Add epylog role to log01.

roles/epylog/files/merged/modules.d/common_unparsed.conf

@@ -0,0 +1,14 @@
+[module]
+desc = Common Unparsed Similar Strings Module
+exec = /usr/share/epylog/modules/common_unparsed_mod.py
+files = /var/log/merged/messages.log[.#.gz], /var/log/merged/secure.log[.#.gz]
+enabled = no
+internal = yes
+outhtml = yes
+priority = 10
+
+
+[conf]
+# how similar the strings need to be 0-100 - 0 being not at all (bad idea) 100 being almost exactly.
+match_percentage = 95
+debug_dump = 0

roles/epylog/files/merged/modules.d/kojiload.conf

@@ -0,0 +1,10 @@
+[module]
+desc = KojiLoad summary
+exec = /usr/share/epylog/modules/kojiload_mod.py
+files = /var/log/merged/messages.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 7
+
+[conf]

roles/epylog/files/merged/modules.d/logins.conf

@@ -0,0 +1,50 @@
+[module]
+desc = Logins
+exec = /usr/share/epylog/modules/logins_mod.py
+files = /var/log/merged/messages.log[.#.gz], /var/log/merged/secure.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 0
+
+[conf]
+##
+# Only enable things useful for your configuration to speed things
+# up. The more stuff you enable, the slower matching will be.
+#
+enable_pam = 1
+enable_xinetd = 1
+enable_sshd = 1
+enable_uw_imap = 0
+enable_dovecot = 0
+enable_courier = 0
+enable_imp = 0
+enable_proftpd = 0
+##
+# This is a fun setting. You can list domains that are "safe" here.
+# E.g. if your org's domain is example.com and you generally don't 
+# expect logins from hosts in example.com domain to be suspicious, you
+# can add "example.com$" as a safe domain. This way anyone logging in from
+# a remote host not matching *.example.com will be flagged in red and the
+# full hostname of the connecting machine will be printed in the report.
+# List multiple values separated by comma.
+# E.g.: safe_domains = example.com$, foo.edu$
+# The default is .*, meaning all domains are considered safe. To turn
+# this off specify something like:
+# safe_domains = !.*
+safe_domains = .*
+##
+# If you have too many systems, wide-scale probing may turn ugly. This
+# will collapse the reports.
+systems_collapse = 10
+
+
+# comma/space separated list of users to ignore - unknown is the internal "no user given"
+ignore_users = unknown 
+# path to where we keep the logins db
+loginsdb_path = /var/lib/epylog/logins_db.sqlite
+# clean up entries in the db which are more than this many days old
+remove_older_than = 14
+# time fuzz - default time (in minutes) which is valid fuzzy match for a login to not be listed
+time_fuzz = 60
+

roles/epylog/files/merged/modules.d/mail.conf

@@ -0,0 +1,20 @@
+[module]
+desc = Mail Report
+exec = /usr/share/epylog/modules/mail_mod.py
+files = /var/log/merged/mail.log[.#.gz]
+enabled = no
+internal = yes
+outhtml = yes
+priority = 5
+
+[conf]
+##
+# Enable sendmail, postfix, or both
+#
+enable_sendmail = 1
+enable_postfix = 1
+enable_qmail = 0
+##
+# Report at most this many "top things"
+#
+top_report_limit = 5

roles/epylog/files/merged/modules.d/notices.conf

@@ -0,0 +1,26 @@
+[module]
+desc = Notices
+exec = /usr/share/epylog/modules/notices_mod.py
+files = /var/log/merged/messages.log[.#.gz], /var/log/merged/secure.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 7
+
+[conf]
+##
+# Where is your notice_dist.xml file?
+#
+notice_dist = /etc/epylog/merged/notice_dist.xml
+##
+# Add your own notices into notice_local.xml, not into notice_dist.xml!
+# This way you don't risk missing future revisions to notice_dist.xml
+#
+notice_local = /etc/epylog/merged/notice_local.xml
+##
+# You can list the ids of <notice> members from notice_dist.xml here 
+# namely, or you can use ALL to enable all of them. There is no need
+# to add members from notice_local.xml here -- they will be enabled
+# automatically.
+#
+enable = ALL

