summaryrefslogtreecommitdiff
path: root/docs/configuration/service
diff options
context:
space:
mode:
Diffstat (limited to 'docs/configuration/service')
-rw-r--r--docs/configuration/service/broadcast-relay.rst5
-rw-r--r--docs/configuration/service/conntrack-sync.rst4
-rw-r--r--docs/configuration/service/eventhandler.rst127
-rw-r--r--docs/configuration/service/https.rst6
-rw-r--r--docs/configuration/service/index.rst1
-rw-r--r--docs/configuration/service/monitoring.rst107
-rw-r--r--docs/configuration/service/ssh.rst30
7 files changed, 276 insertions, 4 deletions
diff --git a/docs/configuration/service/broadcast-relay.rst b/docs/configuration/service/broadcast-relay.rst
index df48bfd6..b6e2bed7 100644
--- a/docs/configuration/service/broadcast-relay.rst
+++ b/docs/configuration/service/broadcast-relay.rst
@@ -28,6 +28,11 @@ Configuration
want to receive/relay packets on both `eth1` and `eth2` both interfaces need
to be added.
+.. cfgcmd:: set service broadcast-relay id <n> address <ipv4-address>
+
+ Set the source IP of forwarded packets, otherwise original senders address
+ is used.
+
.. cfgcmd:: set service broadcast-relay id <n> port <port>
The UDP port number used by your apllication. It is mandatory for this kind
diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst
index a7cd7060..1b72f8eb 100644
--- a/docs/configuration/service/conntrack-sync.rst
+++ b/docs/configuration/service/conntrack-sync.rst
@@ -114,11 +114,11 @@ Operation
conntrack is not enabled. To enable conntrack, just create a NAT or a firewall
rule. :cfgcmd:`set firewall state-policy established action accept`
-.. opcmd:: show conntrack-sync external-cache
+.. opcmd:: show conntrack-sync cache external
Show connection syncing external cache entries
-.. opcmd:: show conntrack-sync internal-cache
+.. opcmd:: show conntrack-sync cache internal
Show connection syncing internal cache entries
diff --git a/docs/configuration/service/eventhandler.rst b/docs/configuration/service/eventhandler.rst
new file mode 100644
index 00000000..15f08239
--- /dev/null
+++ b/docs/configuration/service/eventhandler.rst
@@ -0,0 +1,127 @@
+.. _event-handler:
+
+#############
+Event Handler
+#############
+
+*********************************
+Event Handler Technology Overview
+*********************************
+
+Event handler allows you to execute scripts when a string that matches a regex or a regex with
+a service name appears in journald logs. You can pass variables, arguments, and a full matching string to the script.
+
+
+******************************
+How to configure Event Handler
+******************************
+
+ `1. Create an event handler`_
+
+ `2. Add regex to the script`_
+
+ `3. Add a full path to the script`_
+
+ `4. Add optional parameters`_
+
+*********************************
+Event Handler Configuration Steps
+*********************************
+
+1. Create an event handler
+==========================
+
+ .. cfgcmd:: set service event-handler event <event-handler name>
+
+ This is an optional command because the event handler will be automatically created after any of the next commands.
+
+
+2. Add regex to the script
+===========================================
+
+ .. cfgcmd:: set service event-handler event <event-handler name> filter pattern <regex>
+
+ This is a mandatory command. Sets regular expression to match against log string message.
+
+ .. note:: The regular expression matches if and only if the entire string matches the pattern.
+
+
+
+3. Add a full path to the script
+================================
+
+ .. cfgcmd:: set service event-handler event <event-handler name> script path <path to script>
+
+ This is a mandatory command. Sets the full path to the script. The script file must be executable.
+
+
+
+4. Add optional parameters
+==========================
+
+ .. cfgcmd:: set service event-handler event <event-handler name> filter syslog-identifier <sylogid name>
+
+ This is an optional command. Filters log messages by syslog-identifier.
+
+ .. cfgcmd:: set service event-handler event <event-handler name> script environment <env name> value <env value>
+
+ This is an optional command. Adds environment and its value to the script. Use separate commands for each environment.
+
+ One implicit environment exists.
+
+ * ``message``: Full message that has triggered the script.
+
+ .. cfgcmd:: set service event-handler event <event-handler name> script arguments <arguments>
+
+ This is an optional command. Adds arguments to the script. Arguments must be separated by spaces.
+
+ .. note:: We don't recomend to use arguments. Using environments is more preffereble.
+
+
+*******
+Example
+*******
+
+ Event handler that monitors the state of interface eth0.
+
+ .. code-block:: none
+
+ set service event-handler event INTERFACE_STATE_DOWN filter pattern '.*eth0.*,RUNNING,.*->.*'
+ set service event-handler event INTERFACE_STATE_DOWN filter syslog-identifier 'netplugd'
+ set service event-handler event INTERFACE_STATE_DOWN script environment interface_action value 'down'
+ set service event-handler event INTERFACE_STATE_DOWN script environment interface_name value 'eth2'
+ set service event-handler event INTERFACE_STATE_DOWN script path '/config/scripts/eventhandler.py'
+
+ Event handler script
+
+ .. code-block:: none
+
+ #!/usr/bin/env python3
+ #
+ # VyOS event-handler script example
+ from os import environ
+ import subprocess
+ from sys import exit
+
+ # Perform actions according to requirements
+ def process_event() -> None:
+ # Get variables
+ message_text = environ.get('message')
+ interface_name = environ.get('interface_name')
+ interface_action = environ.get('interface_action')
+ # Print the message that triggered this script
+ print(f'Logged message: {message_text}')
+ # Prepare a command to run
+ command = f'sudo ip link set {interface_name} {interface_action}'.split()
+ # Execute a command
+ subprocess.run(command)
+
+ if __name__ == '__main__':
+ try:
+ # Run script actions and exit
+ process_event()
+ exit(0)
+ except Exception as err:
+ # Exit properly in case if something in the script goes wrong
+ print(f'Error running script: {err}')
+ exit(1)
diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst
index 22533db5..08b16575 100644
--- a/docs/configuration/service/https.rst
+++ b/docs/configuration/service/https.rst
@@ -28,6 +28,10 @@ Configuration
Set the listen port of the local API, this has no effect on the
webserver. The default is port 8080
+.. cfgcmd:: set service https api socket
+
+ Use local socket for API
+
.. cfgcmd:: set service https api strict
Enforce strict path checking
@@ -89,4 +93,4 @@ To use this full configuration we asume a public accessible hostname.
set service https virtual-host rtr01 listen-address 198.51.100.2
set service https virtual-host rtr01 listen-port 11443
set service https virtual-host rtr01 server-name rtr01.example.com
- set service https api-restrict virtual-host rtr01.example.com
+ set service https api-restrict virtual-host rtr01
diff --git a/docs/configuration/service/index.rst b/docs/configuration/service/index.rst
index 11a1a118..8607490d 100644
--- a/docs/configuration/service/index.rst
+++ b/docs/configuration/service/index.rst
@@ -25,3 +25,4 @@ Service
ssh
tftp-server
webproxy
+ eventhandler
diff --git a/docs/configuration/service/monitoring.rst b/docs/configuration/service/monitoring.rst
index 7396f142..755669e1 100644
--- a/docs/configuration/service/monitoring.rst
+++ b/docs/configuration/service/monitoring.rst
@@ -1,10 +1,111 @@
Monitoring
----------
-Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided.
+Azure-data-explorer
+===================
+Telegraf output plugin azure-data-explorer_
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication client-id <client-id>
+
+ Authentication application client-id.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication client-secret <client-secret>
+
+ Authentication application client-secret.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer authentication tenant-id <tenant-id>
+
+ Authentication application tenant-id
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer database <name>
+
+ Remote databe name.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer group-metrics <single-table | table-per-metric>
+
+ Type of metrics grouping when push to Azure Data Explorer. The default is
+ ``table-per-metric``.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer table <name>
+
+ Name of the single table Only if set group-metrics single-table.
+
+.. cfgcmd:: set service monitoring telegraf azure-data-explorer url <url>
+
+ Remote URL.
+
+Prometheus-client
+=================
+Telegraf output plugin prometheus-client_
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client
+
+ Output plugin Prometheus client
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client allow-from <prefix>
+
+ Networks allowed to query this server
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client authentication username <username>
+
+ HTTP basic authentication username
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client authentication password <password>
+
+ HTTP basic authentication username
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client listen-address <address>
+
+ Local IP addresses to listen on
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client metric-version <1 | 2>
+
+ Metris version, the default is ``2``
+
+.. cfgcmd:: set service monitoring telegraf prometheus-client port <port>
+
+ Port number used by connection, default is ``9273``
+
+Example:
+
+.. code-block:: none
+
+ set service monitoring telegraf prometheus-client
+
+.. code-block:: none
+
+ vyos@r14:~$ curl --silent localhost:9273/metrics | egrep -v "#" | grep cpu_usage_system
+ cpu_usage_system{cpu="cpu-total",host="r14"} 0.20040080160320556
+ cpu_usage_system{cpu="cpu0",host="r14"} 0.17182130584191915
+ cpu_usage_system{cpu="cpu1",host="r14"} 0.22896393817971655
+
+Splunk
+======
+Telegraf output plugin splunk_. HTTP Event Collector.
+
+.. cfgcmd:: set service monitoring telegraf splunk authentication insecure
+
+ Use TLS but skip host validation
+
+.. cfgcmd:: set service monitoring telegraf splunk authentication token <token>
+
+ Authorization token
+
+.. cfgcmd:: set service monitoring telegraf splunk authentication url <url>
+
+ Remote URL to Splunk collector
+
+Example:
+
+.. code-block:: none
+
+ set service monitoring telegraf splunk authentication insecure
+ set service monitoring telegraf splunk authentication token 'xxxxf5b8-xxxx-452a-xxxx-43828911xxxx'
+ set service monitoring telegraf splunk url 'https://192.0.2.10:8088/services/collector'
Telegraf
========
+Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided.
Telegraf is the open source server agent to help you collect metrics, events
and logs from your routers.
@@ -43,3 +144,7 @@ An example of a configuration that sends ``telegraf`` metrics to remote
set service monitoring telegraf port '8086'
set service monitoring telegraf source 'all'
set service monitoring telegraf url 'http://r1.influxdb2.local'
+
+.. _azure-data-explorer: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/azure_data_explorer
+.. _prometheus-client: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/prometheus_client
+.. _splunk: https://www.splunk.com/en_us/blog/it/splunk-metrics-via-telegraf.html \ No newline at end of file
diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst
index ad410a3c..baf17035 100644
--- a/docs/configuration/service/ssh.rst
+++ b/docs/configuration/service/ssh.rst
@@ -109,6 +109,36 @@ Configuration
Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance.
+Dynamic-protection
+==================
+Protects host from brute-force attacks against
+SSH. Log messages are parsed, line-by-line, for recognized patterns. If an
+attack, such as several login failures within a few seconds, is detected, the
+offending IP is blocked. Offenders are unblocked after a set interval.
+
+.. cfgcmd:: set service ssh dynamic-protection
+
+ Allow ``ssh`` dynamic-protection.
+
+.. cfgcmd:: set service ssh dynamic-protection allow-from <address | prefix>
+
+ Whitelist of addresses and networks. Always allow inbound connections from
+ these systems.
+
+.. cfgcmd:: set service ssh dynamic-protection block-time <sec>
+
+ Block source IP in seconds. Subsequent blocks increase by a factor of 1.5
+ The default is 120.
+
+.. cfgcmd:: set service ssh dynamic-protection detect-time <sec>
+
+ Remember source IP in seconds before reset their score. The default is 1800.
+
+.. cfgcmd:: set service ssh dynamic-protection threshold <sec>
+
+ Block source IP when their cumulative attack score exceeds threshold. The
+ default is 30.
+
Operation
=========