Nuhe is

a rule based log monitoring system, which is capable of action when rules are matched againsts log(s) activity. Default Nuhe mode is to run on background (daemon), but it can also be used in foreground and log analyzer mode. Log analyzer mode just analyzes given logs and prints results to stdout; no action is taken when Nuhe is in analyzer mode.

Motive for

Nuhe development started from security point of view and one purpose is to use it as a intrusion protection system that can react against certain kind of log activity. You can also use Nuhe as a vanilla "log filtering" system, that detects events from logs, logs them, but does not react against them.

One example

of Nuhe usage is to use rule that detects multiple SSH connection attemps and drops IP address (e.g. with Linux iptables) where connections are coming. Nuhe is very handy in this situation, because user can configure it to ignore important IP addresses, so they're not blocked by firewall and specify events to be indentified only by IP address information. With that rule and action handler user can paralyze brute force attacks.

However Nuhe

can be described as a general rule based monitoring system which can run system commands in phases based on time and event criteria and hopefully this gives many areas of use for it.

Nuhe  Enterprise Resource Planning System ERP


Configuration file

Default rule files

Saved pending events:

Private key:


Trusted CA file:

Logging file:

Pid file


Default rule files for Nuhe are:
general.rules general purpose rules
openssh.rules OpenSSH specific rules
iptables.rules Linux iptables specific rules

You can modify and add rules or add new rule files in nuhed.conf. Rule is composed of action handler name, Pcre regular expression pattern and description fields. For more information see Nuhe Man page.



Version 0.06 is available
download it here.
MD5 checksum 4c08a59908e5db54b56ec73ef77fccb9


Version 0.06
  • Fixed bug that prevented node manager thread pool to not grow when pool size was under maximum size but all threads were occupied.
  • Fixed cleaning up bug that caused crash when Nuhe sensor runs with configuration file backup in DEFUNC state.
  • Also other fixes and improvements.
  • Added imap4 and pop3 ruleset and fixed ftpd ruleset.