<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#0050d0">
Sent: Tuesday, July 13, 2010 5:25:13 AM<br>
From: Balazs Scheidler <a class="moz-txt-link-rfc2396E" href="mailto:bazsi@balabit.hu"><bazsi@balabit.hu></a><br>
To: <a class="moz-txt-link-abbreviated" href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a> <br>
Subject: [syslog-ng] patterndb: collect login/logout samples
<blockquote cite="mid:1279020313.18207.116.camel@bzorp.lan" type="cite">
<pre wrap="">Hi,
After getting the generic patterndb policy into shape, I'd like to start
collecting log samples, preferably in a domain that is useful for
everyone.
My target is at first is login/logout/login failure events. I'd start
with a generic Linux installation and try to cover all applications that
perform authentication.
</pre>
</blockquote>
I took a look at that pdb format and was lost. I'll probably learn it
eventually, but would just make a mess of it if I tried now. But here
are a lot of examples that havent been provided yet.<br>
All messages were generated from RHEL 5 servers<br>
<br>
ssh netgroup restricted login (user is valid):<br>
Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Invalid user phemmer
from 165.212.225.134<br>
Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Failed none for invalid
user phemmer from 165.212.225.134 port 49528 ssh2<br>
<br>
ssh tcpwrapper (/etc/hosts.deny) restricted login:<br>
Jul 13 23:02:57 admin02.cms.usa.net sshd[7442]: refused connect from
165.212.15.221 (165.212.15.221)<br>
<br>
-------------------<br>
<br>
su valid login:<br>
Jul 13 22:47:07 admin02.cms.usa.net su: pam_unix(su:session): session
opened for user root by phemmer(uid=8129)<br>
<br>
su bad pass:<br>
Jul 13 22:31:07 admin02.cms.usa.net su: pam_unix(su:auth):
authentication failure; logname=phemmer uid=8129 euid=0 tty=pts/13
ruser=phemmer rhost= user=root<br>
<br>
su bad user generates no message<br>
<br>
su log out:<br>
Jul 13 23:07:13 admin02.cms.usa.net su: pam_unix(su:session): session
closed for user root<br>
<br>
-------------------<br>
<br>
sudo valid login:<br>
Jul 13 22:46:46 : phemmer : HOST=admin02 : TTY=pts/13 ;
PWD=/home/phemmer ; USER=root ; COMMAND=/bin/ls<br>
<br>
sudo bad pass:<br>
Jul 13 22:33:53 admin02.cms.usa.net sudo: pam_unix(sudo:auth):
authentication failure; logname=phemmer uid=0 euid=0 tty=/dev/pts/13
ruser= rhost= user=phemmer<br>
Jul 13 22:34:05 admin02.cms.usa.net sudo: phemmer : 3 incorrect
password attempts ; TTY=pts/13 ; PWD=/home/phemmer ; USER=root ;
COMMAND=/bin/ls<br>
<br>
sudo bad user:<br>
Jul 13 22:41:13 admin02.cms.usa.net sudo: phemmer : no passwd entry
for asdfh!<br>
<br>
-------------------<br>
<br>
serial console valid login:<br>
Jul 13 22:46:02 admin02.cms.usa.net login: pam_unix(login:session):
session opened for user root by LOGIN(uid=0)<br>
Jul 13 22:46:02 admin02.cms.usa.net login: DIALUP AT ttyS1 BY root<br>
Jul 13 22:46:02 admin02.cms.usa.net login: ROOT LOGIN ON ttyS1<br>
<br>
serial console bad pass:<br>
Jul 13 22:38:34 admin02.cms.usa.net login: FAILED LOGIN 1 FROM (null)
FOR root, Authentication failure<br>
<br>
serial console bad user:<br>
Jul 13 22:38:56 admin02.cms.usa.net login: pam_unix(login:auth): check
pass; user unknown<br>
Jul 13 22:38:56 admin02.cms.usa.net login: pam_unix(login:auth):
authentication failure; logname=LOGIN uid=0 euid=0 tty=ttyS1 ruser=
rhost=<br>
Jul 13 22:38:56 admin02.cms.usa.net login: pam_succeed_if(login:auth):
error retrieving information about user asdfjh<br>
Jul 13 22:38:57 admin02.cms.usa.net login: FAILED LOGIN 2 FROM (null)
FOR asdfjh, User not known to the underlying authentication module<br>
<br>
serial console logout:<br>
Jul 13 23:06:29 admin02.cms.usa.net login: pam_unix(login:session):
session closed for user root<br>
<br>
-------------------<br>
<br>
physical console valid login:<br>
Jul 13 22:42:54 localhost login: ROOT LOGIN ON tty1<br>
<br>
physical console bad pass:<br>
Jul 13 22:44:30 localhost login: pam_unix(login:auth): authentication
failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=root<br>
Jul 13 22:44:32 localhost login: FAILED LOGIN 1 FROM (null) FOR root,
Authentication failure<br>
<br>
physical console bad user:<br>
Jul 13 22:44:57 localhost login: pam_unix(login:auth): check pass; user
unknown<br>
Jul 13 22:44:57 localhost login: pam_unix(login:auth): authentication
failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=<br>
Jul 13 22:44:57 localhost login: pam_succeed_if(login:auth): error
