feat(collector): drop native unix daemon syslog from ingestion

sshd, pam_unix, sudo, CRON, systemd, kernel, rsyslogd, and dbus-daemon
all share the SSH/telnet decky containers and write to the same syslog
socket as DECNET's own emitters. Their output was being parsed and
ingested into the JSON stream, the dashboard, and the profiler — pure
noise: sshd's "Failed password for root from X" duplicates the
auth-helper's structured auth_attempt event, pam_unix repeats it again,
CRON/systemd say nothing about attacker behavior.

Drop these APP-NAMEs in _should_ingest before the JSON write and bus
publish. Raw .log file still captures everything for forensics. The
denylist is overridable with DECNET_COLLECTOR_DROP_APPS so operators
can extend it without code changes.

This commit is contained in:

anti

2026-04-28 19:21:39 -04:00

parent 6055f9c837

commit 88f276e9e7

8 changed files with 134 additions and 3 deletions

									
										3

artifacts/wget.sh
									
										Normal file
									
												View File
												
				@@ -0,0 +1,3 @@

				[0] Downloading 'http://31.56.209.39/wget.sh' ...

				Saving 'wget.sh.1'

				HTTP response 200 OK [http://31.56.209.39/wget.sh]

feat(collector): drop native unix daemon syslog from ingestion

3 artifacts/wget.sh Normal file Unescape Escape View File

3

artifacts/wget.sh Normal file

View File