: Advanced Color Logs configuration file
: Colors -- black, red, green, yellow, blue, magenta, cyan, white, default
: Attributes -- bright, blinking, underlined, normal, background, beep, hide
:               (wake is also used in the rules below, together with the
:               commented-out wake option)
:
: Format for this file is
: [ATTRIBUTE(S)]COLOR,primary_match[,secondary_match,...]
:
: attributes can be any ordering of the above attributes.  This field is not
: case sensitive; only one color may be used.
: primary_match must be a positive match (must be in line)
: secondary_match(es) can be positive (must be in line) or negative (must NOT
: be in line)
: negative matches are specified by NOT ('!')
:
: EXAMPLE -
: Display red background text when someone other than "nobody" opens
: an su session.  Note the log entry has (su) so we want to match to
: "(su)" to avoid matches to "superchicken" or anything else with "su".
:
: BackgroundRed,(su),opened,!nobody
:
: Matches are done linearly.  First match is the color used.  Because of this,
: list matches as most specific to most general.  Simple rule of thumb is to
: list matches in order of most number of conditionals to least number of
: conditionals.
:
:
: Patrick Mullen
: p_mullen@linuxmail.org
:
:option, wake
OPTION, syslog
HOST, fw, BrightRed
HOST, fs, BrightGreen
HOST, ws, BrightYellow
:TIMESTAMP, BackgroundBrightMagenta
Service, kernel, BrightWhite
Service, modprobe, BrightWhite
Service, mail, BrightBlue
: So we get sendmail and qmail.
Service, identd, normal
Service, ftpd, BrightGreen
: Note this also does tftpd
Service, named, BrightCyan
Service, PAM_unix, BrightYellow
Service, login, BrightYellow
Service, telnetd, Yellow
Service, snort, BrightRed
Service, su, BrightMagenta
Hide,oidentd
Hide,-- MARK --

: High alert stuff
WakeBeepBlinkingBackgroundBrightRed,refused connect
WakeBeepBlinkingBackgroundBrightYellow,romiscuous mode
: "romiscuous" is deliberate: the one rule then catches both "Promiscuous mode"
: and "promiscuous mode" (matches are case sensitive; compare the separate
: FAILED LOGIN / failed login rules below).

: snort  http://www.clark.net/~roesch/security.html
BrightRed,snort,spp_portscan
BrightRed,snort,Traceroute
Hide,snort,VIOLATION
Hide,snort,RETRANSMISSION
BrightRed,snort

Hide,/USR/SBIN/CRON
Hide,rpc.statd,SM_UNMON
Hide,last message
Hide,kernel,usb-uhci

: More alert stuff we want to highlight
BackgroundBrightYellow,Authentication failure
BackgroundBrightYellow,FAILED LOGIN
: telnetd
BackgroundBrightYellow,failed login
: ftpd
BeepBlinkingBackgroundBrightYellow,repeated login failures
: ftpd

: Further down the chain are these messages we don't want to miss.
: If you have a high-traffic site, "background"ing these will probably
: be annoying.
BackgroundGreen, FTP LOGIN
:BackgroundYellow,LOGIN
BackgroundYellow,adduser
BackgroundYellow,userdel
BackgroundYellow,connect from

: Kernel messages generally come in bursts (bootup), but when they
: appear alone it's often cause for concern.  Lumping kernel-associated
: messages in with this group.
:BackgroundWhite,kernel
:BackgroundWhite,modprobe

: PAM_unix stuff
Hide,su,for user nobody
: Ignore `su nobody`
Hide,PAM_unix,(cron)
BrightMagenta,su
BrightGreen,PAM_unix,opened
BrightGreen,PAM_unix,(su)
BrightGreen,PAM_unix,closed
BrightGreen,PAM_unix
: Everything else - passwd changes, auth failures, unforeseen things

: Named.  The inspiration for this program.  Ignore status messages.
: These rules are ordered so expected "abnormality" messages such
: as "Lame server" get standard foreground colorizing, any message
: which is neither one of these "abnormality" messages nor a "status"
: message is then caught by the catch-all rule so we notice it easily
: (the catch-all below uses plain Cyan; make it BackgroundCyan if you
: want those to stand out more), and finally status messages are hidden.
Cyan,named,Lame server
Cyan,named,!STATS,!Cleaned cache,!USAGE
Hide,named

: ftp.  Not sure what to highlight here.  Failed logins are done at the top,
: so just colourize ftp messages normally for now.
Green,ftpd
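: The matcher below is an added worked example of the rule format described in
: the header (attribute-prefixed colour, positive primary match, positive or
: '!'-negated secondaries, first match wins), run over a few constructed syslog
: lines; it is not the Advanced Color Logs program itself.  Where the file is
: silent it assumes: substring matches are case sensitive, fields are trimmed of
: surrounding spaces, and the OPTION/HOST/Service/TIMESTAMP directive lines are
: skipped rather than interpreted.  It also shows what goes wrong when the bare
: "su" rule is listed above the more specific "Hide,su,for user nobody" rule.

```python
"""Matcher for the Advanced Color Logs rule format (added example, not the
tool's own code).  Assumed, because the config file does not say: matches are
case-sensitive substrings, fields are stripped, directives are skipped."""
from collections import namedtuple

# ANSI SGR colour order, which is also the order the header lists them in.
COLORS = ("black", "red", "green", "yellow", "blue", "magenta", "cyan", "white", "default")
# "wake" is absent from the header's attribute list but used in the rules; no-op here.
ATTRIBUTES = ("bright", "blinking", "underlined", "normal", "background", "beep", "hide", "wake")
DIRECTIVES = ("option", "host", "service", "timestamp")

Rule = namedtuple("Rule", "raw attrs color primary positives negatives")


def parse_style(field):
    """'WakeBeepBlinkingBackgroundBrightRed' -> ({attrs}, 'red').  Attributes in any
    order, case-insensitive; at most one colour, absent for bare 'Hide'/'normal'."""
    s, attrs, matched = field.strip().lower(), set(), True
    while matched:
        matched = False
        for a in ATTRIBUTES:
            if s.startswith(a):
                attrs.add(a)
                s, matched = s[len(a):], True
                break
    if s == "" and attrs:
        return attrs, None
    if s not in COLORS:          # two colours, or a typo, land here
        raise ValueError("unknown colour/attribute %r in %r" % (s, field))
    return attrs, s


def parse_rule(line):
    """One config line -> Rule, or None for blank, ':' comment and directive lines."""
    if not line.strip() or line.lstrip().startswith(":"):
        return None
    fields = [f.strip() for f in line.split(",")]
    if fields[0].lower() in DIRECTIVES or len(fields) < 2:
        return None
    attrs, color = parse_style(fields[0])
    positives = [f for f in fields[2:] if not f.startswith("!")]
    negatives = [f[1:] for f in fields[2:] if f.startswith("!")]
    return Rule(fields[0], attrs, color, fields[1], positives, negatives)


def load_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def rule_matches(rule, logline):
    """Primary and every positive secondary must be in the line; no negative may be."""
    if rule.primary not in logline or any(p not in logline for p in rule.positives):
        return False
    return not any(n in logline for n in rule.negatives)


def classify(rules, logline):
    """Linear scan, first match wins: order rules most specific first."""
    for rule in rules:
        if rule_matches(rule, logline):
            return rule
    return None


SGR = {"bright": "1", "underlined": "4", "blinking": "5"}


def render(rule, logline):
    """Apply a rule as an ANSI SGR sequence; Hide drops the line, beep prepends BEL."""
    if rule is None:
        return logline
    if "hide" in rule.attrs:
        return ""
    codes = [SGR[a] for a in ("bright", "underlined", "blinking") if a in rule.attrs]
    if rule.color and rule.color != "default":
        codes.append(str((40 if "background" in rule.attrs else 30) + COLORS.index(rule.color)))
    bell = "\a" if "beep" in rule.attrs else ""
    return bell + logline if not codes else "%s\x1b[%sm%s\x1b[0m" % (bell, ";".join(codes), logline)


# Rules excerpted from the config above, kept most specific first.
RULES = """\
Service, su, BrightMagenta
WakeBeepBlinkingBackgroundBrightYellow,romiscuous mode
BackgroundRed,(su),opened,!nobody
Hide,su,for user nobody
Hide,PAM_unix,(cron)
BrightMagenta,su
BrightGreen,PAM_unix,opened
BrightGreen,PAM_unix
"""
# Same rules with the bare 'su' rule hoisted above the 'Hide ... nobody' rule.
RULES_MISORDERED = RULES.replace("BrightMagenta,su\n", "").replace(
    "Hide,su,for user nobody\n", "BrightMagenta,su\nHide,su,for user nobody\n")

# Constructed syslog lines for the demo (not captured from a real host).
SAMPLE_LINES = [
    "Mar  3 10:14:02 ws PAM_unix[1234]: (su) session opened for user root by alice(uid=1000)",
    "Mar  3 10:15:10 ws PAM_unix[1240]: (su) session opened for user nobody by (uid=0)",
    "Mar  3 10:20:00 ws PAM_unix[1300]: (cron) session opened for user root by (uid=0)",
    "Mar  3 10:22:31 ws PAM_unix[1333]: (login) session opened for user bob by LOGIN(uid=0)",
    "Mar  3 10:30:00 ws PAM_unix[1400]: authentication failure; (uid=0) -> root for su service",
    "Mar  3 10:31:00 ws login[1500]: LOGIN ON tty1 BY superchicken",
    "Mar  3 10:40:00 ws kernel: eth0: Promiscuous mode enabled.",
]


def classify_all(rules_text, lines):
    """Raw style field of the first matching rule per line (None when nothing matches)."""
    rules = load_rules(rules_text)
    return [getattr(classify(rules, line), "raw", None) for line in lines]


if __name__ == "__main__":
    for line, style in zip(SAMPLE_LINES, classify_all(RULES, SAMPLE_LINES)):
        print("%-38s %s" % (style, line))
```

: Note the "superchicken" line: the bare BrightMagenta,su rule colours it, exactly
: the false match the header example warns about.  With RULES_MISORDERED the
: "su nobody" line is highlighted instead of hidden, because the first rule that
: matches wins and the specific Hide rule is never reached.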