocol_name=tcp; \
++ source(0).service.iana_protocol_number=6; \
++ target(0).service.port=22; \
++ target(0).service.name=ssh; \
++ target(0).service.iana_protocol_name=tcp; \
++ target(0).service.iana_protocol_number=6; \
++ target(0).user.category=os-device; \
++ target(0).user.user_id(0).type=target-user; \
++ target(0).user.user_id(0).name=$1; \
++ additional_data(0).type=string; \
++ additional_data(0).meaning=ACL; \
++ additional_data(0).data=$3; \
++ additional_data(1).type=string; \
++ additional_data(1).meaning=Failure reason; \
++ additional_data(1).data=$2 listed in $3; \
++ last
++
++##################################################################
++# Sshd did not receive the identification string from the client #
++# (maybe a ssh server recognition)                               #
++##################################################################
++
++#LOG:Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from 1.2.3.4
++regex=Did not receive identification string from (\S+); \
++ classification.text=Server recognition; \
++ id=1906; \
++ revision=2; \
++ analyzer(0).name=sshd; \
++ analyzer(0).manufacturer=OpenSSH; \
++ analyzer(0).class=Authentication; \
++ assessment.impact.severity=medium; \
++ assessment.impact.completion=failed; \
++ assessment.impact.type=recon; \
++ assessment.impact.description=$1 is probably making a server recognition; \
++ source(0).node.address(0).address=$1; \
++ source(0).service.iana_protocol_name=tcp; \
++ source(0).service.iana_protocol_number=6; \
++ target(0).service.port=22; \
++ target(0).service.name=ssh; \
++ target(0).service.iana_protocol_name=tcp; \
++ target(0).service.iana_protocol_number=6; \
++ additional_data(0).type=string; \
++ additional_data(0).meaning=Failure reason; \
++ additional_data(0).data=Did not receive identification string; \
++ last
++
++#########################################################################
++# Forbidden root login                                                  #
++# (directive PermitRootLogin and keyword "no" or "forced-commands-only" #
++# of the sshd_config file)                                              #
++#########################################################################
++
++#LOG:Jan  5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
++regex=ROOT LOGIN REFUSED FROM (\S+); \
++ classification.text=Admin login; \
++ id=1909; \
++ revision=2; \
++ analyzer(0).name=sshd; \
++ analyzer(0).manufacturer=OpenSSH; \
++ analyzer(0).class=Authentication; \
++ assessment.impact.severity=medium; \
++ assessment.impact.completion=failed; \
++ assessment.impact.type=admin; \
++ assessment.impact.description=Root tried to login while it is forbidden; \
++ source(0).node.address(0).address=$1; \
++ source(0).service.iana_protocol_name=tcp; \
++ source(0).service.iana_protocol_number=6; \
++ target(0).service.port=22; \
++ target(0).service.name=ssh; \
++ target(0).service.iana_protocol_name=tcp; \
++ target(0).service.iana_protocol_number=6; \
++ target(0).user.category=os-device; \
++ target(0).user.user_id(0).type=target-user; \
++ target(0).user.user_id(0).name=root; \
++ last
++
++
++# Re: Generic Message Exchange Authentication For SSH
++#               <draft-ietf-secsh-auth-kbdinteract-06.txt>
++#LOG:Jan 14 08:19:21 ras sshd[22774]: input_userauth_request: invalid user remote-mail
++regex=input_userauth_request: (illegal|invalid) user (\S+); \
++ classification.text=Invalid user in authentication request; \
++ id=1910; \
++ revision=3; \
++ analyzer(0).name=sshd; \
++ analyzer(0).manufacturer=OpenSSH; \
++ analyzer(0).class=Authentication; \
++ assessment.impact.severity=medium; \
++ assessment.impact.completion=failed; \
++ assessment.impact.type=user; \
++ assessment.impact.description=General purpose authentication request was blocked. Reason: invalid user $2; \
++ source(0).service.iana_protocol_name=tcp; \
++ source(0).service.iana_protocol_number=6; \
++ target(0).service.port=22; \
++ target(0).service.name=ssh; \
++ target(0).service.iana_protocol_name=tcp; \
++ target(0).service.iana_protocol_number=6; \