roles/epylog/files/merged/modules.d/packets.conf

@@ -0,0 +1,33 @@
+[module]
+desc = Packet Filter
+exec = /usr/share/epylog/modules/packets_mod.py
+files = /var/log/merged/messages.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 1
+
+[conf]
+##
+# Where to look for the trojans list.
+#
+trojan_list = /etc/epylog/merged/trojans.list
+##
+# If a remote host hits this many systems, then don't list them namely,
+# but collapse them into a nice report, e.g.: [50 hosts]
+#
+systems_collapse = 5
+##
+# Useful for massive portscans. Don't list all the ports namely, but
+# present them in a collapsed view. E.g.: [50 ports]
+ports_collapse = 5
+##
+# Enable iptables, ipchains, ipfilter, or all three.
+#
+enable_iptables = 1
+enable_ipchains = 1
+enable_ipfilter = 0
+##
+# Sort by any of the following: packets, source, system, port
+#
+sortby=port

roles/epylog/files/merged/modules.d/rsyncd.conf

@@ -0,0 +1,16 @@
+[module]
+desc = Rsyncd
+exec = /usr/share/epylog/modules/rsyncd_mod.py
+files = /var/log/merged/messages.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 7
+
+[conf]
+##
+# Report this many "top ranking hosts"
+#
+report_top = 10
+ignore_hosts = log02.vpn.fedoraproject.org log02.phx2.fedoraproject.org proxy3.vpn.fedoraproject.org proxy04.vpn.fedoraproject.org proxy6.vpn.fedoraproject.org  proxy01.phx2.fedoraproject.org proxy07.vpn.fedoraproject.org proxy02.vpn.fedoraproject.org proxy03.vpn.fedoraproject.org proxy06.vpn.fedoraproject.org collab04.fedoraproject.org hosted04.fedoraproject.org admin.fedoraproject.org proxy01.stg.phx2.fedoraproject.org proxy08.vpn.fedoraproject.org proxy09.vpn.fedoraproject.org
+

roles/epylog/files/merged/modules.d/selinux.conf

@@ -0,0 +1,11 @@
+[module]
+desc = SELinux Report
+exec = /usr/share/epylog/modules/selinux_mod.py
+files = /var/log/merged/messages.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 5
+
+[conf]
+enable_selinux = 1

roles/epylog/files/merged/modules.d/spamd.conf

@@ -0,0 +1,28 @@
+[module]
+desc = Spamassassin
+exec = /usr/share/epylog/modules/spamd_mod.py
+files = /var/log/merged/mail.log[.#.gz]
+enabled = no
+internal = yes
+outhtml = yes
+priority = 7
+
+[conf]
+##
+# Report this many "top ranking users"
+#
+report_top = 10
+##
+# Consider this the spam threshold when reporting the scores.
+# Anything above this will be flagged as spam. The last column shows
+# the score and then non-spam/spam in the parenthesis. E.g.:
+# -1.3 (10/3) -- the mean score is -1.3, 10 messages under spam_threshold,
+#                and 3 messages over it.
+#
+spam_threshold = 5
+##
+# Rank the top users according to this parameter. Valid entries are:
+# "most spammed" -- sorts by users with the topmost score
+# "most messages" -- sorts by users who received most messages
+#
+sort_by = most spammed

roles/epylog/files/merged/modules.d/sudo.conf

@@ -0,0 +1,11 @@
+[module]
+desc = Sudo Report
+exec = /usr/share/epylog/modules/sudo_mod.py
+files = /var/log/merged/secure.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 5
+
+[conf]
+enable_sudo = 1

roles/epylog/files/merged/modules.d/weeder.conf

@@ -0,0 +1,30 @@
+[module]
+desc = Weedeater
+exec = /usr/share/epylog/modules/weeder_mod.py
+files = /var/log/merged/messages.log[.#.gz], /var/log/merged/secure.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 9
+
+[conf]
+##
+# Where to look for a weed_dist.cf file.
+#
+weed_dist = /etc/epylog/merged/weed_dist.cf
+##
+# Where to look for a weed_local.cf file
+#
+weed_local = /etc/epylog/merged/weed_local.cf
+##
+# This is where it gets interesting.
+# If you look into weed_dist.cf, you will notice that the entries
+# are listed by section titles. List here only the sections that are
+# relevant to your setup to speed things up. The more sections you
+# enable, the slower matching will go, as it has to try more
+# regexes. Note that [ADD] and [REMOVE] sections in weed_local are
+# special, any other sections in that file will be ignored.
+#
+# You can use 'ALL' to enable all sections.
+#
+enable = ALL