Log Agent
Package name: intrudect-logagent
Log Agent monitors specified log files for user-defined regular expressions. If a line's content matches a regular expression, an alert is sent to the central web UI. The monitored log files may include system logs, application logs, etc.
Configuration
The initial example (not default) configuration for Log Agent can be created in the web UI under Agents > Add new syslog agent. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-logagent/etc/config.json. Once in place, Log Agent will request an updated configuration from the web UI every minute.
Hostname
If the hostname is not specified, the machine's own hostname is used by default. If needed, this value can be overridden; for example, if the machine's name is www, it can be set to www.example.com.
Logfiles
Multiple log file entries can be added to Log Agent. For each log file, Filename must be specified to define the monitored file. The Datetime field sets which portion of the log text is excluded from the message displayed in the web UI; it is advisable to exclude the timestamp at the beginning of each line.
The Conditions value allows you to add multiple conditions. The Message and Level values set the general title of the alert and its severity level. Additionally, RegexMatch must be specified; it defines the string to search for, in regex format.
Log files are not limited to syslog files; they can be application log files, debug files, web server error logs (though don't try it on a public server), etc.
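As an added illustration, not the agent's own code (its config.json schema and the transport to the web UI are not shown on this page), the following Python models how one Logfiles entry is applied: the Datetime pattern strips the timestamp from the text displayed for an alert, each entry under Conditions has its RegexMatch searched against the raw line, and a match yields an alert carrying the Message and Level. The JSON nesting, the field names used as dictionary keys, and the auth.log sample lines are assumptions and constructed data.

```python
import re

# Assumed layout built from the field names the docs list (Hostname, Logfiles,
# Filename, Datetime, Conditions, Message, Level, RegexMatch). The real
# config.json is whatever the web UI exports; this nesting is an illustration.
CONFIG = {
    "Hostname": "www.example.com",
    "Logfiles": [
        {
            "Filename": "/var/log/auth.log",
            # Regex for the syslog timestamp prefix to drop from the displayed message
            "Datetime": r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ",
            "Conditions": [
                {
                    "Message": "PAM authentication failure",
                    "Level": "warning",
                    "RegexMatch": r"pam_unix\(.*\): authentication failure",
                },
                {
                    "Message": "sudo command executed",
                    "Level": "info",
                    "RegexMatch": r"sudo: .*COMMAND=",
                },
            ],
        }
    ],
}

# Constructed sample lines in Debian auth.log format (not captured from a real host).
SAMPLE_LINES = [
    "Jan 10 12:34:56 www sshd[1234]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice",
    "Jan 10 12:35:01 www CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Jan 10 12:36:12 www sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Jan 10 12:37:44 www sshd[1250]: Accepted publickey for alice from 192.0.2.11 port 50022 ssh2",
]


def compile_logfile(entry):
    """Pre-compile the Datetime and RegexMatch patterns of one Logfiles entry.

    Compiling once up front surfaces an invalid user-supplied regex at startup
    (re.error) instead of on every line.
    """
    datetime_re = re.compile(entry["Datetime"]) if entry.get("Datetime") else None
    conditions = [
        (re.compile(c["RegexMatch"]), c["Message"], c["Level"]) for c in entry["Conditions"]
    ]
    return datetime_re, conditions


def scan_lines(entry, lines, hostname):
    """Return the alerts a log agent would raise for `lines` under one Logfiles entry.

    Each alert mirrors the fields the docs describe. A line matching several
    conditions produces one alert per condition, in configuration order.
    """
    datetime_re, conditions = compile_logfile(entry)
    alerts = []
    for line in lines:
        # Strip the timestamp prefix so the message shown in the web UI starts at the payload
        text = datetime_re.sub("", line, count=1) if datetime_re else line
        for pattern, title, level in conditions:
            if pattern.search(line):
                alerts.append({
                    "hostname": hostname,
                    "file": entry["Filename"],
                    "message": title,
                    "level": level,
                    "text": text,
                })
    return alerts


def scan_config(config, lines_by_file):
    """Apply every Logfiles entry in config to the lines read for its Filename."""
    alerts = []
    for entry in config["Logfiles"]:
        lines = lines_by_file.get(entry["Filename"], [])
        alerts.extend(scan_lines(entry, lines, config["Hostname"]))
    return alerts


if __name__ == "__main__":
    for alert in scan_config(CONFIG, {"/var/log/auth.log": SAMPLE_LINES}):
        print(f"[{alert['level']}] {alert['hostname']}:{alert['file']} "
              f"{alert['message']}: {alert['text']}")
```

Note that the Datetime pattern is applied only to the displayed text, while RegexMatch is searched against the full raw line, so a condition can still key on the timestamp if it needs to. Compiling the patterns at load time is also the point at which a bad regex in a freshly downloaded configuration should be rejected, before the agent starts tailing files.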
Example
Define an alert for a failed login. On Debian-based systems, authentication information is logged to /var/log/auth.log.
A line containing PAM authentication failure info: