msheiny/riemann.config

## riemann.config
; Listen only on 5555 for TCP logs. Riemann docs strongly suggest forcing TCP over UDP.
; `ws-server` will need to be explicitly enabled if using riemann-dash.
(let [host "0.0.0.0"]
  (tcp-server {:host host :port 5555}))
; Disable internal event production
(instrumentation {:enabled? false})

(logging/init {:file "/var/log/riemann/riemann.log"})

; Expire old events from the index every 5 seconds.
(periodically-expire 5)

; Import custom functions, e.g. for Slack alerts
(include "myconfigs/")
(require '[myconfigs.ssh :as s])


(let [index (index)]
  ; Inbound events will be passed to these streams:
  (streams
    (default :ttl 60
      ; Index all events immediately
      index
      s/ogstream
    )
  )
)

## ssh.clj
(ns myconfigs.ssh
     "SSH filtering and ratelimiting operations"
     (:require [riemann.config :refer :all]
               [riemann.streams :refer :all]
               [riemann.test :refer :all]
               ))

(defn pubkeycheck
      [pubkey]
      (some #(= pubkey %)
           '("ac:eb:3d")))


(def sshtrim
          (by :username
              (tag "before")
              (when-not (pubkeycheck :rsa_pub)
                (by :host
                  (rollup 1 2800
                      (io ((email  "sysadmin@example.com")))
                      ;(delete-from-index)
                            )))
                  (tag "sendout")
          )
)

(def ogstream
      (sdo
        (tag "ohboy")
        (tap :sshalert )
        (where (and (tagged "ssh")
                (tagged "slack_alert"))
                ;(sshtrim index)
        )
      )
)


(tests
  (deftest ssh-test
    (let [result (inject! [myconfigs.ssh/ogstream]
                      [{:host "ssh_server"
                        :tags '("ssh" "slack_alert")
                        :rsa_pub "ac:eb:3d"
                        :username "manuel"}])]
      (is (= (:sshalert result) [{}]))
    )
  )
)
	; Listen only on 5555 for TCP logs. Riemann docs strongly suggest forcing TCP over UDP.
	; `ws-server` will need to be explicitly enabled if using riemann-dash.
	(let [host "0.0.0.0"]
	(tcp-server {:host host :port 5555}))
	; Disable internal event production
	(instrumentation {:enabled? false})

	(logging/init {:file "/var/log/riemann/riemann.log"})

	; Expire old events from the index every 5 seconds.
	(periodically-expire 5)

	; Import custom functions, e.g. for Slack alerts
	(include "myconfigs/")
	(require '[myconfigs.ssh :as s])


	(let [index (index)]
	; Inbound events will be passed to these streams:
	(streams
	(default :ttl 60
	; Index all events immediately
	index
	s/ogstream
	)
	)
	)
	(ns myconfigs.ssh
	"SSH filtering and ratelimiting operations"
	(:require [riemann.config :refer :all]
	[riemann.streams :refer :all]
	[riemann.test :refer :all]
	))

	(defn pubkeycheck
	[pubkey]
	(some #(= pubkey %)
	'("ac:eb:3d")))


	(def sshtrim
	(by :username
	(tag "before")
	(when-not (pubkeycheck :rsa_pub)
	(by :host
	(rollup 1 2800
	(io ((email "sysadmin@example.com")))
	;(delete-from-index)
	)))
	(tag "sendout")
	)
	)

	(def ogstream
	(sdo
	(tag "ohboy")
	(tap :sshalert )
	(where (and (tagged "ssh")
	(tagged "slack_alert"))
	;(sshtrim index)
	)
	)
	)


	(tests
	(deftest ssh-test
	(let [result (inject! [myconfigs.ssh/ogstream]
	[{:host "ssh_server"
	:tags '("ssh" "slack_alert")
	:rsa_pub "ac:eb:3d"
	:username "manuel"}])]
	(is (= (:sshalert result) [{}]))
	)
	)
	)