Hello,

On 09/23/2010 06:07 PM, Peter Czanik wrote:
Hello,
Attached are the vsftpd login/login failure events I found. There was no trace of logout in the logs.
One more rule, for a situation not addressed yesterday: invalid username:

HOST=linux-6y8u
MESSAGE=gkr-pam: error looking up user information for: asdf
PROGRAM=vsftpd
PID=1
LEGACY_MSGHDR=vsftpd[1]:
.classifier.class=system
.classifier.rule_id=ac8c7834-c7d5-11df-bb3c-000c298c9ba2
usracct.username=asdf
usracct.type=login
usracct.sessionid=1
usracct.application=vsftpd
secevt.verdict=REJECT

<rule provider="patterndb" id="ac8c7834-c7d5-11df-bb3c-000c298c9ba2" class="system">
  <patterns>
    <pattern>gkr-pam: error looking up user information for: @ANYSTRING:usracct.username@</pattern>
  </patterns>
  <examples>
    <example>
      <test_message>gkr-pam: error looking up user information for: asdf</test_message>
      <test_values>
        <test_value name="usracct.username">asdf</test_value>
      </test_values>
    </example>
  </examples>
  <values>
    <value name="usracct.type">login</value>
    <value name="usracct.sessionid">$PID</value>
    <value name="usracct.application">$PROGRAM</value>
    <value name="secevt.verdict">REJECT</value>
  </values>
  <tags>
    <tag>usracct</tag>
    <tag>secevt</tag>
  </tags>
</rule>

Bye,
-- 
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
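
The check below is an added example, not part of the original message and not syslog-ng code: it runs the rule's own test message through a simplified matcher that understands only @ANYSTRING@ and $MACRO substitution, and returns the name-value pairs the rule yields. The function names and the macro dictionary are assumptions made for the illustration. Because @ANYSTRING@ takes the rest of the message, whatever the client sent as a user name ends up unmodified in usracct.username.

```python
import re
import xml.etree.ElementTree as ET

# The rule from the message above (tags omitted), embedded so the check runs offline.
RULE_XML = """<rule provider="patterndb" id="ac8c7834-c7d5-11df-bb3c-000c298c9ba2" class="system">
 <patterns><pattern>gkr-pam: error looking up user information for: @ANYSTRING:usracct.username@</pattern></patterns>
 <examples><example>
  <test_message>gkr-pam: error looking up user information for: asdf</test_message>
  <test_values><test_value name="usracct.username">asdf</test_value></test_values>
 </example></examples>
 <values>
  <value name="usracct.type">login</value>
  <value name="usracct.sessionid">$PID</value>
  <value name="usracct.application">$PROGRAM</value>
  <value name="secevt.verdict">REJECT</value>
 </values>
</rule>"""
RULE = ET.fromstring(RULE_XML)
# Simplification: only the @ANYSTRING:name@ parser is modelled here.
PARSER = re.compile(r"@ANYSTRING:([^@]+)@")

def compile_pattern(pattern):
    """Literal text must match verbatim; each ANYSTRING parser captures what follows."""
    parts = PARSER.split(pattern)  # [literal, name, literal, ...]
    regex = "(.*)".join(re.escape(lit) for lit in parts[0::2])
    return re.compile(regex, re.DOTALL), parts[1::2]

def classify(rule, message, macros):
    """Return the name-value pairs the rule sets, or None when no pattern matches."""
    for pat in rule.iter("pattern"):
        regex, names = compile_pattern(pat.text)
        m = regex.fullmatch(message)
        if m:
            result = dict(zip(names, m.groups()))
            for v in rule.iter("value"):
                # Resolve $PID / $PROGRAM from the parsed message header fields.
                result[v.get("name")] = re.sub(r"\$(\w+)", lambda x: macros[x.group(1)], v.text)
            return result
    return None

def failed_examples(rule, macros):
    """Check every <example> in the rule; return (name, expected, got) for mismatches."""
    failures = []
    for ex in rule.iter("example"):
        got = classify(rule, ex.findtext("test_message"), macros) or {}
        for tv in ex.iter("test_value"):
            if got.get(tv.get("name")) != tv.text:
                failures.append((tv.get("name"), tv.text, got.get(tv.get("name"))))
    return failures
```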