Chostakovitch

Thank you for taking the time to work on a PR for Awesome-Sysadmin!

To ensure your PR is dealt with swiftly please check the following:

  • Your additions are Free software
  • Software you are submitting is not your own, unless you have a healthy ecosystem with a few contributors (which aren't your sock puppet accounts).
  • Submit one item per pull request. This eases reviewing and speeds up inclusion.
  • Format your submission as follows, where Demo and Clients are optional.
    Do not add a duplicate Source code link if it is the same as the main link.
    Keep the short description under 80 characters and use sentence case
    for it, even if the project's webpage or readme uses another capitalisation.
    Demo links should only be used for interactive demos, i.e. not video demonstrations.
    - [Name](http://homepage/) - Short description, under 250 characters, sentence case. ([Demo](http://url.to/demo), [Source Code](http://url.of/source/code), [Clients](https://url.to/list/of/related/clients-or-apps)) `License` `Language`
  • Additions are inserted preserving alphabetical order.
  • Additions are not already listed at awesome-selfhosted
  • The Language tag is the main server-side requirement for the software. Don't include frameworks or specific dialects.
  • You have searched the repository for any relevant issues or PRs, including closed ones.
  • Any category you are creating has the minimum requirement of 3 items.
  • Any software project you are adding to the list is actively maintained.
  • The pull request title is informative, unlike "Update README.md".
    Suggested titles: "Add aaa to bbb" for adding software aaa to section bbb,
    "Remove aaa from bbb" for removing, "Fix license for aaa", etc.

Please take some time to answer the following questions as best you can:

  • Why is it awesome?

It can replace most fail2ban setups with almost no configuration while being lightweight and efficient. It has additional defaults for matching IPs: management of v4 and v6, CIDR, etc. Besides that, it is very general-purpose and in the end is so flexible in its core concepts that users can be very creative. What reaction does could in theory be done with ad-hoc scripts, but it has simple yet powerful features: regexps, occurrence counting before action, delayed actions, persistence/replay, and it can be configured using Jsonnet, saving a lot of duplication.

  • Have you used it? For how long?

I have used it on every server I manage for almost a year, as a basic SSH ban tool, but also as a poor man's log alerting solution. And it's great: I really don't need Loki or other heavy log storage and analysis tools. I just need to watch docker or systemd logs for specific patterns and maybe send alerts.

  • Is this in a personal or professional setup?

Professional setups. Right now it is especially popular among French NGOs hosting FLOSS services.

  • How many devices/users/services/... do you manage with it?

Counting VMs and hypervisors, probably a few dozen. Some VMs have services with thousands of users, but I'm not sure it is relevant there.

  • Biggest pros/cons compared to other solutions?

Pros are definitely being lightweight, simple to start with, written in Rust, complete liberty about commands, good journaling, and a choice between YAML and Jsonnet.
The main con, imo, is the lack of specialized, native actions that would make some stuff way easier/more secure/more efficient, such as executing SQL queries, reporting to AbuseIP, sending messages to apprise, etc. (but a plugin system is being developed).

  • Any other comments about your use case, things you've found excellent, limitations you've encountered... ?

For now, reaction's behavior when using multiple named patterns in regexps is slightly counterintuitive, probably because the first use case was to match a single IP. But when it's clarified, and along with native/plugin actions, I think reaction will be a unique intermediate between ad-hoc/low-level monitoring and big monitoring stacks.

The community is slowly building and it is partially funded by NLNet, but it is hosted on a small forge and could benefit from wider contributions and opinions, especially because decisions about adding features and configuration options would have to be very cautious to keep its current "simple yet powerful" vibe. So I think it has its place there.

  • ⚠️ Conflict of interest

The main maintainer and I belong to the same FLOSS hosters collective known as CHATONS.

Have a nice day!
