fido.conf (5) - Linux Manuals

NAME

fido.conf

SYNOPSIS

fido.conf

The default file /etc/fido/fido.conf You can override the default file with the FIDORC ENV variable or the -f /path/file command line option.

DESCRIPTION

fido.conf is the configuration file for fido. The file consists of two parts, GLOBAL settings and FILE settings. GLOBAL settings are best defined at the top of the file in key = value format. FILE settings are distinguished with a filename followed by brackets {}. Key = value pairs inside the brackets apply only to that file. If a value isn't set at the FILE level, then fido applies a GLOBAL setting. Here's an example:

  # GLOBAL SETTINGS
  log   = syslog
  pid   = /var/run/fido.pid

  # FILE SETTINGS
  /var/log/messages {
    log = /var/log/fido.log
  }

In this example, we've set 'log' twice. Once at the GLOBAL level and once at the FILE level. The FILE level takes precedent. In this case all logged activity for /var/log/messages monitoring will go to /var/log/fido.log If we log activity for other files that don't have a 'log' specified, then it will go to syslog.

Here is a list of available settings:

log

Use this setting to direct logging output. Its values can be either 'syslog' or '/path/to/file' This option is available at both the GLOBAL and FILE levels.

  log = syslog
  log = /var/log/fido.log

pid

Use this setting to assign a file to hold fido's process ID (pid). This option is available only at the GLOBAL level. The default setting is /var/run/fido.pid

  pid = /home/jeff/var/fido.pid

daemon

Use this option to run fido in the background as a daemon. By default, fido will run as a daemon. This setting is available only at the global level. It takes one of two values, true or false. It runs in the foreground when the setting is 'false'

rulesdir

fido monitors a log file and searches for pattern matches. These patterns are regular expressions that can be stored in a rules file. This directive tells fido where to look for its rules. By default, it will look in /etc/fido/rules You can override the default with this setting. This option is available ONLY at the GLOBAL level.

  rulesdir = /usr/local/etc/fido/rules

rules

This is a FILES level directive that tells fido where to find its pattern matches. It can take one of three different values, a regex, the 'modified' directive or a file name. If the value is a regex, then fido will use that rule as it parses the file it's watching. If the value is the 'modified' directive, then it will trigger an alert each time the file is modified. If the value is a file name, then it will read $rulesdir/$rules for all it's patterns. The benefit of using a file is that you can set many patterns, one on each line. fido will try each line as it looks for a match.

  rules = modified
  rules = .*OutOfMemory.*
  rules = exceeds N seconds|minutes|hours|days
  rules = haha.conf

In the first example, fido will trigger an action if the modification date of the file it's monitoring is changed. In the second example, it will tail the file it's monitoring and trigger an action each time it matches the '.*OutOfMemory.*' pattern. In the third example, it will triggern an action if the file's timestamp exceeds a designated time. If the file we're monitoring is a directory, then an alert will be triggered if any file in that directory exceeds the designated time. In the final example, it will trigger an action each time it matches a pattern inside $rulesdir/haha.conf

action

This is a FILES level directive that tells fido what to do in the event of a pattern match. Generally, you'll want to specify a script although you can specify a program with parameters:

  action = echo "action alert!!!!" | /usr/sbin/sendmail -v jeff [at] joedog.org
  action = /home/jeff/bin/haha

throttle

This is a FILES level directive which tells fido to delay place a delay between actions. This is useful to avoid flooding inboxes with emails or node managers with SMTP traps. The trottle format is 'throttle = N denomination' where 'N' is a number and 'denomination' is either 'seconds', 'minutes', 'hours' or 'days'.

  throttle = 15 minutes
  throttle = 1 hour
  throttle = 1 day(s)

exclude

This is a FILES level directive that only works when you monitor directories with the exceeds directive. The format is 'exclude = [pattern]' where pattern is a regular expression. Consider this:

/export {
  rule    exceeds 7 days
  exclude ^\.|CVS|Makefile }

Given this file block, fido will execute an action if any file inside the directory /export is older than 7 days but does NOT start with '.' nor is it named CVS or Makefile.

capture

This is a FILES level directive that tells fido to log the output from the action directive mentioned above. If you're running sendmail -v, then it will log all that verbose output to its selected logging method. Good for debugging it takes one of two values, 'true' or 'false' - if false, it won't log output. The default is false

  capture = true
  capture = false

user

This is a GLOBAL setting in which we specify which user ID fido will run under. You'll need to select a user that has read permissions to the file it's monitoring and write permissions to the directory in which it's logging. It is preferred that you select the least privileged user possible.

  user = jboss

group

This is a GLOBAL setting in which we specify with group ID fido will run under. Like 'user' we recommend you select the least privileged group possible

  group = jboss

SAMPLE FILE

  #
  # Global values 
  #
  log      = syslog
  pid      = /var/run/fido.pid
  daemon   = true
  rulesdir = /etc/fido/rules
  user     = root
  group    = daemon

  /var/log/httpd/access_log {
    rules  = .*siege-.*tar.gz.*
    action = /usr/bin/tally
    log    = /var/log/fido.log
  }

  /var/log/maillog {
   rules  = maillog.conf
   action = /usr/bin/react
  }

  /var/log/haha.log {
    rules   = ^haha.*
    action  = echo "alert!!!!" | /usr/sbin/sendmail -v jeff [at] joedog.org
    capture = true
  }