Won't the user login pattern only catch root logins because of uid=0?

<pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>

Couldn't it be changed to

<pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>

On Fri, Oct 29, 2010 at 7:45 AM, Peter Czanik <czanik@balabit.hu> wrote:
Hello,
Attached is a new version of login.pdb (called login2.pdb). It has patterns for many console/terminal/telnet login/logout events. This version should generate one set of name value pairs for each event, and only one.
If you use console/login/telnet for logins, please give it a try and let me know how it works for you. I found that there are some slight variations among messages even between different Ubuntu versions, so I'd like to see how these patterns work on a larger set of Linux distributions and UNIX revisions.
Thank you for your help,
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
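Added example, not part of the original thread or of login.pdb: a simplified Python emulation of how the two patterns quoted in the reply behave against pam_unix session messages. It handles only literal text and @ESTRING@ parsers and assumes the whole message must be consumed; the `match` helper and the sample log lines are constructed for illustration.

```python
import re

# One @ESTRING:name:delimiter@ parser; an empty name means "match but do not store".
ESTRING = re.compile(r"@ESTRING:([^:@]*):([^@]*)@")

# The two patterns from the reply, copied verbatim.
PATTERN_UID0 = ("pam_unix(login:session): session opened for user "
                "@ESTRING:usracct.username: @by @ESTRING::(@uid=0)")
PATTERN_ANY_UID = ("pam_unix(login:session): session opened for user "
                   "@ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@")

# Constructed sample messages (not taken from a real host).
SAMPLES = [
    "pam_unix(login:session): session opened for user alice by LOGIN(uid=0)",
    "pam_unix(login:session): session opened for user bob by LOGIN(uid=1000)",
]

def match(pattern, message):
    """Return the captured name-value pairs, or None when the pattern does not match."""
    values, pos, last = {}, 0, 0
    for tok in ESTRING.finditer(pattern):
        # Literal text before this parser must appear at the current position.
        literal = pattern[last:tok.start()]
        if not message.startswith(literal, pos):
            return None
        pos += len(literal)
        # ESTRING takes everything up to the delimiter and consumes the delimiter.
        name, delim = tok.groups()
        end = message.find(delim, pos)
        if end < 0:
            return None
        if name:
            values[name] = message[pos:end]
        pos = end + len(delim)
        last = tok.end()
    # Assumption: the trailing literal must equal the rest of the message exactly.
    return values if message[pos:] == pattern[last:] else None

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg)
        print("  uid=0 literal :", match(PATTERN_UID0, msg))
        print("  uid captured  :", match(PATTERN_ANY_UID, msg))
```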