retrieving information about user shdga<br>
Jul 13 22:44:59 localhost login: FAILED LOGIN 2 FROM (null) FOR shdga,
User not known to the underlying authentication module<br>
<br>
physical console logout:<br>
Jul 13 23:08:28 localhost login: pam_unix(login:session): session
closed for user root<br>
<br>
-------------------<br>
<br>
VMware server messages are the exact same for both remote console
application and web UI.<br>
<br>
vmware server valid login:<br>
Jul 13 22:53:49 vmware02 Hostd: Accepted password for user root from
127.0.0.1<br>
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.705 'Vimsvc'
1098422592 info] [Auth]: User root<br>
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.706 'ha-eventmgr'
1098422592 info] Event 3 : User <a class="moz-txt-link-abbreviated" href="mailto:root@127.0.0.1">root@127.0.0.1</a> logged in<br>
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.706
'PropertyProvider' 1098422592 verbose] RecordOp ASSIGN: latestEvent,
ha-eventmgr<br>
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.706
'PropertyProvider' 1098422592 verbose] RecordOp ADD:
sessionList["52efdf57-6fa9-a095-a7d3-48ef63421e73"], ha-sessionmgr<br>
<br>
vmware server bad user:<br>
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.677 'ha-eventmgr'
47473126103232 info] Event 2 : Failed login attempt for <a class="moz-txt-link-abbreviated" href="mailto:asdf@127.0.0.1">asdf@127.0.0.1</a><br>
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.677
'PropertyProvider' 47473126103232 verbose] RecordOp ASSIGN:
latestEvent, ha-eventmgr<br>
Jul 13 22:53:15 vmware02 Hostd: Rejected password for user asdf from
127.0.0.1<br>
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.677 'Vmomi'
47473126103232 info] Activation [N5Vmomi10ActivationE:0xe5eedc0] :
Invoke done [login] on [vim.SessionManager:ha-sessionmgr]<br>
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.678 'Vmomi'
47473126103232 info] Throw vim.fault.InvalidLogin<br>
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.678 'Vmomi'
47473126103232 info] Result:<br>
Jul 13 22:53:15 vmware02 Hostd: (vim.fault.InvalidLogin) {
dynamicType = <unset>, msg = "" }<br>
Jul 13 22:53:15 vmware02 Hostd:<br>
<br>
vmware server bad pass:<br>
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.215 'ha-eventmgr'
1086609728 info] Event 1 : Failed login attempt for <a class="moz-txt-link-abbreviated" href="mailto:root@127.0.0.1">root@127.0.0.1</a><br>
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.215
'PropertyProvider' 1086609728 verbose] RecordOp ASSIGN: latestEvent,
ha-eventmgr<br>
Jul 13 22:51:47 vmware02 Hostd: Rejected password for user root from
127.0.0.1<br>
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.216 'Vmomi'
1086609728 info] Activation [N5Vmomi10ActivationE:0xe5e3a80] : Invoke
done [login] on [vim.SessionManager:ha-sessionmgr]<br>
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.216 'Vmomi'
1086609728 info] Throw vim.fault.InvalidLogin<br>
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.216 'Vmomi'
1086609728 info] Result:<br>
Jul 13 22:51:47 vmware02 Hostd: (vim.fault.InvalidLogin) {
dynamicType = <unset>, msg = "" }<br>
Jul 13 22:51:47 vmware02 Hostd:<br>
<br>
vmware server no permissions:<br>
Jul 13 22:54:27 vmware02 Hostd: Accepted password for user phemmer from
127.0.0.1<br>
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.905 'Vimsvc'
1098688832 info] [Auth]: User phemmer<br>
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.906 'ha-eventmgr'
1098688832 info] Event 4 : Failed to login user <a class="moz-txt-link-abbreviated" href="mailto:phemmer@127.0.0.1:">phemmer@127.0.0.1:</a> No
permission<br>
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.906
'PropertyProvider' 1098688832 verbose] RecordOp ASSIGN: latestEvent,
ha-eventmgr<br>
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.906 'Vmomi'
1098688832 info] Activation [N5Vmomi10ActivationE:0xe86bd80] : Invoke
done [login] on [vim.SessionManager:ha-sessionmgr]<br>
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.907 'Vmomi'
1098688832 info] Throw vim.fault.NoPermission<br>
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.907 'Vmomi'
1098688832 info] Result:<br>
Jul 13 22:54:27 vmware02 Hostd: (vim.fault.NoPermission) {
dynamicType = <unset>, object =
'vim.Folder:ha-folder-root', privilegeId = "System.View", msg =
"" }<br>
Jul 13 22:54:27 vmware02 Hostd:<br>
</body>
</html>