fido.conf - Man Page
Synopsis
fido.conf
The default file /etc/fido/fido.conf You can override the default file with the FIDORC ENV variable or the -f /path/file command line option.
Description
fido.conf is the configuration file for fido
. The file consists of two parts, GLOBAL settings and FILE settings. GLOBAL settings are best defined at the top of the file in key = value format. FILE settings are distinguished with a filename followed by brackets {}. Key = value pairs inside the brackets apply only to that file. If a value isn't set at the FILE level, then fido
applies a GLOBAL setting. Here's an example:
# GLOBAL SETTINGS log = syslog pid = /var/run/fido.pid
# FILE SETTINGS /var/log/messages { log = /var/log/fido.log }
In this example, we've set 'log' twice. Once at the GLOBAL level and once at the FILE level. The FILE level takes precedent. In this case all logged activity for /var/log/messages monitoring will go to /var/log/fido.log If we log activity for other files that don't have a 'log' specified, then it will go to syslog.
Here is a list of available settings:
log
Use this setting to direct logging output. Its values can be either 'syslog' or '/path/to/file' This option is available at both the GLOBAL and FILE levels.
log = syslog log = /var/log/fido.log
pid
Use this setting to assign a file to hold fido
's process ID (pid). This option is available only at the GLOBAL level. The default setting is /var/run/fido.pid
pid = /home/jeff/var/fido.pid
daemon
Use this option to run fido
in the background as a daemon. By default, fido
will run as a daemon. This setting is available only at the global level. It takes one of two values, true or false. It runs in the foreground when the setting is 'false'
rulesdir
fido monitors a log file and searches for pattern matches. These patterns are regular expressions that can be stored in a rules file. This directive tells fido
where to look for its rules. By default, it will look in /etc/fido/rules You can override the default with this setting. This option is available ONLY at the GLOBAL level.
rulesdir = /usr/local/etc/fido/rules
rules
This is a FILES level directive that tells fido
where to find its pattern matches. It can take one of three different values, a regex, the 'modified' directive or a file name. If the value is a regex, then fido
will use that rule as it parses the file it's watching. If the value is the 'modified' directive, then it will trigger an alert each time the file is modified. If the value is a file name, then it will read $rulesdir
/$rules for all it's patterns. The benefit of using a file is that you can set many patterns, one on each line. fido
will try each line as it looks for a match.
rules = modified rules = .*OutOfMemory.* rules = exceeds N seconds⎪minutes⎪hours⎪days rules = haha.conf
In the first example, fido
will trigger an action if the modification date of the file it's monitoring is changed. In the second example, it will tail the file it's monitoring and trigger an action each time it matches the '.*OutOfMemory.*' pattern. In the third example, it will triggern an action if the file's timestamp exceeds a designated time. If the file we're monitoring is a directory, then an alert will be triggered if any file in that directory exceeds the designated time. In the final example, it will trigger an action each time it matches a pattern inside $rulesdir
/haha.conf
Beginning with version 1.1.4, you can use parentheses to capture text and assign to variables $1
, $2
, etc. This is useful if you'd like to send matched text to your program, for example:
/var/log/httpd/joedog-access_log { rules = ^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*GoogleBot action = /home/jeff/bin/googler $1 }
In the file block above, the IP address is captured within parentheses and passed to the action as variable $1
action
This is a FILES level directive that tells fido
what to do in the event of a pattern match. Generally, you'll want to specify a script although you can specify a program with parameters:
action = echo "action alert!!!!" ⎪ /usr/sbin/sendmail -v jeff@joedog.org action = /home/jeff/bin/haha action = /usr/local/bin/myscript $1 $2
Beginning with version 1.1.4, fido supports regex back references. Any text you capture with a regex match within a set of parentheses can be sent to the action program in $1 $2 $3
etc.
throttle
This is a FILES level directive which tells fido
to delay place a delay between actions. This is useful to avoid flooding inboxes with emails or node managers with SMTP traps. The trottle format is 'throttle = N denomination' where 'N' is a number and 'denomination' is either 'seconds', 'minutes', 'hours' or 'days'.
throttle = 15 minutes throttle = 1 hour throttle = 1 day(s)
exclude
This is a FILES level directive that only works when you monitor directories with the exceeds directive. The format is 'exclude = [pattern]' where pattern is a regular expression. Consider this:
/export {
rule = exceeds 7 days
exclude = ^\.⎪CVS⎪Makefile }
Given this file block, fido
will execute an action if any file inside the directory /export is older than 7 days but does NOT start with '.' nor is it named CVS or Makefile.
recurse
This is a FILES level directive that that only works when you monitor directories. If recurse is true, then fido will search all subdirectories below the path. If recurse is false then fido will only examine files inside the top-level directory.
/export {
rule = exceeds 1 month
recurse = true }
capture
This is a FILES level directive that tells fido
to log the output from the action directive mentioned above. If you're running sendmail -v, then it will log all that verbose output to its selected logging method. Good for debugging it takes one of two values, 'true' or 'false' - if false, it won't log output. The default is false
capture = true capture = false
user
This is a GLOBAL setting in which we specify which user ID fido
will run under. You'll need to select a user that has read permissions to the file it's monitoring and write permissions to the directory in which it's logging. It is preferred that you select the least privileged user possible.
user = jboss
group
This is a GLOBAL setting in which we specify with group ID fido
will run under. Like 'user' we recommend you select the least privileged group possible
group = jboss
Sample File
# # Global values # log = syslog pid = /var/run/fido.pid daemon = true rulesdir = /etc/fido/rules user = root group = daemon
/var/log/httpd/access_log { rules = .*siege-.*tar.gz.* action = /usr/bin/tally log = /var/log/fido.log }
/var/log/maillog { rules = maillog.conf action = /usr/bin/react }
/var/log/haha.log { rules = ^haha.* action = echo "alert!!!!" ⎪ /usr/sbin/sendmail -v jeff@joedog.org capture = true }