++ target(0).user.category=os-device; \
++ target(0).user.user_id(0).type=target-user; \
++ target(0).user.user_id(0).name=$2; \
++ additional_data(0).type=string; \
++ additional_data(0).meaning=Failure reason; \
++ additional_data(0).data=$1 user; \
++ last
++
++# Re: Generic Message Exchange Authentication For SSH
++#               <draft-ietf-secsh-auth-kbdinteract-06.txt>
++# This rule catches several other combinations that can be output by
++# input_userauth_request() in auth2.c
++#LOG:Jan 14 08:19:21 ras sshd[22774]: input_userauth_request: invalid user remote-mail
++regex=input_userauth_request: (.+); \
++ classification.text=Invalid user in authentication request; \
++ id=1911; \
++ revision=2; \
++ analyzer(0).name=sshd; \
++ analyzer(0).manufacturer=OpenSSH; \
++ analyzer(0).class=Authentication; \
++ assessment.impact.severity=medium; \
++ assessment.impact.completion=failed; \
++ assessment.impact.type=user; \
++ assessment.impact.description=General purpose authentication request was blocked. Reason: $1; \
++ source(0).service.iana_protocol_name=tcp; \
++ source(0).service.iana_protocol_number=6; \
++ target(0).service.port=22; \
++ target(0).service.name=ssh; \
++ target(0).service.iana_protocol_name=tcp; \
++ target(0).service.iana_protocol_number=6; \
++ target(0).user.category=os-device; \
++ last
++
++#LOG:Dec  9 18:48:29 itguxweb2 sshd[29536]: Failed password for illegal user ROOT from 12.34.56.78 port 2886
++#LOG:Jan 14 08:19:21 ras sshd[22774]: Failed none for invalid user remote-mail from 192.168.1.22 port 65407 ssh2
++#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from fec0:0:201::3 port 62788 ssh2
++#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from 1.2.3.4 port 62788 ssh2
++#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from hostname port 62788 ssh2
++regex=Failed (\S+) for (illegal|invalid) user (\S+) from (\S+) port (\d+); \
++ classification.text=Remote Login; \
++ optgoto=1907; \
++ id=1912; \
++ revision=3; \
++ analyzer(0).name=sshd; \
++ analyzer(0).manufacturer=OpenSSH; \
++ analyzer(0).class=Authentication; \
++ assessment.impact.severity=medium; \
++ assessment.impact.completion=failed; \
++ assessment.impact.type=admin; \
++ assessment.impact.description=Someone tried to login as $3 from $4 port $5 using the $1 method; \
++ source(0).node.address(0).address=$4; \
++ source(0).service.port=$5; \
++ source(0).service.iana_protocol_name=tcp; \
++ source(0).service.iana_protocol_number=6; \
++ target(0).service.port=22; \
++ target(0).service.name=ssh; \
++ target(0).service.iana_protocol_name=tcp; \
++ target(0).service.iana_protocol_number=6; \
++ target(0).user.category=os-device; \
++ target(0).user.user_id(0).type=target-user; \
++ target(0).user.user_id(0).name=$3; \
++ additional_data(0).type=string; \
++ additional_data(0).meaning=Authentication method; \
++ additional_data(0).data=$1; \
++ additional_data(1).type=string; \
++ additional_data(1).meaning=Failure reason; \
++ additional_data(1).data=$2 user; \
++ last
++
++#LOG:Oct  2 14:40:05 suse-9.2 sshd[18725]: error: PAM: Authentication failure for root from unknown.anywhere.net
++#LOG:Oct  2 14:46:52 suse-9.2 sshd[18804]: error: PAM: Authentication failure for foobar from unknown.anywhere.net
++regex=error: PAM: Authentication failure for (\S+) from (\S+); \
++ classification.text=Remote Login; \
++ optgoto=1907; \
++ id=1914; \
++ revision=2; \
++ analyzer(0).name=sshd; \
++ analyzer(0).manufacturer=OpenSSH; \
++ analyzer(0).class=Authentication; \
++ assessment.impact.severity=medium; \
++ assessment.impact.completion=failed; \
++ assessment.impact.type=user; \
++ assessment.impact.description=Someone tried to login as $1 from $2; \
++ source(0).node.name=$2; \
++ source(0).service.iana_protocol_name=tcp; \
++ source(0).service.iana_protocol_number=6; \
++ target(0).service.port=22; \
++ target(0).service.name=ssh; \
++ target(0).service.iana_protocol_name=tcp; \
++ target(0).service.iana_protocol_number=6; \
++ target(0).user.category=os-device; \
++ target(0).user.user_id(0).type=target-user; \
++ target(0).user.user_id(0).name=$1; \
++ last

