My target at first is login/logout/login failure events. I'd start with a generic Linux installation and try to cover all applications that perform authentication.
Some logouts + session ended's too:

Jul 11 08:09:01 anton-linux CRON[24475]: pam_unix(cron:session): session closed for user root
Apr 28 03:34:36 esx1 sshd(pam_unix)[9032]: session closed for user anton

Just for fun: VMWare ESX login success

Apr 27 01:01:12 esx1 /usr/lib/vmware/hostd/vmware-hostd[1479]: Accepted password for user root from 127.0.0.1

Will send more as I dig thru my archives...

-- 
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Consulting: http://www.securitywarriorconsulting.com
Twitter: @anton_chuvakin
Google Voice: +1-510-771-7106
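An added example, not part of the original message: a small normalizer that maps the three sample lines above onto common login/logout/login-failure events. The event names, the output field names and the fourth sample line (a constructed OpenSSH-style failure) are assumptions made for this example.

```python
import re

# Syslog header: "Mon DD HH:MM:SS host tag[pid]: message"
HEADER = re.compile(
    r"^(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>\S+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# First match wins. Event names are assumptions made for this example.
RULES = [
    ("login_success", re.compile(
        r"Accepted (?P<method>\S+) for (?:user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("login_failure", re.compile(
        r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("session_open", re.compile(r"session opened for user (?P<user>\S+)")),
    ("session_close", re.compile(r"session closed for user (?P<user>\S+)")),
]

def normalize(line):
    """Return one normalized auth event as a dict, or None if unrecognized."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    for event, rx in RULES:
        hit = rx.search(m["msg"])
        if hit:
            # "sshd(pam_unix)" -> "sshd"; "/usr/lib/.../vmware-hostd" -> "vmware-hostd"
            app = m["tag"].split("(")[0].rsplit("/", 1)[-1]
            rec = {"time": m["time"], "host": m["host"], "app": app,
                   "pid": int(m["pid"]), "event": event, "src": None, "method": None}
            rec.update(hit.groupdict())
            return rec
    return None

SAMPLES = [
    # The three lines quoted in the message above
    "Jul 11 08:09:01 anton-linux CRON[24475]: pam_unix(cron:session): session closed for user root",
    "Apr 28 03:34:36 esx1 sshd(pam_unix)[9032]: session closed for user anton",
    "Apr 27 01:01:12 esx1 /usr/lib/vmware/hostd/vmware-hostd[1479]: Accepted password for user root from 127.0.0.1",
    # Constructed for this example (OpenSSH failure wording, made-up user and address)
    "Jul 11 08:10:15 anton-linux sshd[24501]: Failed password for invalid user test from 192.0.2.10 port 4022 ssh2",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(normalize(s))
```

The same "session closed" text arrives under two different tags (CRON and sshd(pam_unix)), which is why the application name is derived from the tag and the event from the message body.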