On Tue, 2010-07-13 at 12:47 -0700, Anton Chuvakin wrote:
> My target, at first, is login/logout/login failure events. I'd start with a generic Linux installation and try to cover all applications that perform authentication.
> Some logouts + session ended's too:
> Jul 11 08:09:01 anton-linux CRON[24475]: pam_unix(cron:session): session closed for user root
This is a cron message, not an sshd message, so not strictly a user login/logout, though it could be interpreted as such.
> Apr 28 03:34:36 esx1 sshd(pam_unix)[9032]: session closed for user anton
Gee, reusing the program field just to make it more difficult. This means that we'd need several patterns for the program name field. Not difficult, just another reason to adjust the patterndb format.
> Just for fun:
> VMWare ESX login success
> Apr 27 01:01:12 esx1 /usr/lib/vmware/hostd/vmware-hostd[1479]: Accepted password for user root from 127.0.0.1
Nice. Thanks a lot, I'll add this somewhat later. I got distracted by other things. -- Bazsi
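The thread's point is that the program field of a syslog header is not a fixed token: the same "session closed" body arrives tagged as `CRON[pid]`, `sshd(pam_unix)[pid]`, or a full binary path like `/usr/lib/vmware/hostd/vmware-hostd[pid]`, and a cron PAM session is not a user login even though the body looks identical. The following is an added example, not code from this thread or from syslog-ng's patterndb: plain-Python regexes that normalise the program field and classify the three messages quoted above into login/logout events, flagging the cron session as non-interactive. The two extra OpenSSH lines (`Accepted publickey ...`, `Failed password ...`) are constructed samples in the standard OpenSSH format, added only to exercise the login-failure branch the original message asks for.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message".
# The program group is deliberately loose so it accepts "CRON",
# "sshd(pam_unix)" and full paths such as "/usr/lib/vmware/hostd/vmware-hostd".
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Message bodies: the pam_unix "(service:session): " prefix is optional because
# sshd(pam_unix) logs the bare body while CRON keeps the prefix.
MSG_PATTERNS = [
    ("session_closed", re.compile(
        r"^(?:pam_unix\((?P<service>[^:]+):session\): )?session closed for user (?P<user>\S+)$")),
    ("session_opened", re.compile(
        r"^(?:pam_unix\((?P<service>[^:]+):session\): )?session opened for user (?P<user>\S+)(?: by .*)?$")),
    # "for user root" (vmware-hostd) vs. "for anton" (OpenSSH); trailing " port N ssh2" optional.
    ("login_success", re.compile(
        r"^Accepted (?P<method>\S+) for (?:user )?(?P<user>\S+) from (?P<src>\S+)(?: port \d+)?(?: \S+)?$")),
    ("login_failure", re.compile(
        r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)(?: port \d+)?(?: \S+)?$")),
]

# Services whose PAM sessions are scheduler/system activity rather than a person logging in.
NON_INTERACTIVE_SERVICES = {"cron", "crond"}


@dataclass
class AuthEvent:
    kind: str            # session_opened / session_closed / login_success / login_failure
    host: str
    program: str         # normalised: "sshd", "CRON", "vmware-hostd"
    user: str
    service: str         # PAM service when pam_unix tagged it, else the program name
    src: Optional[str]   # source address for login events
    interactive: bool    # False for cron and similar system sessions


def normalize_program(program: str) -> Tuple[str, Optional[str]]:
    """Split 'sshd(pam_unix)' into ('sshd', 'pam_unix') and reduce a path to its basename."""
    m = re.match(r"^(?P<name>[^(]+)(?:\((?P<module>[^)]+)\))?$", program)
    if not m:
        return program, None
    return m.group("name").rsplit("/", 1)[-1], m.group("module")


def parse_auth_event(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for a login/logout/failure line, or None for anything else."""
    h = HEADER_RE.match(line)
    if not h:
        return None
    program, _module = normalize_program(h.group("program"))
    for kind, pat in MSG_PATTERNS:
        m = pat.match(h.group("msg"))
        if not m:
            continue
        fields = m.groupdict()
        service = (fields.get("service") or program).lower()
        return AuthEvent(
            kind=kind,
            host=h.group("host"),
            program=program,
            user=fields["user"],
            service=service,
            src=fields.get("src"),
            interactive=service not in NON_INTERACTIVE_SERVICES,
        )
    return None


def count_kinds(lines: List[str], interactive_only: bool = True) -> Dict[str, int]:
    """Tally event kinds across lines; by default cron/system sessions are left out."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_auth_event(line)
        if ev is None or (interactive_only and not ev.interactive):
            continue
        counts[ev.kind] = counts.get(ev.kind, 0) + 1
    return counts


# The first three lines are the ones quoted in the thread; the last two are constructed OpenSSH samples.
SAMPLE_LINES = [
    "Jul 11 08:09:01 anton-linux CRON[24475]: pam_unix(cron:session): session closed for user root",
    "Apr 28 03:34:36 esx1 sshd(pam_unix)[9032]: session closed for user anton",
    "Apr 27 01:01:12 esx1 /usr/lib/vmware/hostd/vmware-hostd[1479]: Accepted password for user root from 127.0.0.1",
    "Apr 28 03:30:02 esx1 sshd[9030]: Accepted publickey for anton from 10.0.0.5 port 50022 ssh2",
    "Apr 28 03:31:47 esx1 sshd[9031]: Failed password for invalid user admin from 10.0.0.9 port 4022 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_auth_event(line))
    print(count_kinds(SAMPLE_LINES))
```

Splitting the header match from the body match is what lets one body pattern serve several program spellings; in patterndb the equivalent is keeping the program matcher separate from the message pattern, which is the adjustment the reply above is describing.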