prelude-lml-fix_etc_perms.patch

@@ -0,0 +1,45 @@
+From: Thomas Andrejak <thomas.andrejak@gmail.com>
+Date: 2017-10-04 07:00:00 +0100
+References: http://prelude-siem.org/issues/870
+Upstream: submitted
+Subject: Fix Prelude LML dirs permissions
+
+--- ./Makefile.in	2016-09-15 09:03:01.116000884 +0200
++++ ./Makefile.in	2017-01-26 07:38:35.217447516 +0100
+@@ -1762,9 +1762,9 @@
+ 
+ 
+ install-data-local:
+-	$(INSTALL) -m 700 -d $(DESTDIR)$(configdir);
+-	$(INSTALL) -m 700 -d $(DESTDIR)$(lml_run_dir);
+-	$(INSTALL) -m 700 -d $(DESTDIR)$(metadata_dir)
++	$(INSTALL) -m 755 -d $(DESTDIR)$(configdir);
++	$(INSTALL) -m 755 -d $(DESTDIR)$(lml_run_dir);
++	$(INSTALL) -m 755 -d $(DESTDIR)$(metadata_dir)
+ 	@if test -f $(DESTDIR)$(configdir)/prelude-lml.conf; then         					\
+ 		echo "********************************************************************************"; 	\
+                 echo;                                                                                    	\
+@@ -1772,9 +1772,9 @@
+                 echo "Installing default configuration in $(DESTDIR)$(configdir)/prelude-lml.conf-dist";        \
+                 echo;                                                                                    	\
+                 echo "********************************************************************************"; 	\
+-		$(INSTALL) -m 600 $(top_srcdir)/prelude-lml.conf $(DESTDIR)$(configdir)/prelude-lml.conf-dist;  \
++		$(INSTALL) -m 644 $(top_srcdir)/prelude-lml.conf $(DESTDIR)$(configdir)/prelude-lml.conf-dist;  \
+         else                                                                                             	\
+-                $(INSTALL) -m 600 $(top_srcdir)/prelude-lml.conf $(DESTDIR)$(configdir)/;                       \
++                $(INSTALL) -m 644 $(top_srcdir)/prelude-lml.conf $(DESTDIR)$(configdir)/;                       \
+         fi
+ 	@if test -f $(DESTDIR)$(configdir)/plugins.rules; then         					\
+ 		echo "********************************************************************************"; 	\
+@@ -1783,9 +1783,9 @@
+                 echo "Installing default configuration in $(DESTDIR)$(configdir)/plugins.rules-dist";	        \
+                 echo;                                                                                    	\
+                 echo "********************************************************************************"; 	\
+-		$(INSTALL) -m 600 $(top_srcdir)/plugins.rules $(DESTDIR)$(configdir)/plugins.rules-dist;	\
++		$(INSTALL) -m 644 $(top_srcdir)/plugins.rules $(DESTDIR)$(configdir)/plugins.rules-dist;	\
+         else                                                                                             	\
+-		$(INSTALL) -m 600 $(top_srcdir)/plugins.rules $(DESTDIR)$(configdir)/;				\
++		$(INSTALL) -m 644 $(top_srcdir)/plugins.rules $(DESTDIR)$(configdir)/;				\
+         fi
+ 
+ uninstall-local:

