fido.conf - Man Page

Synopsis

fido.conf

The default file is /etc/fido/fido.conf. You can override the default file with the FIDORC environment variable or the -f /path/file command line option.

Description

fido.conf is the configuration file for fido. The file consists of two parts, GLOBAL settings and FILE settings. GLOBAL settings are best  defined at the top of the file in key = value format. FILE settings are  distinguished with a filename followed by brackets {}. Key = value pairs  inside the brackets apply only to that file. If a value isn't set at the  FILE level, then fido applies a GLOBAL setting. Here's an example:

  # GLOBAL SETTINGS
  log   = syslog
  pid   = /var/run/fido.pid
  # FILE SETTINGS
  /var/log/messages {
    log = /var/log/fido.log
  }

In this example, we've set 'log' twice: once at the GLOBAL level and once at the FILE level. The FILE level takes precedence. In this case all logged activity for /var/log/messages monitoring will go to /var/log/fido.log. If we log activity for other files that don't have a 'log' specified, then it will go to syslog.
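As an added example (not part of fido or this man page), a small Python parser for the format described above that resolves the settings fido would apply to one monitored file, with FILE-level keys overriding GLOBAL ones. The configuration text is constructed for the example.

```python
import re

# Constructed fido.conf text for this example (not a real deployment).
SAMPLE_CONF = """\
# GLOBAL SETTINGS
log   = syslog
pid   = /var/run/fido.pid
/var/log/messages {
  log   = /var/log/fido.log
}
/var/log/maillog {
  rules  = maillog.conf
  action = /usr/bin/react
}
"""

_KV = re.compile(r"^([A-Za-z_]+)\s*=\s*(.*?)$")

def parse_fido_conf(text):
    """Return (globals, files): GLOBAL key/values and a dict of path -> FILE block.

    A block opens with '<path> {' and closes with a lone '}'; blank and '#' lines
    are skipped. A 'key = value' line is tried first so a value ending in '{'
    (possible in a regex) is not mistaken for a block header.
    """
    global_settings, files, current = {}, {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            target = global_settings if current is None else files[current]
            target[m.group(1)] = m.group(2)
        elif line.endswith("{"):
            if current is not None:
                raise ValueError(f"line {lineno}: nested FILE block")
            current = line[:-1].strip()
            files[current] = {}
        elif line == "}":
            if current is None:
                raise ValueError(f"line {lineno}: '}}' without an open block")
            current = None
        else:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
    if current is not None:
        raise ValueError(f"FILE block for {current} is never closed")
    return global_settings, files

def effective_settings(global_settings, files, path):
    """Settings fido would apply to `path`: FILE keys override GLOBAL keys."""
    return {**global_settings, **files[path]}
```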

Here is a list of available settings:

log

Use this setting to direct logging output. Its values can be either 'syslog' or '/path/to/file'. This option is available at both the GLOBAL and FILE levels.

  log = syslog
  log = /var/log/fido.log

pid

Use this setting to assign a file to hold fido's process ID (pid). This option is available only at the GLOBAL level. The default setting is /var/run/fido.pid.

  pid = /home/jeff/var/fido.pid

daemon

Use this option to run fido in the background as a daemon. By default, fido will run as a daemon. This setting is available only at the GLOBAL level. It takes one of two values, true or false. It runs in the foreground when the setting is 'false'.

rulesdir

fido monitors a log file and searches for pattern matches. These patterns are regular expressions that can be stored in a rules file. This directive tells fido where to look for its rules. By default, it will look in /etc/fido/rules. You can override the default with this setting. This option is available ONLY at the GLOBAL level.

  rulesdir = /usr/local/etc/fido/rules

rules

This is a FILES level directive that tells fido where to find its pattern matches. It can take one of three different values: a regex, the 'modified' directive or a file name. If the value is a regex, then fido will use that rule as it parses the file it's watching. If the value is the 'modified' directive, then it will trigger an alert each time the file is modified. If the value is a file name, then it will read $rulesdir/$rules for all its patterns. The benefit of using a file is that you can set many patterns, one on each line. fido will try each line as it looks for a match.

  rules = modified
  rules = .*OutOfMemory.*
  rules = exceeds N seconds|minutes|hours|days
  rules = haha.conf

In the first example, fido will trigger an action if the modification date of the file it's monitoring is changed. In the second example, it will tail the file it's monitoring and trigger an action each time it matches the '.*OutOfMemory.*' pattern. In the third example, it will trigger an action if the file's timestamp exceeds a designated time. If the file we're monitoring is a directory, then an alert will be triggered if any file in that directory exceeds the designated time. In the final example, it will trigger an action each time it matches a pattern inside $rulesdir/haha.conf.

Beginning with version 1.1.4, you can use parentheses to capture text and assign to  variables $1, $2, etc.  This is useful if you'd like to send matched text to your program,  for example:

  /var/log/httpd/joedog-access_log {
    rules  = ^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*GoogleBot
    action = /home/jeff/bin/googler $1
  }

In the file block above, the IP address is captured within parentheses and passed to the action as variable $1.

action

This is a FILES level directive that tells fido what to do in the event  of a pattern match. Generally, you'll want to specify a script although you  can specify a program with parameters:

  action = echo "action alert!!!!" | /usr/sbin/sendmail -v jeff@joedog.org
  action = /home/jeff/bin/haha
  action = /usr/local/bin/myscript $1 $2

Beginning with version 1.1.4, fido supports regex back references. Any text you capture with a regex match within a set of parentheses can be sent to the action program in $1, $2, $3, etc.
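As an added example (not fido's own code) of the back-reference mechanism described in the 'rules' and 'action' sections: the rule is matched against a log line and $1, $2, ... in the action are replaced with the captured groups. Substitution here is done per argument of an argv list, so a captured value that contains spaces or shell metacharacters stays a single argument; the log line is constructed, and the script path is the man page's hypothetical one. Pipelines such as the sendmail example above need a shell and are outside this block.

```python
import re
import shlex

# Constructed access-log line (TEST-NET address) and the man page's GoogleBot rule/action.
SAMPLE_LINE = '192.0.2.10 - - [03/Dec/2014:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "GoogleBot"'
RULE = r"^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*GoogleBot"
ACTION = "/home/jeff/bin/googler $1"   # hypothetical script, as in the man page

_REF = re.compile(r"\$(\d+)")

def expand_action(action, line, rule):
    """Match `line` against `rule`; on success return the action as an argv list
    with $N replaced by capture group N, or None when the rule does not match.

    The template is split with shlex first and each argument is substituted
    afterwards, so captured text is never re-parsed as shell syntax.
    """
    m = re.search(rule, line)
    if not m:
        return None
    groups = m.groups()

    def repl(ref):
        n = int(ref.group(1))
        if n < 1 or n > len(groups):
            raise ValueError(f"${n} referenced but rule has {len(groups)} group(s)")
        return groups[n - 1] or ""

    return [_REF.sub(repl, arg) for arg in shlex.split(action)]
```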

throttle

This is a FILES level directive which tells fido to place a delay between actions. This is useful to avoid flooding inboxes with emails or node managers with SNMP traps. The throttle format is 'throttle = N denomination' where 'N' is a number and 'denomination' is either 'seconds', 'minutes', 'hours' or 'days'.

  throttle = 15 minutes
  throttle = 1 hour
  throttle = 1 day(s)

exclude

This is a FILES level directive that only works when you monitor directories with the exceeds directive. The format is 'exclude = [pattern]' where pattern is a regular expression. Consider this:

  /export {
    rule    = exceeds 7 days
    exclude = ^\.|CVS|Makefile
  }

Given this file block, fido will execute an action if any file inside the directory /export is older than 7 days but does NOT start with '.' nor is it named CVS or Makefile.

recurse

This is a FILES level directive that only works when you monitor directories. If recurse is true, then fido will search all subdirectories below the path. If recurse is false then fido will only examine files inside the top-level directory.

  /export {
    rule    = exceeds 1 month
    recurse = true
  }
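As an added example (not fido's own code) of the semantics of 'exceeds' together with the 'exclude' and 'recurse' directives above: files whose modification time is older than the rule allows are reported, names matching the exclude regex are skipped, and subdirectories are only descended into when recurse is true. The directory tree is constructed in a temporary directory; only the four units the 'rules' section documents (seconds, minutes, hours, days) are parsed, so 'exceeds 1 month' is rejected.

```python
import os
import re
import tempfile
import time

_UNITS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}

def parse_exceeds(rule):
    """Convert 'exceeds N seconds|minutes|hours|days' (singular accepted) to seconds."""
    m = re.fullmatch(r"exceeds\s+(\d+)\s+(seconds?|minutes?|hours?|days?)", rule.strip())
    if not m:
        raise ValueError(f"not an exceeds rule: {rule!r}")
    return int(m.group(1)) * _UNITS[m.group(2).rstrip("s") + "s"]

def stale_files(directory, rule, exclude=None, recurse=False, now=None):
    """Paths (relative to `directory`) whose mtime is older than the rule allows.

    Names matching the `exclude` regex are skipped, and subdirectories are only
    descended into when recurse=True, mirroring the two directives above.
    """
    limit = parse_exceeds(rule)
    now = time.time() if now is None else now
    skip = re.compile(exclude) if exclude else None
    hits = []
    for root, dirs, names in os.walk(directory):
        if not recurse:
            dirs[:] = []          # prune: examine the top level only
        for name in names:
            if skip and skip.search(name):
                continue
            full = os.path.join(root, name)
            if now - os.stat(full).st_mtime > limit:
                hits.append(os.path.relpath(full, directory))
    return sorted(hits)

def demo():
    """Constructed tree: old and fresh files at two depths plus names to exclude."""
    now = time.time()
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "sub"))
    age_days = {"old.dat": 10, "fresh.dat": 1, "Makefile": 10, ".hidden": 10, "sub/old2.dat": 10}
    for rel, days in age_days.items():
        path = os.path.join(base, rel)
        with open(path, "w"):
            pass
        os.utime(path, (now - days * 86400,) * 2)
    top = stale_files(base, "exceeds 7 days", exclude=r"^\.|CVS|Makefile", now=now)
    deep = stale_files(base, "exceeds 7 days", exclude=r"^\.|CVS|Makefile", recurse=True, now=now)
    return top, deep
```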

capture

This is a FILES level directive that tells fido to log the output from the action directive mentioned above. If you're running sendmail -v, then it will log all that verbose output to its selected logging method. This is good for debugging. It takes one of two values, 'true' or 'false'; if false, it won't log output. The default is false.

  capture = true
  capture = false

user

This is a GLOBAL setting in which we specify which user ID fido will run under.  You'll need to select a user that has read permissions to the file it's monitoring  and write permissions to the directory in which it's logging. It is preferred that you select the least privileged user possible.

  user = jboss

group

This is a GLOBAL setting in which we specify which group ID fido will run under. Like 'user', we recommend you select the least privileged group possible.

  group = jboss

Sample File

  #
  # Global values 
  #
  log      = syslog
  pid      = /var/run/fido.pid
  daemon   = true
  rulesdir = /etc/fido/rules
  user     = root
  group    = daemon
  /var/log/httpd/access_log {
    rules  = .*siege-.*tar.gz.*
    action = /usr/bin/tally
    log    = /var/log/fido.log
  }
  /var/log/maillog {
   rules  = maillog.conf
   action = /usr/bin/react
  }
  /var/log/haha.log {
    rules   = ^haha.*
    action  = echo "alert!!!!" | /usr/sbin/sendmail -v jeff@joedog.org
    capture = true
  }

Referenced By

fido(1).

2014-12-03 perl v5.8.8 User Contributed Perl Documentation