NAME

trackalert - daemon to track and alert on long-term abuse trends for logins

SYNOPSIS

trackalert [OPTION]...

DESCRIPTION

trackalert implements a simple HTTP server that accepts JSON formatted commands that report successful/unsuccessful logins.

trackalert can act as both a client and server. As a server it typically runs under systemd control, although it can also be run as a traditional daemon or in `interactive' mode. As a client, it connects to a trackalert server and provides the same interactive commands.

trackalert is scriptable in Lua, see the trackalert.conf file for a simple example. In fact, all configuration is done using the Lua language, as trackalert.conf is simply a Lua script.

SCOPE

trackalert depends on a system to feed it login reports, which will typically be wforce (configured with a webhook that triggers only on “report”) integrated with it using the HTTP/JSON API.

OPTIONS

-c

Act as a client, connecting to a trackalert instance at the IP/Port specified in the `controlSocket' function in trackalert.conf. A custom configuration file can be specified.

-C,–config FILE

Load configuration from FILE. Note that trackalert will chdir to the directory where the configuration file is located.

-R,–regexes FILE

Read device parsing regexes from FILE (usually regexes.yaml).

-s

Run in foreground, but do not spawn a console. Use this switch to run trackalert inside a supervisor (use with e.g. systemd and daemontools).

-d,–daemon

Operate as a daemon.

-e,–execute CMD

Connect to trackalert and execute CMD.

-f,–facility FACILITY NAME

Log using the specified facility name, e.g. local0

-l,–loglevel <0-7>

Logs sent to stdout will be filtered according to the specified log level, matching the equivalent syslog level (0 - Emerg to 7 - Debug).

-h,–help

Display a helpful message and exit.

CONSOLE COMMANDS

The following commands can be run from the console when trackalert is started with the -c option.

•

makeKey() - Returns a string to be used in the setKey() function in trackalert.conf to authenticate sibling communications. All siblings must be configured with the same key.

•

stats() - Returns statistics about the trackalert process. For example:

•

showACL() - Returns the configured ACLs for the trackalert server.

•

showCustomWebHooks() - Returns information about configured custom webhooks. For example:

•

showPerfStats() - Returns information about performance statistics. Stats beginning with WTW refer to the time that worker threads waited in a queue before running. Stats beginning with WTR refer to the time that worker threads took to run. Each stat is in a bucket, where each bucket represents a time range in ms, e.g. 0-1. A server that is not overloaded will have most stats in the 0-1 buckets. For example:

•

showCommandStats() - Returns information about the number of REST API commands that have been called, including custom endpoints. Stats are for the previous 5 mins, and due to the counting method, may be approximate when the numbers get very large. For example:

•

showCustomStats() - Returns information about custom stats that are incremented from Lua. Stats are for the previous 5 mins, and due to the counting method, may be approximate when the numbers get very large. For example:

•

reloadGeoIPDBs() - Reload all GeoIP DBs that have been initialized. For example:

•

showVersion() - Returns the current version of the trackalert server. For example:

SEE ALSO

trackalert.conf(5) trackalert_api(7)

AUTHORS

Open-Xchange.