prelude-lml-tmpfiles.conf

@@ -0,0 +1 @@
+d /run/prelude-lml 0750 root root

prelude-lml.changes

@@ -0,0 +1,92 @@
+-------------------------------------------------------------------
+Fri Nov 15 09:28:18 UTC 2024 - Ana Guerrero <ana.guerrero@suse.com>
+
+- Remove BuildRequires on gamin, it's being removed. 
+
+-------------------------------------------------------------------
+Thu Feb 29 14:51:34 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Use %autosetup macro. Allows to eliminate the usage of deprecated
+  %patchN.
+
+-------------------------------------------------------------------
+Wed Oct 20 08:59:50 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+  * prelude-lml.service
+
+-------------------------------------------------------------------
+Sun Oct 25 18:29:49 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- prelude-lml 5.2.0:
+  * Fix max-rotation-size-offset parsing
+  * Document the log-max-length option
+- add upstream signing key and verify source signature
+
+-------------------------------------------------------------------
+Mon Feb  3 15:45:03 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
+  shortcut through the -mini flavors.
+
+-------------------------------------------------------------------
+Fri Oct 25 07:00:00 UTC 2019 - thomas.andrejak@gmail.com
+
+Bump version 5.1.0
+  - Support of Syslog priority field
+  - Fix support of AdditionalData
+  - Update SELinux policies
+
+- Bump spec copyright to 2019
+- Update License field
+
+-------------------------------------------------------------------
+Wed Oct 04 07:00:00 UTC 2017 - thomas.andrejak@gmail.com
+
+- Update to 4.0.0
+- Rename source prelude-lml.run to prelude-lml-tmpfiles.conf 
+- Clean prelude-lml.service
+- Add patchs:
+  - prelude-lml-fix_check.patch: Fix make check
+  - prelude-lml-fix_etc_perms.patch: Fix Prelude LML dirs permissions
+
+-------------------------------------------------------------------
+Thu Mar 23 14:41:36 UTC 2017 - aj@ajaissle.de
+
+- Added %ghost /run/%{name}
+
+-------------------------------------------------------------------
+Fri Feb 10 00:33:55 UTC 2017 - thomas.andrejak@gmail.com
+
+- Update to 3.1.0 (Prelude 3.1.0 released on 14 Sept 2016)
+- Add missing /var/lib/prelude-lml dir
+- Remove unnecessary spool directory
+- Patch the configuration to be naturally OK with rsyslog
+  prelude-lml-conf_rsyslog.patch
+- Spec-Cleaner
+
+-------------------------------------------------------------------
+Thu Jan 26 21:35:45 UTC 2017 - jengelh@inai.de
+
+- Use SUSE RPM group names
+
+-------------------------------------------------------------------
+Thu Sep 15 10:25:42 UTC 2016 - thomas.andrejak@gmail.com
+
+- Update licence from GPL-2.0+ to GPL-3.0+ to include libmissing
+
+-------------------------------------------------------------------
+Sun Sep  4 21:57:53 UTC 2016 - thomas.andrejak@gmail.com
+
+Remove Selinux since it should be directly in Security:SELinux
+
+Clean usage of "-n %{name}-"
+
+-------------------------------------------------------------------
+Tue May  3 21:57:53 UTC 2016 - thomas.andrejak@gmail.com
+
+Initial import
+
+Add systemd files because it is a daemon.
+
+Also package SELinux files.

prelude-lml.keyring

@@ -0,0 +1,25 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.14 (GNU/Linux)
+
+mQGiBE/R25ERBADEyDMws7lO01nlE+eefOWrCtezQu1yBx+UuM1m4jOZZVrmanDS
+zjK1gPqfthopUr8u7YZb3F71iGchMwFZFL4BGCoXjTvB76KVmcqppUQjDfRMW2d1
+F0CazairAM2POYiYGzAqD1ZjVxtyayhXV/gXDLQdrWIJC7NOqIKeL+zlzwCg+AES
+j9o4QLqEiWURtiFpqJ1d4CsD/1jffzqynSUHQvkNW7JmFVYdayp4VZ9PC+GP9UBH
+d59IASh6tvqNUuC6Z9bwQaIeWGM51SAUE4bZJOubrL0pJuCUs5lYMU3o6Ry8Kya2
+VFr0+p/7UGqCHjtHNO0TjIO0hA/KEGyeZ5xoW6/1dOZImoyT2AkSXg2iqCoQQ9IE
+Gz2JA/0cBFrJ81YdkohtZS8f+qZ2b1QPXGM6ohCgA+wtWbqq/Y65AgMu74LVs5cU
+vGGrugZJKhzmOMfJlUVVtlbCR2DpdR40vLu+6hywg18sGkalRRUlNzXMk8/9EwGB
+tfNTTvsmhs5lKtcxS+zTXKNpWZyVBUtUHTCN872J6Z6/Euhe47QzUFJFTFVERSAo
+UmVsZWFzZSBNYW5hZ2VyKSA8Y29udGFjdEBwcmVsdWRlLWlkcy5vcmc+iGIEExEC
+ACIFAk/R25ECGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEDXowMOzZRiY
+qm8AoK7pz7qvV9b1YVh4sOEzUEx2tTjbAJ906X+AN1qF48WPyFE+JmkyqKLm0LkB
+DQRP0duREAQA5REDx5bx6asyYTXGL6VjSDa9DwIhDwXvmyE6zO/I8i8EGrdFb6zn
+XGzT06lVnMoH94OK8aOwgzDOBCtNSfc7+XyAj69VV08sEnr3U7BSN6TKts6SFVaI
+5j6dnnquDVmiF0S8KFODHQyxE0NKP9y4uR7EtX9swZv9gVPvVlyBxQ8AAwUD/A2I
+d5YDihKz62FBEGVIgz3ZN+I1ZXtDhfoVVRXa89DTDsXXCSd3IUyXxGDM1mYwj7Dm
+KpG2Z5ZrULovoQsmdTkdfB3g+oDh3HoKjPiSEAM7tiDo37W5iYkBBiUdw9xCLG2X
+POuGRKfP2cpgp8ACvHQkcrRJwdUwK0B+7Oih8vbFiEkEGBECAAkFAk/R25ECGwwA
+CgkQNejAw7NlGJjDsgCg93tK1pZ0wvaGvpzTnazp4aDGFQcAn1LaS086WZRZgDRZ
+RvZrLThRCzMo
+=3ML2
+-----END PGP PUBLIC KEY BLOCK-----

