{ "log-fetchers": { "loki-fileserver": { "type": "loki", "config": { "url-from-env": "{LOKI_URL}" } } }, "alert-managers": { "gotify-paris": { "type": "gotify", "config": { "url-from-env": "{GOTIFY_URL}", "token-from-env": "{GOTIFY_TOKEN}" } } }, "alerting-rules": { "ssh-outside": { "check-interval": 30, "log-fetcher": { "name": "loki-fileserver", "filters": { "labels": { "container": "openssh-server" }, "text": "Accepted" } }, "filters": [ { "type": "regexp", "config": { "match": "Accepted (?P<method>\\w+) for (?P<username>\\w+) from (?P<ip>[^\\s]+)" } }, { "type": "geolocation", "config": { "source-field": "ip" } } ], "alert-manager": { "name": "gotify-paris", "title": "Outside SSH login", "message": "New SSH login for {username} on {instance} from ip {ip} (country: {country}, provider: {isp}, method: {method})" } }, "ssh-local": { "check-interval": 30, "log-fetcher": { "name": "loki-fileserver", "filters": { "labels": { "filename": "/var/log/host/auth.log" }, "text": "Accepted" } }, "filters": [ { "type": "regexp", "config": { "match": "Accepted (?P<method>\\w+) for (?P<username>\\w+) from (?P<ip>[^\\s]+)" } } ], "alert-manager": { "name": "gotify-paris", "title": "Local SSH login", "message": "New SSH login for {username} on {instance} from ip {ip} (method: {method})" } } } }