journalwatch: ignore failed SSH attempts... there are just too many...
authorRalf Jung <post@ralfj.de>
Sun, 15 Apr 2018 13:35:42 +0000 (15:35 +0200)
committerRalf Jung <post@ralfj.de>
Sun, 15 Apr 2018 13:35:42 +0000 (15:35 +0200)
roles/journalwatch/files/config [moved from roles/journalwatch/templates/config with 85% similarity]
roles/journalwatch/files/patterns [moved from roles/journalwatch/templates/patterns with 93% similarity]
roles/journalwatch/tasks/journalwatch.yml

similarity index 85%
rename from roles/journalwatch/templates/config
rename to roles/journalwatch/files/config
index 8da85b8..468a7b2 100644 (file)
@@ -11,5 +11,5 @@
 priority=5
 mail_from=root
 mail_to=root
-mail_subject={hostname}: {count} system events
+mail_subject={hostname}: {count} system events (journalwatch)
 mail_binary=/usr/sbin/sendmail
similarity index 93%
rename from roles/journalwatch/templates/patterns
rename to roles/journalwatch/files/patterns
index 8b5d7d2..ef042a2 100644 (file)
@@ -59,6 +59,8 @@ warning: non-SMTP command from \w+\[[\da-fA-F.:]+\]: .*
 SYSLOG_IDENTIFIER = sshd
 error: Received disconnect from [\da-fA-F.:]+ port \d+:\d+: .*
 error: maximum authentication attempts exceeded for invalid user \w+ from [\da-fA-F.:]+ port \d+ ssh2( \[preauth\])?
+pam_unix\(sshd:auth\): check pass; user unknown
+pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[\da-fA-F.:]+(  user=root)?
 
 _SYSTEMD_UNIT = bind9.service
 client [\da-fA-F.:]+#\d+ \([\w.-]+\): (zone transfer '[\w.-]+/AXFR/IN' denied|message parsing failed: (bad compression pointer|bad label type))
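Review bot: The two added sshd patterns drop every matching pam_unix failed-login message from the journalwatch mail regardless of volume, so a sustained password-guessing run against root no longer reaches the operator through this channel. The `(  user=root)?` tail keeps failures for other existing accounts visible only if journalwatch matches patterns against the whole message. The optional `( \[preauth\])?` suffix on the line above suggests it does, but this is worth confirming, because under prefix matching the second pattern would hide failures for every account. I would add a comment above the two lines recording the intent, for example `# brute-force noise: unknown users and root only; failures for real accounts must still be reported` (assuming the patterns file accepts `#` comments). It is also worth confirming that root password login over SSH is disabled or rate-limited elsewhere in the playbook, which this diff does not show.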
index c9a5375..74e8f68 100644 (file)
@@ -8,8 +8,8 @@
 - name: create journalwatch config dir
   file: path=/root/.config/journalwatch state=directory
 - name: install journalwatch config files
-  template:
-    src: templates/{{item}}
+  copy:
+    src: files/{{item}}
     dest: /root/.config/journalwatch/{{item}}
   loop:
   - config
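Review bot: The new `copy:` task (`src: files/{{item}}`) sets no `owner`, `group` or `mode`, so the installed files get whatever the default umask yields on the target. Because `patterns` decides which security events are withheld from the report mail, I would pin the permissions by adding `owner: root`, `group: root` and `mode: "0600"` under `copy:`. The task's `loop:` list presumably continues past the end of the hunk.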