What is this "sort-of fail2ban" I talked about in my last post, you may ask? Simple...

I wanted some sort of syslog aggregation but found the popular software packages way too big and complicated (plus in one certain case: cumbersome to configure and poorly documented). Settled on a central syslogd instead.

Having the central syslog was nice, but "grep" was insufficient for more structured searches, so I wrote a small tool to feed it all into a PostgreSQL DB and a small command line client for querying the DB without having to write a full SQL query every time.

"Hm, when I feed it into the DB I could already extract the interesting parts and have a small and fast index for those?!". Done.

Having that I now can do two things:

1) A single SELECT gets me an accumulated list of bad actor IPs that I can feed into "pf" periodically.

2) A VIEW and another single SELECT get me an RSS feed of things I like to know about.

These two things were not planned at all when I started with the log aggregation, yet turned out to be incredibly handy.
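As an added illustration of the "single SELECT that feeds pf" idea (example SQL for PostgreSQL, not the author's code), this sketches a table for the pre-extracted fields, a few constructed rows, and the query that turns them into a pf table file. Table and column names, the threshold and the allow-list are all assumptions.

```sql
-- Assumed table holding the "interesting parts" extracted at insert time,
-- so the blocklist query never has to scan raw syslog text.
CREATE TABLE auth_failures (
    id        bigserial   PRIMARY KEY,
    logged_at timestamptz NOT NULL,
    host      text        NOT NULL,  -- reporting host
    service   text        NOT NULL,  -- e.g. 'sshd'
    src_ip    inet        NOT NULL   -- offending source address
);
-- Index that makes the aggregation below cheap.
CREATE INDEX auth_failures_src_time ON auth_failures (src_ip, logged_at);

-- Constructed sample rows (TEST-NET addresses, not real actors).
INSERT INTO auth_failures (logged_at, host, service, src_ip) VALUES
  (now() - interval '2 min',  'gw',   'sshd', '203.0.113.7'),
  (now() - interval '3 min',  'gw',   'sshd', '203.0.113.7'),
  (now() - interval '9 min',  'mail', 'smtpd','203.0.113.7'),
  (now() - interval '11 min', 'gw',   'sshd', '203.0.113.7'),
  (now() - interval '40 min', 'gw',   'sshd', '203.0.113.7'),
  (now() - interval '5 min',  'gw',   'sshd', '198.51.100.2'),  -- one-off typo
  (now() - interval '30 hours','gw',  'sshd', '203.0.113.9'),   -- too old
  (now() - interval '1 min',  'gw',   'sshd', '192.0.2.10');    -- own network

-- Bad actors: at least 5 failures in the last 24 hours, across all hosts
-- and services, excluding an allow-list of our own prefixes so a mistyped
-- password on the LAN can never lock us out.
-- One address per line is exactly what `pfctl -t badactors -T replace -f`
-- expects, so the output can be redirected straight into the table file.
SELECT host(src_ip) AS bad_actor
FROM   auth_failures
WHERE  logged_at >= now() - interval '24 hours'
  AND  NOT (src_ip <<= ANY (ARRAY['192.0.2.0/24', '2001:db8::/32']::inet[]))
GROUP  BY src_ip
HAVING count(*) >= 5
ORDER  BY count(*) DESC;
-- With the rows above this yields a single line: 203.0.113.7
```

Run with `psql -At -f` so no header or alignment padding ends up in the pf table file.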

The whole project has only about 900 lines of code (mostly Perl, some SQL, a tiny bit of Go).

Which self-made tools do you have?