prelude-lml.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=Log analyzer sensor with IDMEF output
+After=remode_fs.target prelude-manager.service
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ExecStart=/usr/bin/prelude-lml
+
+[Install]
+WantedBy=multi-user.target

prelude-lml.spec

@@ -0,0 +1,123 @@
+#
+# spec file for package prelude-lml
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           prelude-lml
+Version:        5.2.0
+Release:        0
+Summary:        The prelude log analyzer
+# Prelude is GPL-2.0+
+# libmissing is LGPL-2.1+
+# libmissing/test is GPL-3.0+
+License:        GPL-2.0-or-later AND LGPL-2.1-only AND GPL-3.0-or-later
+Group:          System/Daemons
+URL:            https://www.prelude-siem.org
+Source0:        https://www.prelude-siem.org/pkg/src/%{version}/%{name}-%{version}.tar.gz
+Source1:        %{name}.service
+Source2:        %{name}-tmpfiles.conf
+Source3:        https://www.prelude-siem.org/pkg/src/%{version}/%{name}-%{version}.tar.gz.sig
+Source4:        https://www.prelude-siem.org/attachments/download/233/RPM-GPG-KEY-Prelude-IDS#/%{name}.keyring
+# Add default syslog format to work out of the box
+Patch0:         %{name}-conf_rsyslog.patch
+# Fix make check
+Patch1:         %{name}-fix_check.patch
+# Fix etc files permissions
+Patch2:         %{name}-fix_etc_perms.patch
+BuildRequires:  libprelude-devel >= 5.2.0
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(gnutls) >= 1.0.17
+BuildRequires:  pkgconfig(icu-io) >= 3.0
+BuildRequires:  pkgconfig(libpcre) >= 4.1
+BuildRequires:  pkgconfig(systemd)
+%{?systemd_ordering}
+
+%description
+Prelude-LML is a log analyser that allows Prelude to collect and
+analyze information from all kind of applications emitting logs or
+syslog messages in order to detect suspicious activities and transform
+them into Prelude-IDMEF alerts. Prelude-LML handles events generated
+by a large set of applications
+
+%package devel
+Summary:        Header files and libraries for prelude-lml development
+Group:          Development/Libraries/C and C++
+Requires:       %{name} = %{version}-%{release}
+Requires:       libprelude-devel >= 5.2.0
+
+%description devel
+Libraries, include files, etc you can use to develop custom
+Prelude LML plugins.
+
+%prep
+%autosetup -p0
+
+%build
+%configure
+%make_build
+
+%install
+mkdir -p %{buildroot}/%{_sysconfdir}/%{name}/ruleset/
+mkdir -p %{buildroot}/%{_sbindir}
+%make_install
+rm -f %{buildroot}/%{_libdir}/%{name}/debug.la
+rm -f %{buildroot}/%{_libdir}/%{name}/pcre.la
+install -d -m 0755 %{buildroot}/%{_tmpfilesdir}
+install -m 0644 %{SOURCE2} %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+mkdir -p %{buildroot}/%{_var}/lib/%{name}
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
+rm -rf %{buildroot}/%{_localstatedir}/run/%{name}
+install -D -m 444 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
+
+%pre
+%service_add_pre %{name}.service
+
+%post
+/sbin/ldconfig
+%{_bindir}/systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf
+%service_add_post %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+/sbin/ldconfig
+%service_del_postun %{name}.service
+
+%files
+%license COPYING
+%doc NEWS HACKING.README README
+%attr(0770,-,-) %dir %{_sysconfdir}/%{name}/
+%config(noreplace) %attr(0640,-,-) %{_sysconfdir}/%{name}/plugins.rules
+%config(noreplace) %attr(0640,-,-) %{_sysconfdir}/%{name}/%{name}.conf
+%attr(0770,-,-) %dir %{_sysconfdir}/%{name}/ruleset/
+%{_bindir}/%{name}
+%dir %{_libdir}/%{name}/
+%{_libdir}/%{name}/debug.so
+%{_libdir}/%{name}/pcre.so
+%{_sbindir}/rc%{name}
+%dir %{_tmpfilesdir}
+%{_tmpfilesdir}/%{name}.conf
+%{_unitdir}/%{name}.service
+%dir %{_var}/lib/%{name}
+%ghost /run/%{name}
+
+%files devel
+%license COPYING
+%dir %{_includedir}/%{name}/
+%{_includedir}/%{name}/%{name}.h
+
+%changelog