Diffstat (limited to 'resources/share/logray')
-rw-r--r--resources/share/logray/colorfilters14
-rw-r--r--resources/share/logray/dfilter_buttons26
-rw-r--r--resources/share/logray/profiles/CloudTrail/colorfilters4
-rw-r--r--resources/share/logray/profiles/CloudTrail/preferences18
-rw-r--r--resources/share/logray/profiles/dfilter_buttons3
5 files changed, 58 insertions, 7 deletions
diff --git a/resources/share/logray/colorfilters b/resources/share/logray/colorfilters
index a3c9785f..f2524a9b 100644
--- a/resources/share/logray/colorfilters
+++ b/resources/share/logray/colorfilters
@@ -1,4 +1,12 @@
# This file was created by Logray. Edit with care.
-@Errors@ct.error@[4626,10023,11822][63479,34695,34695]
-@State Modifying Event@ct.readonly == "false"@[61423,50372,39578][0,0,0]
-@Administrative Activity@cloudtrail and not (ct.name ~ "^Describe.*" or ct.name ~ "^List.*" or ct.name ~ "^(Batch|)Get.*")@[61423,50372,39578][0,0,0]
+@Failed Syscall@(evt.failed == True) && !(evt.res == "EAGAIN") && !(evt.res == "EALREADY")@[56797,28270,24158][0,0,0]
+@Falco Notifications@sysdig.event_name == "notification"@[0,0,0][65535,65535,65535]
+@Command Executions@evt.type == "execve"@[38807,57568,17990][0,0,0]
+@New Process Creations@evt.type=="clone" || evt.type=="fork"@[14649,28013,14906][65535,65535,65535]
+@Socket Syscalls@evt.type == "connect" || evt.type == "accept" || evt.type == "socket" || evt.type == "bind"@[20303,26214,51143][65535,65535,65535]
+@Net Writes@(evt.is_io == True) && (evt.category == "net") && (evt.is_io_write == True)@[24672,53713,51657][0,0,0]
+@Net Reads@(evt.is_io == True) && (evt.category == "net")@[29812,64764,62451][0,0,0]
+@File Opens@evt.type == "open" || evt.type == "openat" || evt.type == "openat2"@[31611,24415,13621][65535,65535,65535]
+@File Writes@(evt.is_io == True) && (evt.category == "file") && (evt.is_io_write == True)@[60138,48059,37522][0,0,0]
+@File Reads@(evt.is_io == True) && (evt.category == "file")@[61423,53970,40349][0,0,0]
+@FD Closes@evt.type == "close"@[27499,27499,27499][65535,65535,65535]
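Review bot: The new `New Process Creations` rule only matches `clone` and `fork`, while the `Misc // Process/Thread Creation` button added to `dfilter_buttons` in the same commit also covers `clone3` and `vfork`, so the colouring and the button disagree on what counts as a process creation; aligning the rule is a one-line change, `@New Process Creations@evt.type=="clone" || evt.type=="clone3" || evt.type=="fork" || evt.type=="vfork"@[14649,28013,14906][65535,65535,65535]`. `Net Reads` and `File Reads` carry no `is_io_write` exclusion, so each is really an all-I/O rule that only behaves as a read filter because the matching write rule is listed before it; if colorfilters are evaluated first-match-wins, as in Wireshark, this works but breaks silently when a user reorders rules in the dialog. Adding `&& !(evt.is_io_write == True)` to both makes the rule names true on their own.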
diff --git a/resources/share/logray/dfilter_buttons b/resources/share/logray/dfilter_buttons
index 57b024b5..7ad8ba3b 100644
--- a/resources/share/logray/dfilter_buttons
+++ b/resources/share/logray/dfilter_buttons
@@ -1,5 +1,23 @@
# This file is automatically generated, DO NOT MODIFY.
-"TRUE","S3","ct.shortsrc == \x22s3\x22","S3 events"
-"TRUE","EC2","ct.shortsrc == \x22ec2\x22","EC2 events"
-"TRUE","S3 PutObject","ct.name == \x22PutObject\x22",""
-"TRUE","Writes","ct.readonly == \x22false\x22",""
+"TRUE","Cmd // Interactive Command Executions","evt.type == \x22execve\x22 and evt.dir == \x22<\x22 and (proc.pname == \x22bash\x22 or proc.pname == \x22zsh\x22 or proc.pname == \x22tcsh\x22 or proc.pname == \x22ksh\x22 or proc.pname == \x22fish\x22)","List the command executions (eceve system call)"
+"TRUE","Cmd // All Command Executions","evt.type == \x22execve\x22","List the command executions (eceve system call)"
+"TRUE","File // All File Activity","evt.category == \x22file\x22","Display activity on files"
+"TRUE","File // Opens","evt.type == \x22open\x22 || evt.type == \x22openat\x22 || evt.type == \x22openat2\x22","Display file open events (open, openat...)"
+"TRUE","File // Reads/Writes","evt.category==\x22file\x22 && evt.is_io == True",""
+"TRUE","File // Writes","evt.category==\x22file\x22 && evt.is_io == True && evt.is_io_write == True",""
+"FALSE","File // Opens W","(evt.type == \x22open\x22 || evt.type == \x22openat\x22 || evt.type == \x22openat2\x22) && (evt.is_open_write == True)","Display file open events (open, openat...) where the file has been open with \x22write\x22 flags"
+"TRUE","File // File Deletions","(evt.type == \x22unlink\x22 || evt.type == \x22unlinkat\x22 || evt.type == \x22rmdir\x22) && evt.dir == \x22<\x22",""
+"TRUE","File // Symlink Creation","(evt.type == \x22symlink\x22 || evt.type == \x22symlinkat\x22) && evt.dir == \x22<\x22",""
+"TRUE","Network // All Network Activity","evt.category==\x22net\x22","Display activity on the network"
+"TRUE","Network // Reads/Writes","evt.category==\x22net\x22 && evt.is_io == True",""
+"TRUE","Network // Outbound Connection Requests","evt.type == \x22connect\x22","Show the client-side network connection attempts"
+"TRUE","Network // Inbound Connection Requests","evt.type == \x22accept\x22","Show the server-side network connection reception"
+"TRUE","Network // Port Opens","evt.type == \x22bind\x22","Show the server-side network connection reception"
+"FALSE","I/O","evt.is_io == True","Show all IO system calls (read/write/sendto...)"
+"FALSE","I/O W","(evt.is_io == True) && (evt.is_io_write == True)","Show all of the I/O system calls that write content on file descriptors (write, sendto...)"
+"TRUE","Misc // Falco Events","sysdig.event_name == \x22notification\x22","This finds the Falco notifications that have been embedded into captures. It allows to quickly go to the place where something happened"
+"TRUE","Misc // Process/Thread Creation","evt.type == \x22clone\x22 || evt.type == \x22clone3\x22 || evt.type == \x22fork\x22 || evt.type == \x22vfork\x22","Selects that system calls that failed"
+"TRUE","Misc // Failed System Calls","(evt.failed == True) && !(evt.res == \x22EAGAIN\x22) && !(evt.res == \x22EALREADY\x22)","Selects that system calls that failed"
+"TRUE","Misc // Writes to Log Files","evt.is_io_write == True && evt.dir == \x22<\x22 && (fd.name contains \x22/var/log\x22 || fd.name contains \x22.log\x22 || fd.name contains \x22_log\x22)","Selects that system calls that failed"
+"TRUE","Misc // Writes to System Files","evt.is_io_write == True && evt.dir == \x22<\x22 && (fd.name matches \x22^/bin/\x22 || fd.name matches \x22^/sbin/\x22 || fd.name matches \x22^/boot/\x22 || fd.name matches \x22^/etc/\x22 || fd.name matches \x22^/lib/\x22 || fd.name matches \x22^/usr/bin/\x22 || fd.name matches \x22^/usr/sbin/\x22 || fd.name matches \x22^/usr/share/\x22 || fd.name matches \x22^/usr/lib\x22)","Selects that system calls that failed"
+"TRUE","Misc // Kernel Modules Loading","evt.type==init_module || evt.type==finit_module","Selects that system calls that failed"
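Review bot: Several of the new button descriptions are copy-paste leftovers — `Misc // Process/Thread Creation`, `Misc // Writes to Log Files`, `Misc // Writes to System Files` and `Misc // Kernel Modules Loading` all read `Selects that system calls that failed`, `Network // Port Opens` reuses the accept description, and both `Cmd` buttons say `eceve` for `execve`; these strings are user-facing tooltips and should describe the filter they belong to. The `Kernel Modules Loading` filter is also the only one with unquoted values, whereas every other string comparison in the file uses `\x22…\x22`; if the dfilter engine treats a bare token that is not a field name as a literal this still works, but quoting it keeps the file consistent: `"TRUE","Misc // Kernel Modules Loading","evt.type == \x22init_module\x22 || evt.type == \x22finit_module\x22","Selects kernel module loading system calls (init_module, finit_module)"`. In `Writes to System Files`, `^/usr/lib` has no trailing slash and so also matches `/usr/libexec/`, while `/lib64/`, `/usr/lib64/` and `/usr/local/` are not covered at all, which is worth a comment stating whether the list is meant to be exhaustive. Finally, the header still claims the file is automatically generated and must not be modified, but this hunk is a hand edit; either drop that line or name the generator it refers to.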
diff --git a/resources/share/logray/profiles/CloudTrail/colorfilters b/resources/share/logray/profiles/CloudTrail/colorfilters
new file mode 100644
index 00000000..cdd1d217
--- /dev/null
+++ b/resources/share/logray/profiles/CloudTrail/colorfilters
@@ -0,0 +1,4 @@
+# This file was created by Logray. Edit with care.
+@Errors@ct.error@[4626,10023,11822][63479,34695,34695]
+@State Modifying Event@ct.readonly == "false"@[61423,50372,39578][0,0,0]
+@Administrative Activity@falcobridge.id == 2 and not (ct.name ~ "^Describe.*" or ct.name ~ "^List.*" or ct.name ~ "^(Batch|)Get.*")@[61423,50372,39578][0,0,0]
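Review bot: `falcobridge.id == 2` replaces the readable `cloudtrail` test in `Administrative Activity` with a bare plugin id that nothing on the page explains, so a reader cannot tell which event source the rule is scoped to without looking up the bridge's id table. Since the file already accepts `#` comments, recording it costs one line, e.g. `# falcobridge.id == 2 is the CloudTrail plugin source; keep in sync with <PLUGIN ID TABLE>` (placeholder for the actual location). If that id is assigned by plugin load order rather than fixed, the rule will silently scope to a different source when the plugin set changes, which is worth stating in the same comment.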
diff --git a/resources/share/logray/profiles/CloudTrail/preferences b/resources/share/logray/profiles/CloudTrail/preferences
new file mode 100644
index 00000000..464f0424
--- /dev/null
+++ b/resources/share/logray/profiles/CloudTrail/preferences
@@ -0,0 +1,18 @@
+# Configuration file for Logray
+#
+# Packet list column format
+# Each pair of strings consists of a column title and its format
+gui.column.format:
+ "No.", "%m",
+ "Time", "%t",
+ "Source", "%s",
+ "Destination", "%d",
+ "Length", "%L",
+ "Service", "%Cus:ct.shortsrc:0:R",
+ "Region", "%Cus:ct.region:0:R",
+ "Bucket/Instance", "%Cus:s3.bucket || ec2.name:0:R",
+ "User Name", "%Cus:ct.user:0:R",
+ "Event Name", "%Cus:ct.name:0:R",
+ "User IP", "%Cus:ct.srcip:0:R",
+ "Info", "%i"
+
diff --git a/resources/share/logray/profiles/dfilter_buttons b/resources/share/logray/profiles/dfilter_buttons
new file mode 100644
index 00000000..d94b2178
--- /dev/null
+++ b/resources/share/logray/profiles/dfilter_buttons
@@ -0,0 +1,3 @@
+# This file is automatically generated, DO NOT MODIFY.
+"TRUE","Errors","ct.error",""
+"TRUE","Modify Events","ct.readonly == false",""
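Review bot: The new `Modify Events` button compares `ct.readonly == false` without quotes, while the CloudTrail colorfilter added in this commit and the `Writes` button it replaces both write `ct.readonly == "false"` (`\x22false\x22`); if `ct.readonly` is a string field, the unquoted form depends on the dfilter engine accepting a bare token as a string literal, so `"TRUE","Modify Events","ct.readonly == \x22false\x22",""` keeps the two files consistent. The file also lands at `profiles/dfilter_buttons` rather than inside `profiles/CloudTrail/` next to the new `colorfilters` and `preferences`; if profile files are only read from a named profile directory, these CloudTrail-specific buttons will never be loaded, and the intended path is presumably `profiles/CloudTrail/dfilter_buttons`.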