Hi Justin,

On Tue, Sep 30, 2014 at 10:29:13AM -0400, Justin Kala wrote:
> 2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app sshd[11019]: [ID 800047 auth.notice] Failed password for root from 100.200.255.01 port 54438 ssh2
> 2014-09-28T14:03:46-04:00 abcdef01-app/abcdef01-app sshd[27420]: [ID 800047 auth.notice] Failed publickey for root from 100.200.255.02 port 59219 ssh2
> 2014-09-28T14:08:28-04:00 abcdef01-app/abcdef01-app sshd[3954]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 100.200.255.03 port 65410 ssh2
> 2014-09-28T14:10:11-04:00 abcdef01-app/abcdef01-app sshd[5222]: [ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
As it happens, these rules are already out there on GitHub; you can just grab them [1].

That being said, you'll have a slight problem, as you seem to be logging from Solaris machines, which unfortunately pollute the message with a msgid. You can either change the patterndb rules, or disable that IMHO useless feature by modifying /kernel/drv/log.conf and optionally using 'echo log_msgid/W0 | adb -kw' [2].

Hope this helps.

[1] https://github.com/balabit/syslog-ng-patterndb
[2] http://docs.oracle.com/cd/E19620-01/806-1650/6jau1364v/index.html
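As an added illustration of the msgid problem (example code, not from this thread or from the patterndb repository): a small Python parser that strips the optional Solaris `[ID nnnnnn facility.level]` prefix before matching the sshd failed-authentication message, run over constructed sample lines modelled on the ones quoted above. The fifth, non-Solaris line is an assumption added to show that the prefix must be treated as optional when hosts of both kinds feed the same collector.

```python
import re

# Constructed sample input, modelled on the Solaris sshd lines quoted in the
# thread. The last line is an assumed non-Solaris host without a msgid prefix.
SAMPLE_LOGS = """\
2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app sshd[11019]: [ID 800047 auth.notice] Failed password for root from 100.200.255.01 port 54438 ssh2
2014-09-28T14:03:46-04:00 abcdef01-app/abcdef01-app sshd[27420]: [ID 800047 auth.notice] Failed publickey for root from 100.200.255.02 port 59219 ssh2
2014-09-28T14:08:28-04:00 abcdef01-app/abcdef01-app sshd[3954]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 100.200.255.03 port 65410 ssh2
2014-09-28T14:10:11-04:00 abcdef01-app/abcdef01-app sshd[5222]: [ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
2014-09-28T14:15:02-04:00 linux-host sshd[777]: Failed password for invalid user admin from 100.200.255.04 port 40001 ssh2
"""

# Generic "timestamp host program[pid]: message" envelope.
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Solaris syslogd msgid prefix that pollutes the message body.
SOLARIS_MSGID_RE = re.compile(r"^\[ID (?P<msgid>\d+) (?P<facpri>[a-z0-9]+\.[a-z]+)\] ")
# OpenSSH failed-auth message; "invalid user" appears for unknown accounts.
FAILED_AUTH_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh2$"
)


def strip_solaris_msgid(msg):
    """Return (msgid, cleaned message); msgid is None when no prefix is present."""
    m = SOLARIS_MSGID_RE.match(msg)
    if not m:
        return None, msg
    return m.group("msgid"), msg[m.end():]


def parse_line(line):
    """Parse one sshd failed-auth line into a dict, or return None if it is not one."""
    env = SYSLOG_RE.match(line)
    if not env or env.group("prog") != "sshd":
        return None
    msgid, msg = strip_solaris_msgid(env.group("msg"))
    auth = FAILED_AUTH_RE.match(msg)
    if not auth:
        return None
    return {"ts": env.group("ts"), "host": env.group("host"), "msgid": msgid,
            "method": auth.group("method"), "user": auth.group("user"),
            "src": auth.group("src"), "port": int(auth.group("port"))}


def failed_logins_by_source(text):
    """Count failed sshd logins per source address across a block of log text."""
    counts = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            counts[ev["src"]] = counts.get(ev["src"], 0) + 1
    return counts
```

The libsldap line is dropped because, once the msgid is removed, it is not an sshd authentication failure; a patterndb rule would need the same optional-prefix handling to match both host types.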