Sent: Tuesday, July 13, 2010 5:25:13 AM
From: Balazs Scheidler <bazsi@balabit.hu>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] patterndb: collect login/logout samples
Hi,
After getting the generic patterndb policy into shape, I'd like to start collecting log samples, preferably in a domain that is useful for everyone.
My target at first is login/logout/login failure events. I'd start with a generic Linux installation and try to cover all applications that perform authentication.
I took a look at that pdb format and was lost. I'll probably learn it eventually, but would just make a mess of it if I tried now. But here are a lot of examples that haven't been provided yet. All messages were generated from RHEL 5 servers.

ssh netgroup restricted login (user is valid):
Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Invalid user phemmer from 165.212.225.134
Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Failed none for invalid user phemmer from 165.212.225.134 port 49528 ssh2

ssh tcpwrapper (/etc/hosts.deny) restricted login:
Jul 13 23:02:57 admin02.cms.usa.net sshd[7442]: refused connect from 165.212.15.221 (165.212.15.221)

-------------------
su valid login:
Jul 13 22:47:07 admin02.cms.usa.net su: pam_unix(su:session): session opened for user root by phemmer(uid=8129)

su bad pass:
Jul 13 22:31:07 admin02.cms.usa.net su: pam_unix(su:auth): authentication failure; logname=phemmer uid=8129 euid=0 tty=pts/13 ruser=phemmer rhost= user=root

su bad user generates no message

su log out:
Jul 13 23:07:13 admin02.cms.usa.net su: pam_unix(su:session): session closed for user root

-------------------
sudo valid login:
Jul 13 22:46:46 : phemmer : HOST=admin02 : TTY=pts/13 ; PWD=/home/phemmer ; USER=root ; COMMAND=/bin/ls

sudo bad pass:
Jul 13 22:33:53 admin02.cms.usa.net sudo: pam_unix(sudo:auth): authentication failure; logname=phemmer uid=0 euid=0 tty=/dev/pts/13 ruser= rhost= user=phemmer
Jul 13 22:34:05 admin02.cms.usa.net sudo: phemmer : 3 incorrect password attempts ; TTY=pts/13 ; PWD=/home/phemmer ; USER=root ; COMMAND=/bin/ls

sudo bad user:
Jul 13 22:41:13 admin02.cms.usa.net sudo: phemmer : no passwd entry for asdfh!
-------------------
serial console valid login:
Jul 13 22:46:02 admin02.cms.usa.net login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jul 13 22:46:02 admin02.cms.usa.net login: DIALUP AT ttyS1 BY root
Jul 13 22:46:02 admin02.cms.usa.net login: ROOT LOGIN ON ttyS1

serial console bad pass:
Jul 13 22:38:34 admin02.cms.usa.net login: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure

serial console bad user:
Jul 13 22:38:56 admin02.cms.usa.net login: pam_unix(login:auth): check pass; user unknown
Jul 13 22:38:56 admin02.cms.usa.net login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=ttyS1 ruser= rhost=
Jul 13 22:38:56 admin02.cms.usa.net login: pam_succeed_if(login:auth): error retrieving information about user asdfjh
Jul 13 22:38:57 admin02.cms.usa.net login: FAILED LOGIN 2 FROM (null) FOR asdfjh, User not known to the underlying authentication module

serial console logout:
Jul 13 23:06:29 admin02.cms.usa.net login: pam_unix(login:session): session closed for user root

-------------------
physical console valid login:
Jul 13 22:42:54 localhost login: ROOT LOGIN ON tty1

physical console bad pass:
Jul 13 22:44:30 localhost login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=root
Jul 13 22:44:32 localhost login: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure

physical console bad user:
Jul 13 22:44:57 localhost login: pam_unix(login:auth): check pass; user unknown
Jul 13 22:44:57 localhost login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Jul 13 22:44:57 localhost login: pam_succeed_if(login:auth): error retrieving information about user shdga
Jul 13 22:44:59 localhost login: FAILED LOGIN 2 FROM (null) FOR shdga, User not known to the underlying authentication module

physical console logout:
Jul 13 23:08:28 localhost login: pam_unix(login:session): session closed for user root
-------------------
VMware server messages are the exact same for both remote console application and web UI.

vmware server valid login:
Jul 13 22:53:49 vmware02 Hostd: Accepted password for user root from 127.0.0.1
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.705 'Vimsvc' 1098422592 info] [Auth]: User root
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.706 'ha-eventmgr' 1098422592 info] Event 3 : User root@127.0.0.1 logged in
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.706 'PropertyProvider' 1098422592 verbose] RecordOp ASSIGN: latestEvent, ha-eventmgr
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.706 'PropertyProvider' 1098422592 verbose] RecordOp ADD: sessionList["52efdf57-6fa9-a095-a7d3-48ef63421e73"], ha-sessionmgr

vmware server bad user:
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.677 'ha-eventmgr' 47473126103232 info] Event 2 : Failed login attempt for asdf@127.0.0.1
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.677 'PropertyProvider' 47473126103232 verbose] RecordOp ASSIGN: latestEvent, ha-eventmgr
Jul 13 22:53:15 vmware02 Hostd: Rejected password for user asdf from 127.0.0.1
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.677 'Vmomi' 47473126103232 info] Activation [N5Vmomi10ActivationE:0xe5eedc0] : Invoke done [login] on [vim.SessionManager:ha-sessionmgr]
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.678 'Vmomi' 47473126103232 info] Throw vim.fault.InvalidLogin
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.678 'Vmomi' 47473126103232 info] Result:
Jul 13 22:53:15 vmware02 Hostd: (vim.fault.InvalidLogin) { dynamicType = <unset>, msg = "" }
Jul 13 22:53:15 vmware02 Hostd:

vmware server bad pass:
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.215 'ha-eventmgr' 1086609728 info] Event 1 : Failed login attempt for root@127.0.0.1
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.215 'PropertyProvider' 1086609728 verbose] RecordOp ASSIGN: latestEvent, ha-eventmgr
Jul 13 22:51:47 vmware02 Hostd: Rejected password for user root from 127.0.0.1
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.216 'Vmomi' 1086609728 info] Activation [N5Vmomi10ActivationE:0xe5e3a80] : Invoke done [login] on [vim.SessionManager:ha-sessionmgr]
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.216 'Vmomi' 1086609728 info] Throw vim.fault.InvalidLogin
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.216 'Vmomi' 1086609728 info] Result:
Jul 13 22:51:47 vmware02 Hostd: (vim.fault.InvalidLogin) { dynamicType = <unset>, msg = "" }
Jul 13 22:51:47 vmware02 Hostd:

vmware server no permissions:
Jul 13 22:54:27 vmware02 Hostd: Accepted password for user phemmer from 127.0.0.1
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.905 'Vimsvc' 1098688832 info] [Auth]: User phemmer
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.906 'ha-eventmgr' 1098688832 info] Event 4 : Failed to login user phemmer@127.0.0.1: No permission
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.906 'PropertyProvider' 1098688832 verbose] RecordOp ASSIGN: latestEvent, ha-eventmgr
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.906 'Vmomi' 1098688832 info] Activation [N5Vmomi10ActivationE:0xe86bd80] : Invoke done [login] on [vim.SessionManager:ha-sessionmgr]
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.907 'Vmomi' 1098688832 info] Throw vim.fault.NoPermission
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.907 'Vmomi' 1098688832 info] Result:
Jul 13 22:54:27 vmware02 Hostd: (vim.fault.NoPermission) { dynamicType = <unset>, object = 'vim.Folder:ha-folder-root', privilegeId = "System.View", msg = "" }
Jul 13 22:54:27 vmware02 Hostd:
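As an added example that is not part of the thread or of the syslog-ng project, here is how a few of the sshd and su samples above map onto a patterndb v4 ruleset as read by the db-parser of syslog-ng 3.2 or later, with one embedded test case that `pdbtool test` replays. The `usracct.*` value names follow the naming style of the generic policy Balazs mentions but are assumptions here, as are the rule ids, the provider name and the file name `login-samples.pdb`.

```xml
<patterndb version="4" pub_date="2010-07-13">
  <ruleset name="sshd-login" id="example-sshd-login">
    <pattern>sshd</pattern>
    <rules>
      <!-- sample: "Invalid user phemmer from 165.212.225.134" -->
      <rule provider="example" id="example-sshd-invalid-user" class="violation">
        <patterns><pattern>Invalid user @ESTRING:usracct.username: @from @IPv4:usracct.device@</pattern></patterns>
        <tags><tag>usracct</tag></tags>
        <values><value name="usracct.type">login</value><value name="usracct.result">failure</value></values>
        <!-- "pdbtool test login-samples.pdb" feeds this message in and checks the extracted values -->
        <examples>
          <example>
            <test_message program="sshd">Invalid user phemmer from 165.212.225.134</test_message>
            <test_values>
              <test_value name="usracct.username">phemmer</test_value>
              <test_value name="usracct.device">165.212.225.134</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
      <!-- sample: "Failed none for invalid user phemmer from 165.212.225.134 port 49528 ssh2" -->
      <rule provider="example" id="example-sshd-failed-invalid-user" class="violation">
        <patterns><pattern>Failed @ESTRING:usracct.authmethod: @for invalid user @ESTRING:usracct.username: @from @IPv4:usracct.device@ port @NUMBER:usracct.port@ ssh2</pattern></patterns>
        <tags><tag>usracct</tag></tags>
        <values><value name="usracct.type">login</value><value name="usracct.result">failure</value></values>
      </rule>
    </rules>
  </ruleset>
  <ruleset name="su-session" id="example-su-session">
    <pattern>su</pattern>
    <rules>
      <!-- sample: "pam_unix(su:session): session opened for user root by phemmer(uid=8129)" -->
      <rule provider="example" id="example-su-session-opened" class="security">
        <patterns><pattern>pam_unix(su:session): session opened for user @ESTRING:usracct.username: @by @ESTRING:usracct.authname:(@uid=@NUMBER:usracct.uid@)</pattern></patterns>
        <tags><tag>usracct</tag></tags>
        <values><value name="usracct.type">login</value></values>
      </rule>
      <!-- sample: "pam_unix(su:session): session closed for user root" -->
      <rule provider="example" id="example-su-session-closed" class="security">
        <patterns><pattern>pam_unix(su:session): session closed for user @ANYSTRING:usracct.username@</pattern></patterns>
        <tags><tag>usracct</tag></tags>
        <values><value name="usracct.type">logout</value></values>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

To try any other sample against the file without loading it into syslog-ng, run `pdbtool match -p login-samples.pdb -P su -M 'pam_unix(su:session): session closed for user root'` and it prints the matching rule id together with the name-value pairs it extracted.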