On Thu, 2010-07-15 at 16:56 +0200, Balazs Scheidler wrote:
On Tue, 2010-07-13 at 12:47 -0700, Anton Chuvakin wrote:
My target at first is login/logout/login failure events. I'd start with a generic Linux installation and try to cover all applications that perform authentication.
Some logouts + session ended's too:
Jul 11 08:09:01 anton-linux CRON[24475]: pam_unix(cron:session): session closed for user root
This is a cron message, not an sshd message, so not strictly a user login/logout, though it could be interpreted as such.
Apr 28 03:34:36 esx1 sshd(pam_unix)[9032]: session closed for user anton
gee, reusing the program field, just to make it more difficult. This means that we'd need several patterns for the program name field. Not difficult, just another reason to adjust the patterndb format.
Talked to Marci about this one. patterndb seems to do a prefix match, so our 'sshd' rule will match just fine. Anyway, the ability to specify multiple patterns for the ruleset will probably be needed. Also, if the pam_unix part is not in the message, but rather in the program name field, then we need to add this as a separate rule. Here it comes: + <rule provider="patterndb" id="a2f96b71-6c5e-413e-92c2-75e9d66c0119" class="system"> + <patterns> + <pattern>session closed for user @ANYSTRING:usracct.username:@</pattern> + </patterns> + <examples> + <example> + <test_message program="sshd(pam_unix)">session closed for user bazsi</test_message> + <test_values> + <test_value name="usracct.username">bazsi</test_value> + </test_values> + </example> + </examples> + <values> + <value name="usracct.type">logout</value> + <value name="usracct.sessionid">$PID</value> + <value name="usracct.application">$PROGRAM</value> + </values> + <tags> + <tag>usracct</tag> + </tags> + </rule>
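Review bot: the rule's only example uses program="sshd(pam_unix)", but the enclosing ruleset and its program pattern are not shown, and the reply itself says it only "seems" that patterndb does a prefix match of 'sshd' against 'sshd(pam_unix)'; please state which ruleset this rule is added to (or add a second program pattern for 'sshd(pam_unix)' as the reply suggests the format should allow), otherwise the test_message may never reach this pattern. A smaller point on the pattern line: @ANYSTRING:usracct.username:@ consumes everything to the end of the message, which is correct for this message shape, but any trailing text after the user name would land in usracct.username, so keep the value's consumers aware that it is not guaranteed to be a bare user name.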
Just for fun:
VMWare ESX login success
Apr 27 01:01:12 esx1 /usr/lib/vmware/hostd/vmware-hostd[1479]: Accepted password for user root from 127.0.0.1
Nice.
Thanks a lot, I'll add this somewhat later. I got distracted by other things.
I've added this too to vm/vmware-esx.pdb. Do you perhaps have the logout & login failure messages for this? Thanks. -- Bazsi
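As an added illustration of the matching discussed in this thread (not code from syslog-ng or from anyone on the list), the following Python snippet re-expresses the logout rule from the patch as a tiny patterndb-style matcher and runs it over the three log lines quoted above. It assumes, as the thread does, that the program name is matched by prefix against a ruleset pattern (here taken to be the plain string 'sshd', which the mail never shows), translates a subset of the @PARSER:name:arg@ syntax into regular expressions, and fills $PID and $PROGRAM from the syslog header. The header regex is a simplification written for these three lines only.

```python
import re

# The three log lines quoted in the thread, verbatim.
SAMPLE_LINES = [
    "Jul 11 08:09:01 anton-linux CRON[24475]: pam_unix(cron:session): session closed for user root",
    "Apr 28 03:34:36 esx1 sshd(pam_unix)[9032]: session closed for user anton",
    "Apr 27 01:01:12 esx1 /usr/lib/vmware/hostd/vmware-hostd[1479]: Accepted password for user root from 127.0.0.1",
]

# The logout rule from the patch, re-expressed as plain Python data
# (the real rule is the XML <rule> element in the mail).
LOGOUT_RULE = {
    "id": "a2f96b71-6c5e-413e-92c2-75e9d66c0119",
    "pattern": "session closed for user @ANYSTRING:usracct.username:@",
    "values": {
        "usracct.type": "logout",
        "usracct.sessionid": "$PID",
        "usracct.application": "$PROGRAM",
    },
    "tags": ["usracct"],
}

# Assumed ruleset program pattern: the mail only says 'sshd' prefix-matches
# 'sshd(pam_unix)', it never shows the ruleset header itself.
RULESET_PROGRAM = "sshd"

# Simplified BSD syslog header: timestamp host program[pid]: message
_HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<message>.*)$"
)
_PARSER_RE = re.compile(r"@(ANYSTRING|ESTRING|NUMBER|STRING):([A-Za-z0-9_.]+):([^@]*)@")


def parse_syslog(line):
    """Split one syslog line into its header fields; None if it has no PID."""
    m = _HEADER_RE.match(line)
    return m.groupdict() if m else None


def pattern_to_regex(pattern):
    """Translate a subset of patterndb parser syntax into an anchored regex.
    Literal text is escaped; ANYSTRING eats to end of message, ESTRING up to
    its delimiter, NUMBER is a digit run and STRING a non-space run."""
    out, pos = [], 0
    for m in _PARSER_RE.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        kind, name, arg = m.groups()
        group = name.replace(".", "__")  # regex group names cannot contain '.'
        if kind == "ANYSTRING":
            out.append(f"(?P<{group}>.*)")
        elif kind == "ESTRING":
            out.append(f"(?P<{group}>.*?){re.escape(arg)}")
        elif kind == "NUMBER":
            out.append(f"(?P<{group}>-?\\d+)")
        else:  # STRING
            out.append(f"(?P<{group}>\\S+)")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(out) + "$")


def match_rule(rule, hdr, ruleset_program=RULESET_PROGRAM):
    """Return the name/value pairs a hit produces, or None when the program
    is outside the ruleset or the message does not match the pattern."""
    # Program selection is a prefix match, as the thread describes it.
    if not hdr["program"].startswith(ruleset_program):
        return None
    m = pattern_to_regex(rule["pattern"]).match(hdr["message"])
    if m is None:
        return None
    values = {k.replace("__", "."): v for k, v in m.groupdict().items()}
    macros = {"$PID": hdr["pid"], "$PROGRAM": hdr["program"]}
    for name, tmpl in rule["values"].items():
        values[name] = macros.get(tmpl, tmpl)
    values["tags"] = list(rule["tags"])
    return values


def classify_samples():
    """Run the logout rule over the quoted lines; one result per line."""
    return [match_rule(LOGOUT_RULE, parse_syslog(line)) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, classify_samples()):
        print(line.split(" ", 4)[3], "->", result)
```

Only the sshd(pam_unix) line yields a logout record; the CRON line is excluded by the program prefix before its message is even inspected, which is the point the reply makes about needing a separate rule for the pam_unix-in-message form.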