Log Agent
Package name: intrudect-logagent
Log Agent monitors specified log files for user-defined regular expressions. If a line's content matches a regular expression, an alert is sent to the central web UI. The monitored log files may include system logs, application logs, etc. On systems using systemd, journald can be monitored directly as well.
Configuration
The initial example (not default) configuration for Log Agent can be created in the web UI under Agents > Add new syslog agent. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-logagent/etc/config.json. Once in place, Log Agent will request an updated configuration from the web UI every minute.
Hostname
If the hostname is not specified, the machine's own hostname will be used by default. If needed, this value can be overridden. For example, if the machine's name is www, it can be overwritten to www.example.com.
Logfiles
Multiple log file entries can be added to Log Agent. For each log file, the Filename must be specified to define the monitored file.
The Conditions value allows you to add multiple conditions. The Message and Level values allow you to set the general title of the alert and its severity level. Additionally, the RegexMatch must be specified, which defines the string to search for in regex format.
Logfiles don't have to be limited to syslog files, they can be application logfiles, debug files, webserver error files (don't try it on public server though), etc.
Timestamp removal
The timestamp at the beginning of each line should be excluded from the message sent to the web UI, otherwise every line is unique and repeated events are not deduplicated. There are two ways to do this — both work, but only one should be used per log file entry. If both are set, TimestampRegex is used.
TimestampRegex removes the first match of a regular expression from the line. This is the recommended way, as it works regardless of the timestamp format and hostname length. The following pattern removes both classic syslog and RFC3339 timestamps together with the hostname:
"TimestampRegex": "^(?:[A-Z][a-z]{2}\\s+\\d+\\s+\\d{2}:\\d{2}:\\d{2}|\\d{4}-\\d{2}-\\d{2}T\\S+)\\s+\\S+\\s+"
DateTime removes a fixed byte range [start, end] from the line. It only works when the timestamp always has the same length:
Logfile example
Define alert for failed login. In Debian based systems authentication info is logged into /var/log/auth.log
Line containing pam authentication failure info:
2025-02-01T23:06:35.106807+02:00 docker sshd[359956]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=root
"Logfiles": [
{
"Filename": "/var/log/auth.log",
"TimestampRegex": "^(?:[A-Z][a-z]{2}\\s+\\d+\\s+\\d{2}:\\d{2}:\\d{2}|\\d{4}-\\d{2}-\\d{2}T\\S+)\\s+\\S+\\s+",
"Conditions": [
{
"Message": "LOGIN FAILURE",
"Level": 10,
"RegexMatch": "(.*)pam_unix(.*)authentication failure(.*)"
}
]
}
]
Journals
On systems where log files are not written (no rsyslog installed), Log Agent can read the systemd journal directly through journalctl. Each entry needs a unique Name. Matches filters the journal using journalctl match expressions (FIELD=VALUE, + acts as OR); an empty list reads the whole journal. Conditions work the same way as for log files.
Journal lines are given to the regex conditions in the form identifier[pid]: message, for example:
sshd[359956]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=root
There is no timestamp or hostname in journal lines, but the PID changes between processes, so TimestampRegex can be used to remove it for deduplication.
Journal example
The same failed login alert read from the journal instead of /var/log/auth.log: