diff --git a/.gitignore b/.gitignore
index 3c600ac..5333118 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 go-audit
 go-audit.yaml
+!examples/**
 *.pprof
 *.test
 *.deb
diff --git a/examples/README.md b/examples/README.md
new file mode 100644
index 0000000..76b88df
--- /dev/null
+++ b/examples/README.md
@@ -0,0 +1,16 @@
+## examples ##
+
+The following folders contain configs for each program, together they should give you a strong
+starting point for running all of this in production.
+
+These configs are targeted for everything running on a single Ubuntu 14.04 or 16.04 host. They _should_
+work for other distributions but may require some modification.
+
+Set everything up in the following order:
+
+1. [`elasticsearch`](./elasticsearch)
+1. [`streamstash`](./streamstash)
+1. [`rsyslog`](./rsyslog)
+1. [`go-audit`](./go-audit)
+1. [`kibana`](./kibana)
+1. [`elastalert`](./elastalert)
diff --git a/examples/elastalert/README.md b/examples/elastalert/README.md
new file mode 100644
index 0000000..b8a78dd
--- /dev/null
+++ b/examples/elastalert/README.md
@@ -0,0 +1,57 @@
+## elastalert ##
+
+### Things to install
+
+- `python`
+- `python-dev`
+- `pip`
+- `gcc`
+
+On Ubuntu:
+
+```
+sudo apt install python python-dev python-pip gcc
+```
+
+[elastalert docs](http://elastalert.readthedocs.io/en/latest/running_elastalert.html#downloading-and-configuring) has a
+good guide to getting setup.
+
+A TLDR version:
+
+```
+sudo pip install --upgrade setuptools pip
+cd /opt
+sudo git clone https://github.com/Yelp/elastalert.git
+cd elastalert
+sudo python setup.py install
+sudo pip install -r requirements.txt
+# just answer the defaults for this one
+elastalert-create-index --host localhost --port 9200 --no-ssl --no-auth
+```
+
+Place the files:
+
+- [`elastalert.yaml`](./elastalert.yaml)
+- [`run_uptime.yaml`](./run_uptime.yaml)
+- [`systemd.service`](./systemd.service) - if running `systemd`
+- [`upstart.conf`](./upstart.conf) - if running `upstart`
+
+Logs will be sent to syslog, usually end up at `/var/log/syslog`
+
+Once all that is done you can test the `run_uptime.yaml` rule with (you may want to run `uptime` first)
+
+```
+uptime
+elastalert-test-rule --config /etc/elastalert.yaml /opt/elastalert_rules/run_uptime.yaml
+```
+
+You should see a big json blob of you running `uptime`!
+
+Start or restart `elastalert`
+
+- 14.04 - `sudo start elastalert`
+- 16.04 - `sudo systemctl start elastalert.service`
+
+Logs will be sent to syslog, usually end up at `/var/log/syslog`
+
+Alerts will be sent to `/tmp/alerts`
diff --git a/examples/elastalert/elastalert.yaml b/examples/elastalert/elastalert.yaml
new file mode 100644
index 0000000..c88b560
--- /dev/null
+++ b/examples/elastalert/elastalert.yaml
@@ -0,0 +1,48 @@
+# /etc/elastalert.yaml
+rules_folder: /opt/elastalert_rules
+
+# How often ElastAlert will query Elasticsearch
+# The unit can be anything from weeks to seconds
+run_every:
+ seconds: 5
+
+# ElastAlert will buffer results from the most recent
+# period of time, in case some log sources are not in real time
+buffer_time:
+ minutes: 45
+
+# The Elasticsearch hostname for metadata writeback
+# Note that every rule can have its own Elasticsearch host
+es_host: 127.0.0.1
+
+# The Elasticsearch port
+es_port: 9200
+
+# Optional URL prefix for Elasticsearch
+#es_url_prefix: elasticsearch
+
+# Connect with TLS to Elasticsearch
+#use_ssl: True
+
+# Verify TLS certificates
+#verify_certs: True
+
+# GET request with body is the default option for Elasticsearch.
+# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
+# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
+# for details
+#es_send_get_body_as: GET
+
+# Option basic-auth username and password for Elasticsearch
+#es_username: someusername
+#es_password: somepassword
+
+# The index on es_host which is used for metadata storage
+# This can be a unmapped index, but it is recommended that you run
+# elastalert-create-index to set a mapping
+writeback_index: elastalert_status
+
+# If an alert fails for some reason, ElastAlert will retry
+# sending the alert until this time period has elapsed
+alert_time_limit:
+ days: 2
diff --git a/examples/elastalert/run_uptime.yaml b/examples/elastalert/run_uptime.yaml
new file mode 100644
index 0000000..90ebc08
--- /dev/null
+++ b/examples/elastalert/run_uptime.yaml
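Review bot: The commented-out `#es_username`/`#es_password` lines invite putting an Elasticsearch password in plaintext into /etc/elastalert.yaml, and the example says nothing about protecting it or the transport. If basic auth is enabled, the file should be readable only by the account running elastalert (the upstart job in this change runs as `nobody`, the systemd unit as root), e.g. `chmod 0640` with a matching group, and `use_ssl: True` plus `verify_certs: True` should be enabled together rather than left commented, otherwise the credentials cross the network in the clear; with `es_host: 127.0.0.1` that only matters once this points at a remote cluster, which is exactly when people copy the file. A comment above `#es_username` such as `# if you enable these, restrict this file's mode and enable use_ssl/verify_certs` would make that explicit.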
@@ -0,0 +1,18 @@
+# /opt/elastalert_rules/run_uptime.yaml
+name: go-audit run uptime
+index: streamstash-%Y.%m.%d
+use_strftime_index: true
+type: any
+filter:
+- query:
+ query_string:
+ query: go-audit.execve.command:uptime
+# write alerts to /tmp/alerts for debugging purposes
+alert:
+- command
+pipe_match_json: true
+command: ["/usr/bin/tee", "-a", "/tmp/alerts"]
+# Enable email alerts:
+#alert:
+#- email
+#email: YOUR-EMAIL@SOMEWHERE.COM
diff --git a/examples/elastalert/systemd.service b/examples/elastalert/systemd.service
new file mode 100644
index 0000000..092a043
--- /dev/null
+++ b/examples/elastalert/systemd.service
@@ -0,0 +1,11 @@
+# /etc/systemd/system/elastalert.service
+[Unit]
+Description = elastalert
+After=network.target
+
+[Service]
+Type = simple
+ExecStart = /usr/local/bin/elastalert --config /etc/elastalert.yaml
+
+[Install]
+WantedBy = multi-user.target
diff --git a/examples/elastalert/upstart.conf b/examples/elastalert/upstart.conf
new file mode 100644
index 0000000..040607d
--- /dev/null
+++ b/examples/elastalert/upstart.conf
@@ -0,0 +1,24 @@
+# /etc/init/elastalert.conf
+description "elastalert"
+
+start on runlevel [2345]
+stop on runlevel [!2345]
+
+respawn
+respawn limit 10 5
+
+setuid nobody
+setgid nogroup
+
+chdir /opt/elastalert
+
+script
+ set -e
+ rm -f "/tmp/elastalert.log"
+ mkfifo "/tmp/elastalert.log"
+ (setsid logger -t"elastalert" <"/tmp/elastalert.log" &)
+ exec >"/tmp/elastalert.log" 2>"/tmp/elastalert.log"
+ rm "/tmp/elastalert.log"
+
+ exec /usr/local/bin/elastalert --config /etc/elastalert.yaml
+end script
diff --git a/examples/elasticsearch/README.md b/examples/elasticsearch/README.md
new file mode 100644
index 0000000..f4ba156
--- /dev/null
+++ b/examples/elasticsearch/README.md
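Review bot: The `command` alert appends every match — with `pipe_match_json: true` that is the whole event, including the recorded execve command line — to `/tmp/alerts`, a fixed name in a world-writable directory that any local user can pre-create, read, truncate, or (unless `fs.protected_symlinks` intervenes) replace with a symlink that `tee -a` will follow. Because the upstart job in this change runs elastalert as `nobody` the blast radius is limited, but alert output should not be readable or spoofable by other accounts even in a debugging setup. A directory owned by the service account is the safer example, e.g. `command: ["/usr/bin/tee", "-a", "/var/log/elastalert/alerts"]` with that directory created `0750`; if `/tmp` is kept, extend the existing comment to `# write alerts to /tmp/alerts for debugging purposes only; /tmp is shared with every local user`.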
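Review bot: The `[Service]` section has no `User=`/`Group=`, so under systemd elastalert runs as root, while the upstart job in the same change drops to `nobody`/`nogroup` and the streamstash unit sets `User=nobody`; nothing visible here needs root (it talks to Elasticsearch on 127.0.0.1 and writes to /tmp/alerts), so the two init flavours should agree on least privilege. Add `User=nobody` and `Group=nogroup` under `[Service]`, and note in the README that /etc/elastalert.yaml and /opt/elastalert_rules must then be readable by that account. The upstart job also has `respawn` whereas this unit has no `Restart=`; `Restart=on-failure` keeps alerting from silently stopping after a crash.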
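Review bot: The `script` block creates its syslog fifo at the fixed path `/tmp/elastalert.log` in a world-writable directory, and does so as `nobody` because of `setuid nobody`: any local user who creates a file at that name first makes `rm -f` fail (sticky /tmp) or `mkfifo` fail with EEXIST, `set -e` exits the job, and after `respawn limit 10 5` elastalert stays down — an unprivileged account can keep alerting from starting. Use a name nobody else can claim and let `mkfifo` be the atomic step (it does not follow symlinks and fails rather than reusing an existing path), as sketched below; the go-audit and streamstash upstart jobs in this change use the same pattern and need the same treatment.
```shell
script
  set -e
  fifo=$(mktemp -u /tmp/elastalert.XXXXXX)
  mkfifo -m 0600 "$fifo"
  (setsid logger -t"elastalert" <"$fifo" &)
  exec >"$fifo" 2>"$fifo"
  rm "$fifo"
  # … unchanged: exec elastalert …
```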
@@ -0,0 +1,45 @@
+## elasticsearch ##
+
+Very bare bones approach to getting elasticsearch running
+
+## Things to install ##
+
+- `java`
+- [`elasticsearch`](https://www.elastic.co/downloads/past-releases/elasticsearch-2-4-1) - Avoid using 5.x until [elastalert supports it](https://github.com/Yelp/elastalert/issues/510)
+- [`kopf`](https://github.com/lmenezes/elasticsearch-kopf) - makes ops a lot easier
+
+On Ubuntu 16.04:
+
+```
+sudo apt install openjdk-8-jre-headless
+```
+
+On Ubuntu 14.04:
+
+```
+sudo apt install openjdk-7-jre-headless
+```
+
+On Ubuntu:
+
+```
+wget https://download.elastic.co/elasticsearch/release/org/elasticsearch/distribution/deb/elasticsearch/2.4.1/elasticsearch-2.4.1.deb
+sudo dpkg -i elasticsearch-2.4.1.deb
+```
+
+Place the files
+
+- [`elasticsearch.yml`](./elasticsearch.yml)
+
+Start or restart `elasticsearch`
+
+- 14.04 - `sudo /etc/init.d/elasticsearch start`
+- 16.04 - `sudo systemctl start elasticsearch.service`
+
+Once the service is running apply the [`mapping.json`](./mapping.json) template to prepare for `streamstash` logs
+
+```
+curl -d @mapping.json http://localhost:9200/_template/streamstash
+```
+
+Logs are usually at `/var/log/elasticsearch/elasticsearch.log`
diff --git a/examples/elasticsearch/elasticsearch.yml b/examples/elasticsearch/elasticsearch.yml
new file mode 100644
index 0000000..e90878b
--- /dev/null
+++ b/examples/elasticsearch/elasticsearch.yml
@@ -0,0 +1,3 @@
+# /etc/elasticsearch/elasticsearch.yml
+network.host: [ _site_, _local_ ]
+node.name: ${HOSTNAME}
diff --git a/examples/elasticsearch/mapping.json b/examples/elasticsearch/mapping.json
new file mode 100644
index 0000000..7dc13cc
--- /dev/null
+++ b/examples/elasticsearch/mapping.json
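Review bot: `network.host: [ _site_, _local_ ]` binds Elasticsearch 2.4 to every site-local interface as well as loopback, and 2.x has no built-in authentication, so anyone on the LAN can read, alter or delete the audit data in `streamstash-*` and the `elastalert_status` index, and can drive the cluster APIs. Every client configured in this change (streamstash, elastalert, the README's `curl`) connects to 127.0.0.1 and the top-level README describes a single-host deployment, so `network.host: _local_` is sufficient here. If remote access is genuinely wanted, put 9200 behind a firewall rule or an authenticating proxy and say so next to the line, e.g. `# _site_ exposes an unauthenticated cluster to the network; firewall 9200 or remove it`.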
@@ -0,0 +1,41 @@
+{
+ "template": "streamstash-*",
+ "mappings": {
+ "_default_": {
+ "dynamic_templates": [
+ {
+ "message_field": {
+ "mapping": {
+ "index": "analyzed",
+ "omit_norms": true,
+ "type": "string"
+ },
+ "match_mapping_type": "string",
+ "match": "message"
+ }
+ },
+ {
+ "string_fields": {
+ "mapping": {
+ "index": "analyzed",
+ "omit_norms": true,
+ "type": "string",
+ "fields": {
+ "raw": {
+ "index": "not_analyzed",
+ "type": "string"
+ }
+ }
+ },
+ "match_mapping_type": "string",
+ "match": "*"
+ }
+ }
+ ],
+ "_all": {
+ "omit_norms": true,
+ "enabled": true
+ }
+ }
+ }
+}
diff --git a/examples/go-audit/README.md b/examples/go-audit/README.md
new file mode 100644
index 0000000..1f5cdec
--- /dev/null
+++ b/examples/go-audit/README.md
@@ -0,0 +1,37 @@
+## go-audit ##
+
+The files here will get `go-audit` logging to `rsyslog` and has a decent default ruleset.
+
+An upstart config and systemd unit are provided as well
+
+### Things to install
+
+- `auditd` - the one that comes with your distro is fine, we just need `auditctl` for now
+ - ie: `sudo apt install auditd`
+- [`golang`](https://golang.org/dl/) - so you can compile `go-audit`
+
+On Ubuntu:
+
+```
+sudo apt install auditd golang
+```
+
+To install `go-audit`
+
+```
+make
+sudo cp go-audit /usr/local/bin
+```
+
+Place the files:
+
+- [`go-audit.yaml`](./go-audit.yaml)
+- [`systemd.service`](./systemd.service) - if running `systemd`
+- [`upstart.conf`](./upstart.conf) - if running `upstart`
+
+Start or restart `go-audit`
+
+- 14.04 - `sudo start go-audit`
+- 16.04 - `sudo systemctl start go-audit.service`
+
+Logs will be in `elasticsearch`
diff --git a/examples/go-audit/go-audit.yaml b/examples/go-audit/go-audit.yaml
new file mode 100644
index 0000000..ad82888
--- /dev/null
+++ b/examples/go-audit/go-audit.yaml
@@ -0,0 +1,43 @@
+# /etc/go-audit.yaml
+
+canary: true
+
+# use /var/run/go-audit.sock to write events
+output:
+ syslog:
+ attempts: 15
+ enabled: true
+ network: unix
+ address: /var/run/go-audit.sock
+ priority: 132
+ tag: go-audit
+
+# log an event when we believe a message has been lost
+message_tracking:
+ enabled: true
+ log_out_of_order: false
+ max_out_of_order: 500
+
+rules:
+ - -b 1024
+ # required if you set canary: true
+ - -w /proc/net/netlink -p war -k netlink-file
+ # watch interesting network events
+ - -a exit,always -S connect
+ - -a exit,always -S listen
+ # watch execve for everything that has an auid set (ignores things like cron)
+ - -a exit,always -F arch=b64 -F auid!=-1 -S execve -k user_commands
+ - -a exit,always -F arch=b32 -F auid!=-1 -S execve -k user_commands
+ # failure to access file because of perms
+ - -a always,exit -F arch=b32 -S open -S openat -F exit=-EACCES -k access
+ - -a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access
+ - -a always,exit -F arch=b32 -S open -S openat -F exit=-EPERM -k access
+ - -a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k access
+
+filters:
+ # reduce the number of connect syscall events being logged
+ - syscall: 42
+ message_type: 1306
+ # 0200....7F - ipv4 on any port to 127.x.x.x
+ # 01 - local/unix domain sockets
+ regex: saddr=(0200....7F|01)
diff --git a/examples/go-audit/systemd.service b/examples/go-audit/systemd.service
new file mode 100644
index 0000000..9919de3
--- /dev/null
+++ b/examples/go-audit/systemd.service
@@ -0,0 +1,12 @@
+# /etc/systemd/system/go-audit.service
+[Unit]
+Description = go-audit
+After=network.target auditd.service
+Conflicts = auditd.service
+
+[Service]
+Type = simple
+ExecStart = /usr/local/bin/go-audit -config /etc/go-audit.yaml
+
+[Install]
+WantedBy = multi-user.target
diff --git a/examples/go-audit/upstart.conf b/examples/go-audit/upstart.conf
new file mode 100644
index 0000000..5f6cb4b
--- /dev/null
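Review bot: The two `connect`/`listen` rules carry no `-F arch=` filter, while the `execve` and `open`/`openat` rules right below are duplicated for `arch=b64` and `arch=b32`; as far as I can tell a rule without an arch filter is matched on the native syscall number only (auditctl prints a 32/64-bit mismatch warning for exactly this), so 32-bit callers of connect()/listen() are not captured, and the `filters` entry keyed on `syscall: 42` assumes the x86_64 number for connect in any case. Making the rules consistent closes the gap: `- -a exit,always -F arch=b64 -S connect -S listen -k network` and `- -a exit,always -F arch=b32 -S connect -S listen -k network`, which also gives these events a `-k` key searchable alongside `user_commands` and `access`. The filter comment should then say it assumes x86_64 syscall numbering.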
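Review bot: The `[Service]` section has no `Restart=`, yet the unit `Conflicts=auditd.service` and the upstart job in this change both stops auditd and sets `respawn`; if go-audit exits for any reason nothing is left consuming the audit netlink socket, so the system silently stops being audited until someone notices. Add `Restart=on-failure` and a `RestartSec=` under `[Service]` so the systemd deployment matches the upstart one. Since go-audit must run as root here, a later hardening pass could also add a `CapabilityBoundingSet=` limited to the audit capabilities, but I could not confirm from this change which ones go-audit needs.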
+++ b/examples/go-audit/upstart.conf
@@ -0,0 +1,24 @@
+# /etc/init/go-audit.conf
+
+description "go-audit"
+
+start on runlevel [2345]
+stop on runlevel [!2345]
+
+respawn
+respawn limit 10 5
+
+script
+ # redirect stdout and stderr to syslog
+ set -e
+ rm -f "/tmp/go-audit.log"
+ mkfifo "/tmp/go-audit.log"
+ (setsid logger -t"go-audit" <"/tmp/go-audit.log" &)
+ exec >"/tmp/go-audit.log" 2>"/tmp/go-audit.log"
+ rm "/tmp/go-audit.log"
+
+ # There can be only one auditd
+ /etc/init.d/auditd stop || true
+
+ exec /usr/local/bin/go-audit -config=/etc/go-audit.yaml
+end script
diff --git a/examples/kibana/README.md b/examples/kibana/README.md
new file mode 100644
index 0000000..f687c7e
--- /dev/null
+++ b/examples/kibana/README.md
@@ -0,0 +1,33 @@
+## kibana ##
+
+There isn't really any file based configuration required to make `kibana` work.
+
+Download and install the version compatible with your elasticsearch version:
+- [4.x](https://www.elastic.co/downloads/past-releases/kibana-4-6-2) (if running elasticsearch 2.x)
+
+On Ubuntu:
+
+```
+wget https://download.elastic.co/kibana/kibana/kibana-4.6.2-amd64.deb
+sudo dpkg -i kibana-4.6.2-amd64.deb
+```
+
+Start or restart `kibana`
+
+- 14.04 - `sudo /etc/init.d/kibana start`
+- 16.04 - `sudo systemctl start kibana.service`
+
+You will need to have installed and setup `rsyslog`, `go-audit`, and `streamstash` before you can complete the
+install
+
+When you visit `kibana` for the first time in a web browser, usually via `http://someip:5601`, it will have you
+do a one time setup.
+
+You will want to set:
+
+- `Index name or pattern` = `streamstash-*`
+- `Time-field name` = `@timestamp`
+
+You can now hit `create` and then `Discover`, you should start to see data!
+
+Logs will be sent to syslog, usually end up at `/var/log/syslog`
diff --git a/examples/rsyslog/01-go-audit.conf b/examples/rsyslog/01-go-audit.conf
new file mode 100644
index 0000000..987b728
--- /dev/null
+++ b/examples/rsyslog/01-go-audit.conf
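Review bot: The stdout/stderr fifo is created at the fixed path `/tmp/go-audit.log`, and this job runs as root (no `setuid`): between `rm -f` and `mkfifo` any local user can recreate that name, `mkfifo` then fails with EEXIST, `set -e` exits the job, and after `respawn limit 10 5` the host is left without an audit daemon until someone notices — an unprivileged user can keep auditing from starting. Since the job already runs as root, create the fifo in a root-only directory rather than in /tmp, as sketched below (`/run` is not writable by other users, so the name cannot be squatted). The `# There can be only one auditd` step is fine, but it only stops auditd once; a comment that auditd must also be disabled at boot would save an operator from the two fighting over the audit socket.
```shell
script
  # redirect stdout and stderr to syslog via a fifo in a root-only directory
  set -e
  mkdir -p -m 0700 /run/go-audit
  fifo=/run/go-audit/stdio.fifo
  rm -f "$fifo"
  mkfifo -m 0600 "$fifo"
  (setsid logger -t"go-audit" <"$fifo" &)
  exec >"$fifo" 2>"$fifo"
  rm "$fifo"
  # … unchanged: stop auditd, exec go-audit …
```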
@@ -0,0 +1,47 @@
+# /etc/rsyslog.d/01-go-audit.conf
+
+# Give us higher resolution timestamps
+template(
+ name="LongTagForwardFormat"
+ type="string"
+ string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%"
+)
+
+# rulesets make it easier to target this output
+ruleset(
+ name="go-audit-output"
+ queue.discardmark="1000"
+ queue.discardseverity="0"
+ queue.size="1000"
+ queue.type="LinkedList"
+){
+
+ # send everything to streamstash via relp
+ action(
+ type="omrelp"
+ name="streamstash-relp"
+ target="127.0.0.1"
+ port="5514"
+ template="LongTagForwardFormat"
+ action.resumeRetryCount="-1"
+ windowSize="1000"
+ queue.discardmark="50000"
+ queue.discardseverity="0"
+ queue.size="50000"
+ queue.type="LinkedList"
+ )
+}
+
+# Expose a sock stream socket for log lines > 128kb
+input(type="imptcp" path="/var/run/go-audit.sock" unlink="on" name="go-audit-input" ruleset="go-audit-output")
+
+# Capture audit system log lines and stop them from getting to disk, no further processing will happen to these events
+if $programname == "go-audit" then {
+ call go-audit-output
+ stop
+}
+
+# Tee off interesting auth facility log lines, matching lines will continue on to other outputs
+if $programname == "sshd" or $programname == "sudo" then {
+ call go-audit-output
+}
diff --git a/examples/rsyslog/50-default.conf b/examples/rsyslog/50-default.conf
new file mode 100644
index 0000000..db97fbc
--- /dev/null
+++ b/examples/rsyslog/50-default.conf
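Review bot: The `imptcp` input at `/var/run/go-audit.sock` sets `unlink="on"` but no `fileCreateMode`, so the socket gets whatever mode the module defaults to — I could not confirm that default from here, and if it is world-writable any local process can write lines straight into the `go-audit-output` ruleset and they land in Elasticsearch looking like audit events. go-audit runs as root in both init configs and root bypasses the mode check, so `fileCreateMode="0600"` on the `input(...)` line restricts the socket to its only legitimate writer without caring which user rsyslog created it as; verify the installed 8.20 build accepts that parameter on unix-socket listeners. Separately, the `if $programname == "go-audit"` branch forwards anything that reaches /dev/log with that tag — the upstart job's own `logger -t"go-audit"` stderr stream, and any process that picks the same tag — into the same pipeline, where streamstash runs its go-audit parser on it; if that is intended, a comment saying so would help, otherwise `$inputname == "go-audit-input"` is the tighter key.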
@@ -0,0 +1,20 @@
+# /etc/rsyslog.d/50-default.conf
+
+# These rules output to
+# /var/log/syslog
+# /var/log/kern.log
+# /var/log/auth.log
+
+if prifilt("auth,authpriv.*") then {
+ # Log all auth events to auth.log, fsync after each event
+ action(name="auth-log" type="omfile" file="/var/log/auth.log" sync="on")
+
+} else {
+ # Log everything but auth events to syslog, don't fsync
+ action(name="syslog" type="omfile" file="/var/log/syslog" sync="off")
+
+ if prifilt("kern.*") then {
+ # Log all kernel events to kern.log, don't fsync
+ action(name="kern_log" type="omfile" file="/var/log/kern.log" sync="off")
+ }
+}
diff --git a/examples/rsyslog/README.md b/examples/rsyslog/README.md
new file mode 100644
index 0000000..899cbfb
--- /dev/null
+++ b/examples/rsyslog/README.md
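Review bot: The `auth-log` action inherits the omfile defaults from rsyslog.conf in this same change (`fileCreateMode="0644"`, owner `syslog`, group `adm`), so `/var/log/auth.log` is created world-readable, whereas Ubuntu's stock config creates it `0640`; auth.log holds usernames, failed-login sources and every `sudo` command line, which is precisely what an unprivileged local account should not be able to read. Override it on the action: `action(name="auth-log" type="omfile" file="/var/log/auth.log" sync="on" fileCreateMode="0640")`. The mode only applies when rsyslog creates the file, so a note to `chmod 0640` an existing auth.log belongs in the README.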
@@ -0,0 +1,53 @@
+## rsyslog ##
+
+The files here will configure `rsyslog` to do the normal system logging that you are probably used to
+as well as prepare for ingesting `go-audit` events and outputting them to `streamstash`
+
+### Things to install
+
+The following packages (and their dependencies) are required for the config to work properly. You can find the
+latest versions [here](http://www.rsyslog.com/downloads/download-v8-stable/)
+
+Version 8.20 is the minimum version for all this to work properly
+
+- `rsyslog`
+- `rsyslog-imptcp`
+- `rsyslog-relp`
+- [`go-rsyslog-pstats`](https://github.com/slackhq/go-rsyslog-pstats) - (optional) takes process stats from rsyslog and
+ sends them to `statsite` or `statsd`, helpful for debugging issues
+
+On Ubuntu:
+
+```
+sudo add-apt-repository ppa:adiscon/v8-stable
+sudo apt update
+sudo apt install rsyslog rsyslog-imptcp rsyslog-relp
+```
+
+Place the files:
+
+- [`rsyslog.conf`](./rsyslog.conf)
+- [`01-go-audit.conf`](./01-go-audit.conf)
+- [`50-default.conf`](./50-default.conf)
+
+Start or restart `rsyslog`
+
+- 14.04 - `sudo restart rsyslog`
+- 16.04 - `sudo systemctl start rsyslog.service`
+
+### Debugging ###
+
+If you are having issues with your config you can get more information by running `rsyslog` directly
+
+```
+sudo rsyslogd -n
+```
+
+or with lots of debug info
+
+```
+sudo rsyslogd -nd
+```
+
+You may have to background the process to quit
+
diff --git a/examples/rsyslog/rsyslog.conf b/examples/rsyslog/rsyslog.conf
new file mode 100644
index 0000000..56fe1ad
--- /dev/null
+++ b/examples/rsyslog/rsyslog.conf
@@ -0,0 +1,53 @@
+# /etc/rsyslog.conf
+
+# modules
+
+module(load="imuxsock" sysSock.rateLimit.Interval="0")
+module(load="imklog" permitNonKernelFacility="on")
+module(load="imptcp")
+
+module(load="omprog")
+module(load="omrelp")
+
+module(
+ load="builtin:omfile"
+ template="RSYSLOG_TraditionalFileFormat"
+ fileOwner="syslog"
+ fileGroup="adm"
+ fileCreateMode="0644"
+ dirCreateMode="0755"
+)
+
+# global directives
+
+global (
+ parser.escapeControlCharactersCStyle="on"
+ parser.escapeControlCharactersOnReceive="on"
+ action.reportSuspensionContinuation="on"
+ maxMessageSize="1024k"
+ WorkDirectory="/var/spool/rsyslog"
+)
+
+main_queue(
+ queue.dequeueBatchSize="100000"
+ queue.fileName="main"
+ queue.size="100000"
+ queue.type="LinkedList"
+ queue.saveOnShutdown="on"
+ queue.maxFileSize="1g"
+)
+
+$RepeatedMsgReduction off
+$Umask 0022
+$PrivDropToUser syslog
+$PrivDropToGroup syslog
+
+# record process stats using
+# https://github.com/slackhq/go-rsyslog-pstats for more info
+#ruleset(name="pstats"){
+# action(type="omprog" name="pstats" binary="/usr/local/bin/go-rsyslog-pstats --port 8125")
+#}
+#module(load="impstats" interval="10" severity="7" format="json" ruleset="pstats")
+
+# Include all config files in /etc/rsyslog.d/
+$IncludeConfig /etc/rsyslog.d/*.conf
diff --git a/examples/streamstash/README.md b/examples/streamstash/README.md
new file mode 100644
index 0000000..312eef8
--- /dev/null
+++ b/examples/streamstash/README.md
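Review bot: `module(load="imuxsock" sysSock.rateLimit.Interval="0")` switches off per-process rate limiting for every local sender on /dev/log, but the audit events themselves never go through /dev/log — go-audit.yaml in this change writes to `/var/run/go-audit.sock`, served by the separate `imptcp` input in 01-go-audit.conf — so the setting does nothing for audit throughput and only removes the flood protection against a noisy or hostile local process filling `/var/log/syslog` and the on-disk main queue (`queue.maxFileSize="1g"`). If it was added for bursty `sshd`/`sudo` lines, record that in a comment such as `# rate limiting off: sudo/sshd bursts were being dropped; go-audit uses its own imptcp socket`; otherwise keep the default. The omfile default `fileCreateMode="0644"` also makes every file 50-default.conf creates world-readable; `0640` with the existing `fileGroup="adm"` is the usual Ubuntu posture and is what auth.log in particular needs.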
@@ -0,0 +1,43 @@
+## streamstash ##
+
+The following config will get `streamstash` handling events for the local machine. `go-audit`, `sshd`, and `sudo` logs
+will be parsed.
+
+An upstart config and systemd unit are provided as well
+
+
+### Things to install
+
+- [`nodejs`](https://nodejs.org/en/download/) - latest v4.x LTS is advised, should work on v6.x LTS
+
+On Ubuntu:
+
+```
+sudo apt install nodejs-legacy npm git
+```
+
+On Ubuntu 14.04:
+
+```
+# 14.04 ships with a very old version of node and npm so you'll need to update npm
+sudo npm install -g npm
+```
+
+To install `streamstash`
+
+```
+sudo npm install -g https://github.com/nbrownus/streamstash#2.0
+```
+
+Place the files:
+
+- [`streamstash.js`](./streamstash.js)
+- [`systemd.service`](./systemd.service) - if running `systemd`
+- [`upstart.conf`](./upstart.conf) - if running `upstart`
+
+Start or restart `streamstash`
+
+- 14.04 - `sudo start streamstash`
+- 16.04 - `sudo systemctl start streamstash.service`
+
+Logs will be sent to syslog, usually end up at `/var/log/syslog`
diff --git a/examples/streamstash/streamstash.js b/examples/streamstash/streamstash.js
new file mode 100644
index 0000000..f60d7d6
--- /dev/null
+++ b/examples/streamstash/streamstash.js
@@ -0,0 +1,94 @@
+// /etc/streamstash.js
+
+// Pause inputs if we have this many items in memory
+streamStash.highWatermark = 30000
+
+// Emit telemtry to statsite or statsd
+telemetry('localhost', 8125)
+
+// Listen for relp connections on localhost:5514
+addInputPlugin('relp', { host: '127.0.0.1', port: 5514 })
+
+// Send logs to elasticsearch on localhost:9200
+addOutputPlugin(
+ 'elasticsearch',
+ {
+ typeField: '_type',
+ timestampField: '@timestamp',
+ hostname: '127.0.0.1',
+ port: '9200',
+ batchSize: 500,
+ indexPrefix: 'streamstash'
+ }
+)
+
+// If you are having issues and want to make sure events are flowing you can uncomment the following line
+// and run streamstash in a terminal
+//addOutputPlugin('stdout')
+
+addFilter(function (event) {
+ // Only work with events that has a syslog object, which is probably everything
+ if (event.data.hasOwnProperty('syslog') === false) {
+ return event.next()
+ }
+
+ // Strip the pid from the service
+ if (matches = /(.*)\[([0-9]*)\]$/.exec(event.data.syslog.service)) {
+ event.data.syslog.service = matches[1]
+ event.data.syslog.service_pid = matches[2]
+ }
+
+ // Parse events from specific services
+ switch (event.data.syslog.service) {
+ case 'sshd':
+ StreamStash.parsers.sshdParser(event)
+ break
+
+ case 'sudo':
+ StreamStash.parsers.sudoParser(event)
+ break
+
+ case 'go-audit':
+ // If you get sick of seeing the unparsed 1305 messages in kibana, uncomment this line
+ // if (event.data.message.indexOf('"type":1305') >= 0) {
+ // return event.cancel()
+ // }
+
+ StreamStash.parsers.goAuditParser(event)
+ break
+
+ default:
+ // Puts the json document in a field named after the parsed syslog service
+ // This is an attempt to eliminate mapping conflicts in elasticsearch
+ StreamStash.parsers.jsonParser(event, '_type', false, event.data.syslog.service)
+ }
+
+ // Rename syslog specific things and drop useless to us fields
+ if (event.data.syslog.hasOwnProperty('facilityName')) {
+ event.data.syslog['facility'] = event.data.syslog.facilityName
+ delete event.data.syslog['facilityName']
+ }
+
+ if (event.data.syslog.hasOwnProperty('severityName')) {
+ event.data.syslog['severity'] = event.data.syslog.severityName
+ delete event.data.syslog['severityName']
+ }
+
+ if (event.data.syslog.hasOwnProperty('service')) {
+ event.data['_type'] = event.data.syslog.service
+ }
+
+ delete event.data.syslog['priority']
+
+ // Use the timestamp from the parsed data, if any
+ if (event.data.syslog.hasOwnProperty('timestamp')) {
+ event.data['@timestamp'] = event.data.syslog.timestamp
+ }
+
+ // Worst case use the timestamp from when the input received the event
+ if (event.data.hasOwnProperty('@timestamp') === false && event.data.event_source.hasOwnProperty('timestamp')) {
+ event.data['@timestamp'] = event.data.event_source.timestamp
+ }
+
+ event.next()
+})
diff --git a/examples/streamstash/systemd.service b/examples/streamstash/systemd.service
new file mode 100644
index 0000000..340fa0d
--- /dev/null
+++ b/examples/streamstash/systemd.service
@@ -0,0 +1,14 @@
+# /etc/systemd/system/streamstash.service
+[Unit]
+Description = streamstash
+After=network.target
+
+[Service]
+Type = simple
+# You may have to tweak the path to streamstash here
+ExecStart = /usr/local/lib/node_modules/streamstash/bin/streamstash /etc/streamstash.js
+User=nobody
+Group=nogroup
+
+[Install]
+WantedBy = multi-user.target
diff --git a/examples/streamstash/upstart.conf b/examples/streamstash/upstart.conf
new file mode 100644
index 0000000..67d90c5
--- /dev/null
+++ b/examples/streamstash/upstart.conf
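Review bot: `if (matches = /(.*)\[([0-9]*)\]$/.exec(event.data.syslog.service))` assigns to an undeclared `matches`, which in non-strict JavaScript creates a global shared by every invocation of the filter; it only works because the filter body is synchronous, and it reads like a typo for `===`. Declare it: `var matches = /(.*)\[([0-9]*)\]$/.exec(event.data.syslog.service)` followed by `if (matches) {`. More importantly for the pipeline, `event.data['_type'] = event.data.syslog.service` and the `jsonParser(event, '_type', false, event.data.syslog.service)` default branch turn the sender-chosen syslog tag into the Elasticsearch type and field name, so any local process can mint arbitrary types and fields in `streamstash-*` (mapping bloat, and a way to make noise look like `sshd` or `go-audit` output); an allow-list of expected service names with a fixed fallback type for unknown tags would bound that.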
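Review bot: `ExecStart` runs `/usr/local/lib/node_modules/streamstash/bin/streamstash` while the upstart job in this change runs `/usr/lib/node_modules/streamstash/bin/streamstash`; the README's `npm install -g` lands in one or the other depending on npm's prefix, so for any given host one of the two init files is wrong and the `# You may have to tweak the path` comment just documents the guess. Pick one path in both files, or tell the reader to check `npm root -g` and put that in the comment. The unit also has no `Restart=on-failure`, which the upstart job gets from `respawn`; without it a crash silently stops everything downstream of RELP 5514.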
@@ -0,0 +1,24 @@
+# /etc/init/streamstash.conf
+description "streamstash"
+
+start on runlevel [2345]
+stop on runlevel [!2345]
+
+respawn
+respawn limit 10 5
+
+kill timeout 32
+
+setuid nobody
+setgid nogroup
+
+script
+ set -e
+ rm -f "/tmp/streamstash.log"
+ mkfifo "/tmp/streamstash.log"
+ (setsid logger -t"streamstash" <"/tmp/streamstash.log" &)
+ exec >"/tmp/streamstash.log" 2>"/tmp/streamstash.log"
+ rm "/tmp/streamstash.log"
+
+ exec /usr/lib/node_modules/streamstash/bin/streamstash /etc/streamstash.js
+end script
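Review bot: The `script` block creates its fifo at the fixed path `/tmp/streamstash.log` while running as `nobody` (`setuid nobody`); any other local user who creates that name first makes `rm -f` fail (sticky /tmp) or `mkfifo` fail with EEXIST, `set -e` exits the job, and after `respawn limit 10 5` nothing is listening on RELP 5514 any more, so an unprivileged account can stop the whole forwarding chain from starting. Use an unpredictable name and let `mkfifo` be the atomic step: `fifo=$(mktemp -u /tmp/streamstash.XXXXXX)` then `mkfifo -m 0600 "$fifo"`, and reference `$fifo` in the `logger`, `exec` and `rm` lines. The `exec` path here (`/usr/lib/node_modules/...`) also differs from the systemd unit's `/usr/local/lib/node_modules/...`; the two should agree.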