On Tue, 2010-07-13 at 17:12 -0600, Patrick H. wrote:
Sent: Tuesday, July 13, 2010 5:25:13 AM
From: Balazs Scheidler <bazsi@balabit.hu>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] patterndb: collect login/logout samples
Hi,
After getting the generic patterndb policy into shape, I'd like to start collecting log samples, preferably in a domain that is useful for everyone.
My target is at first is login/logout/login failure events. I'd start with a generic Linux installation and try to cover all applications that perform authentication.
I took a look at that pdb format and was lost. I'll probably learn it eventually, but would just make a mess of it if I tried now. But here are a lot of examples that haven't been provided yet. All messages were generated from RHEL 5 servers.
ssh netgroup restricted login (user is valid):
Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Invalid user phemmer from 165.212.225.134
Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Failed none for invalid user phemmer from 165.212.225.134 port 49528 ssh2
We're using the 2nd log message to identify the login event; the first is just additional information that would need to be associated with the 2nd via correlation, which we don't have right now. The 2nd form however is covered by the already existing rules.
ssh tcpwrapper (/etc/hosts.deny) restricted login:
Jul 13 23:02:57 admin02.cms.usa.net sshd[7442]: refused connect from 165.212.15.221 (165.212.15.221)
This is interesting, however it is not a login event. It is more like a firewall event (e.g. flowevt + secevt in the current schema model), however port information is missing, so it doesn't contain the complete tuple. Anyway, it could perhaps be possible to categorize this under the flowevt schema, but I don't want to open that can of worms yet :)
-------------------
su valid login:
Jul 13 22:47:07 admin02.cms.usa.net su: pam_unix(su:session): session opened for user root by phemmer(uid=8129)
Jul 13 22:54:27 vmware02 Hostd:
thanks, these are useful, I just need to get some sleep now. Will get these marked up tomorrow. -- Bazsi