LMF is a highly adaptable log monitoring framework that lets users search log files for specific text patterns.
Each rule can also carry a duration: once the rule has been triggered and the duration has expired, an optional external command (the release) is run. A good example is the [SSH - Too many login failures] rule for file = /var/log/secure. It dynamically blocks, for ten minutes, the IP address of a client that attempts to log into the server over SSH with a single username more than four times in 1 minute.
LMF's pattern matching is very flexible: users can identify specific log activity patterns using capturing parentheses, and the text captured from a live match is available to the rule's trigger, message, and release.
The configuration system is equally flexible: at startup LMF reads every file in its configuration directory that ends in .conf, much as Apache on Linux reads configuration files placed in /etc/httpd/conf.d/.
The latest release of LMF adds several features, including integration code that whitelists any IP addresses or CIDR subnets listed in APF's allow_hosts.rules config file. An iptables.conf rule file has also been added; it contains a basic port-scanning rule that matches iptables log output.
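The rule mechanics described above (a pattern with capturing groups, a threshold within a time window, a timed release, and an allow list of IPs or CIDRs) are modelled in Python below as an added example. This is not LMF's code or its configuration syntax; the rule values, log lines and allow-list entries are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical rule modelled on the page's SSH example: the fifth failure for one
# (user, ip) pair inside 60 s triggers a block; the release fires 600 s later.
PATTERN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
COUNT, WINDOW, DURATION = 5, 60, 600
# Constructed allow list in the spirit of APF's allow_hosts.rules (IPs or CIDRs).
ALLOW_HOSTS = ["10.0.0.0/8", "192.168.1.25"]

class Monitor:
    def __init__(self, allow=ALLOW_HOSTS):
        # Plain IPs become /32 networks so one membership test covers both forms.
        self.allow = [ipaddress.ip_network(e, strict=False) for e in allow]
        self.hits = defaultdict(list)  # (user, ip) -> match times in window
        self.blocked = {}              # ip -> time at which the release fires

    def whitelisted(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.allow)

    def feed(self, now, line):
        """Process one log line seen at time `now` (s); return actions to run."""
        actions = []
        for ip in [i for i, t in self.blocked.items() if now >= t]:
            del self.blocked[ip]            # duration expired: run the release
            actions.append(("release", ip))
        m = PATTERN.search(line)
        if not m or self.whitelisted(m["ip"]) or m["ip"] in self.blocked:
            return actions
        key = (m["user"], m["ip"])
        recent = [t for t in self.hits[key] if now - t <= WINDOW] + [now]
        if len(recent) >= COUNT:
            self.blocked[m["ip"]] = now + DURATION
            actions.append(("trigger", m["ip"]))
            recent = []
        self.hits[key] = recent
        return actions

def demo():
    """Replay constructed sshd-style lines (not real log data); return actions."""
    fail = "Failed password for {} from {} port 22 ssh2".format
    events = [(i * 10, fail("root", "203.0.113.7")) for i in range(5)]  # 5 in 40 s
    events += [(50 + i, fail("root", "10.1.2.3")) for i in range(6)]    # allow-listed
    events += [(700, "Accepted publickey for ops from 192.168.1.25")]   # 10 min later
    mon, out = Monitor(), []
    for now, line in events:
        out.extend(mon.feed(now, line))
    return out
```

In a real deployment the ("trigger", ip) and ("release", ip) actions would be mapped to the block and unblock commands of the firewall front end in use; here they are returned so the behaviour can be checked.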
Overall, LMF is a very flexible and powerful log monitoring framework, well suited to tracking specific activity patterns, blocking IP addresses, and preventing brute-force attacks. Anyone looking for a top-tier software solution should consider giving LMF a try.
Version 0.5: N/A