Here's SSH with a successful public key login and subsequent logout:

Jul 4 12:28:27 webserver0163 sshd[22134]: Accepted publickey for johnny from 10.10.85.208 port 50674 ssh2
Jul 4 12:28:28 webserver0163 sshd[22136]: Received disconnect from 10.10.85.208: 11: disconnected by user

On Wed, Jul 14, 2010 at 2:43 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Tue, 2010-07-13 at 12:37 -0700, Anton Chuvakin wrote:
My target at first is login/logout/login failure events. I'd start with a generic Linux installation and try to cover all applications that perform authentication.
OK, so here are some:
OS Linux
SSH bad pwd
Apr 22 16:56:39 support sshd[11354]: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2
bad user
Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2
FTP bad pwd
Apr 23 14:07:49 support sshd[15069]: Failed password for ftp from ::ffff:10.10.10.171 port 35621 ssh2

OS HP-UX
bad pwd
Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from 10.10.333.444 port 1420 ssh2

Web Apache
401
10.10.10.100 - - [23/Apr/2007:12:29:55 -0500] "GET /olu/adm/reg.html HTTP/1.1" 401 485
Is login success next, hopefully?
Ahh, I might have put the wording wrong. I meant login AND logout and login failure.
So let those come as well.
Great to receive these patterns. I really appreciate them. I hope to get your submissions into shape hopefully today, but worst case this week.
-- Bazsi
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
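
As an added example (not part of the original thread, and plain Python rather than syslog-ng pattern database syntax), the sshd samples posted above can be classified into login, logout and login-failure events with three regular expressions. The event and field names and the `invalid user` wording variant are assumptions of this example; the log lines are the ones from the thread.

```python
import ipaddress
import re

# sshd lines copied from the thread above; nothing here is constructed.
SAMPLES = [
    "Jul 4 12:28:27 webserver0163 sshd[22134]: Accepted publickey for johnny from 10.10.85.208 port 50674 ssh2",
    "Jul 4 12:28:28 webserver0163 sshd[22136]: Received disconnect from 10.10.85.208: 11: disconnected by user",
    "Apr 22 16:56:39 support sshd[11354]: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2",
    "Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2",
    "Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from 10.10.333.444 port 1420 ssh2",
]

# Syslog header: timestamp, host, "sshd[pid]:", then the free-text message.
HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Event names are this example's own. "invalid user" is an assumed variant of
# the "illegal user" wording seen in the thread.
RULES = [
    ("login", re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")),
    ("login_failure", re.compile(r"^Failed (?P<method>\S+) for (?P<unknown>(?:illegal|invalid) user )?"
                                 r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")),
    ("logout", re.compile(r"^Received disconnect from (?P<src>\S+): \d+: (?P<reason>.*)$")),
]


def normalize_src(raw):
    """Return (address, valid). IPv4-mapped IPv6 is unwrapped; bad input is kept raw."""
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return raw, False  # e.g. the anonymized 10.10.333.444 in the HP-UX sample
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped if mapped is not None else ip), True


def parse(line):
    """Classify one sshd syslog line; return None when no rule matches."""
    head = HEADER.match(line)
    if not head:
        return None
    for event, rule in RULES:
        m = rule.match(head["msg"])
        if m:
            fields = m.groupdict()
            src, valid = normalize_src(fields.pop("src"))
            return {"event": event, "host": head["host"], "src": src, "src_valid": valid,
                    "user": fields.get("user"), "unknown_user": bool(fields.get("unknown"))}
    return None


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse(sample))
```

The disconnect line carries no user name and, in the sample above, a different sshd PID than the login line, so the example reports logout by host and source address only.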