On Tue, 2010-07-13 at 17:12 -0600, Patrick H. wrote:
Sent: Tuesday, July 13, 2010 5:25:13 AM
From: Balazs Scheidler <bazsi@balabit.hu>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] patterndb: collect login/logout samples
Hi,
After getting the generic patterndb policy into shape, I'd like to start collecting log samples, preferably in a domain that is useful for everyone.
My target at first is login/logout/login failure events. I'd start with a generic Linux installation and try to cover all applications that perform authentication.
I took a look at that pdb format and was lost. I'll probably learn it eventually, but would just make a mess of it if I tried now. But here are a lot of examples that haven't been provided yet. All messages were generated from RHEL 5 servers.

ssh netgroup restricted login (user is valid):
Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Invalid user phemmer from 165.212.225.134
Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Failed none for invalid user phemmer from 165.212.225.134 port 49528 ssh2

ssh tcpwrapper (/etc/hosts.deny) restricted login:
Jul 13 23:02:57 admin02.cms.usa.net sshd[7442]: refused connect from 165.212.15.221 (165.212.15.221)
-------------------
su valid login:
Jul 13 22:47:07 admin02.cms.usa.net su: pam_unix(su:session): session opened for user root by phemmer(uid=8129)

su bad pass:
Jul 13 22:31:07 admin02.cms.usa.net su: pam_unix(su:auth): authentication failure; logname=phemmer uid=8129 euid=0 tty=pts/13 ruser=phemmer rhost= user=root

su bad user generates no message

su log out:
Jul 13 23:07:13 admin02.cms.usa.net su: pam_unix(su:session): session closed for user root
Thanks for your submission. I've added su events to:

commit 5e38f9dab2a89e8839829f7740485784accb3baa
Author: Balazs Scheidler <bazsi@balabit.hu>
Date: Mon Jul 26 18:01:27 2010 +0200

    su: added su login/logout/failure rules

    This patch covers su on Linux with PAM.

    Submitted-By: Patrick H.

The others I still have to mark up. Anyone who could perhaps give a hand at marking up the patterns that Patrick submitted? Would be appreciated.

--
Bazsi
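A small classifier for the six sample lines Patrick posted, as an added example that is not part of this thread or of syslog-ng's patterndb: it uses plain regular expressions rather than the pdb format, and the event names (ssh_login_failure, su_login, and so on) are assumptions of mine, chosen to mirror the login/logout/failure split Bazsi is collecting for. The sample lines are constructed copies of the ones quoted above.

```python
import re

# Constructed copies of the RHEL 5 samples quoted in the thread.
SAMPLE_LOGS = [
    "Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Invalid user phemmer from 165.212.225.134",
    "Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Failed none for invalid user phemmer from 165.212.225.134 port 49528 ssh2",
    "Jul 13 23:02:57 admin02.cms.usa.net sshd[7442]: refused connect from 165.212.15.221 (165.212.15.221)",
    "Jul 13 22:47:07 admin02.cms.usa.net su: pam_unix(su:session): session opened for user root by phemmer(uid=8129)",
    "Jul 13 22:31:07 admin02.cms.usa.net su: pam_unix(su:auth): authentication failure; logname=phemmer uid=8129 euid=0 tty=pts/13 ruser=phemmer rhost= user=root",
    "Jul 13 23:07:13 admin02.cms.usa.net su: pam_unix(su:session): session closed for user root",
]

# BSD syslog header: "<timestamp> <host> <program>[<pid>]: <message>"; the pid part is optional (su has none).
HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# (program, message pattern, event name): one rule per sample. Event names are my own (assumed).
RULES = [
    ("sshd", r"^Invalid user (?P<user>\S+) from (?P<src>\S+)$", "ssh_login_failure"),
    ("sshd", r"^Failed (?P<method>\S+) for invalid user (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)", "ssh_login_failure"),
    ("sshd", r"^refused connect from (?P<src>\S+) \(", "ssh_connect_refused"),
    ("su", r"^pam_unix\(su:session\): session opened for user (?P<user>\S+) by (?P<by>[^(]+)\(uid=(?P<uid>\d+)\)$", "su_login"),
    ("su", r"^pam_unix\(su:auth\): authentication failure; (?P<kv>.+)$", "su_login_failure"),
    ("su", r"^pam_unix\(su:session\): session closed for user (?P<user>\S+)$", "su_logout"),
]
COMPILED = [(prog, re.compile(rx), event) for prog, rx, event in RULES]


def classify(line):
    """Return {'event': ..., 'host': ..., 'program': ..., <extracted fields>} or None if no rule matches."""
    h = HEADER.match(line)
    if not h:
        return None
    for program, rx, event in COMPILED:
        if h.group("program") != program:
            continue
        m = rx.match(h.group("msg"))
        if not m:
            continue
        fields = {"event": event, "host": h.group("host"), "program": program}
        fields.update(m.groupdict())
        # PAM's "key=value" tail: rhost= is legitimately empty for a local su, so keep it as "".
        if "kv" in fields:
            for token in fields.pop("kv").split():
                key, _, value = token.partition("=")
                fields[key] = value
        return fields
    return None


def classify_all(lines):
    """Classify every line; unknown lines come back as None so gaps in coverage are visible."""
    return [classify(line) for line in lines]
```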