Sent: Tuesday, July 13, 2010 5:25:13 AM
From: Balazs Scheidler <bazsi@balabit.hu>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] patterndb: collect login/logout samples 
Hi,

After getting the generic patterndb policy into shape, I'd like to start
collecting log samples, preferably in a domain that is useful for
everyone.

My target is at first is login/logout/login failure events. I'd start
with a generic Linux installation and try to cover all applications that
perform authentication.
I took a look at that pdb format and was lost. I'll probably learn it eventually, but would just make a mess of it if I tried now. But here are a lot of examples that havent been provided yet.
All messages were generated from RHEL 5 servers

ssh netgroup restricted login (user is valid):
Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Invalid user phemmer from 165.212.225.134
Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Failed none for invalid user phemmer from 165.212.225.134 port 49528 ssh2

ssh tcpwrapper (/etc/hosts.deny) restricted login:
Jul 13 23:02:57 admin02.cms.usa.net sshd[7442]: refused connect from 165.212.15.221 (165.212.15.221)

-------------------

su valid login:
Jul 13 22:47:07 admin02.cms.usa.net su: pam_unix(su:session): session opened for user root by phemmer(uid=8129)

su bad pass:
Jul 13 22:31:07 admin02.cms.usa.net su: pam_unix(su:auth): authentication failure; logname=phemmer uid=8129 euid=0 tty=pts/13 ruser=phemmer rhost=  user=root

su bad user generates no message

su log out:
Jul 13 23:07:13 admin02.cms.usa.net su: pam_unix(su:session): session closed for user root

-------------------

sudo valid login:
Jul 13 22:46:46 : phemmer : HOST=admin02 : TTY=pts/13 ; PWD=/home/phemmer ; USER=root ; COMMAND=/bin/ls

sudo bad pass:
Jul 13 22:33:53 admin02.cms.usa.net sudo: pam_unix(sudo:auth): authentication failure; logname=phemmer uid=0 euid=0 tty=/dev/pts/13 ruser= rhost=  user=phemmer
Jul 13 22:34:05 admin02.cms.usa.net sudo:  phemmer : 3 incorrect password attempts ; TTY=pts/13 ; PWD=/home/phemmer ; USER=root ; COMMAND=/bin/ls

sudo bad user:
Jul 13 22:41:13 admin02.cms.usa.net sudo:  phemmer : no passwd entry for asdfh!

-------------------

serial console valid login:
Jul 13 22:46:02 admin02.cms.usa.net login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jul 13 22:46:02 admin02.cms.usa.net login: DIALUP AT ttyS1 BY root
Jul 13 22:46:02 admin02.cms.usa.net login: ROOT LOGIN ON ttyS1

serial console bad pass:
Jul 13 22:38:34 admin02.cms.usa.net login: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure

serial console bad user:
Jul 13 22:38:56 admin02.cms.usa.net login: pam_unix(login:auth): check pass; user unknown
Jul 13 22:38:56 admin02.cms.usa.net login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=ttyS1 ruser= rhost=
Jul 13 22:38:56 admin02.cms.usa.net login: pam_succeed_if(login:auth): error retrieving information about user asdfjh
Jul 13 22:38:57 admin02.cms.usa.net login: FAILED LOGIN 2 FROM (null) FOR asdfjh, User not known to the underlying authentication module

serial console logout:
Jul 13 23:06:29 admin02.cms.usa.net login: pam_unix(login:session): session closed for user root

-------------------

physical console valid login:
Jul 13 22:42:54 localhost login: ROOT LOGIN ON tty1

physical console bad pass:
Jul 13 22:44:30 localhost login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
Jul 13 22:44:32 localhost login: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure

physical console bad user:
Jul 13 22:44:57 localhost login: pam_unix(login:auth): check pass; user unknown
Jul 13 22:44:57 localhost login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Jul 13 22:44:57 localhost login: pam_succeed_if(login:auth): error retrieving information about user shdga
Jul 13 22:44:59 localhost login: FAILED LOGIN 2 FROM (null) FOR shdga, User not known to the underlying authentication module

physical console logout:
Jul 13 23:08:28 localhost login: pam_unix(login:session): session closed for user root

-------------------

VMware server messages are the exact same for both remote console application and web UI.

vmware server valid login:
Jul 13 22:53:49 vmware02 Hostd: Accepted password for user root from 127.0.0.1
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.705 'Vimsvc' 1098422592 info] [Auth]: User root
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.706 'ha-eventmgr' 1098422592 info] Event 3 : User root@127.0.0.1 logged in
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.706 'PropertyProvider' 1098422592 verbose] RecordOp ASSIGN: latestEvent, ha-eventmgr
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.706 'PropertyProvider' 1098422592 verbose] RecordOp ADD: sessionList["52efdf57-6fa9-a095-a7d3-48ef63421e73"], ha-sessionmgr

vmware server bad user:
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.677 'ha-eventmgr' 47473126103232 info] Event 2 : Failed login attempt for asdf@127.0.0.1
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.677 'PropertyProvider' 47473126103232 verbose] RecordOp ASSIGN: latestEvent, ha-eventmgr
Jul 13 22:53:15 vmware02 Hostd: Rejected password for user asdf from 127.0.0.1
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.677 'Vmomi' 47473126103232 info] Activation [N5Vmomi10ActivationE:0xe5eedc0] : Invoke done [login] on [vim.SessionManager:ha-sessionmgr]
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.678 'Vmomi' 47473126103232 info] Throw vim.fault.InvalidLogin
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.678 'Vmomi' 47473126103232 info] Result:
Jul 13 22:53:15 vmware02 Hostd: (vim.fault.InvalidLogin) {    dynamicType = <unset>,     msg = "" }
Jul 13 22:53:15 vmware02 Hostd:

vmware server bad pass:
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.215 'ha-eventmgr' 1086609728 info] Event 1 : Failed login attempt for root@127.0.0.1
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.215 'PropertyProvider' 1086609728 verbose] RecordOp ASSIGN: latestEvent, ha-eventmgr
Jul 13 22:51:47 vmware02 Hostd: Rejected password for user root from 127.0.0.1
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.216 'Vmomi' 1086609728 info] Activation [N5Vmomi10ActivationE:0xe5e3a80] : Invoke done [login] on [vim.SessionManager:ha-sessionmgr]
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.216 'Vmomi' 1086609728 info] Throw vim.fault.InvalidLogin
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.216 'Vmomi' 1086609728 info] Result:
Jul 13 22:51:47 vmware02 Hostd: (vim.fault.InvalidLogin) {    dynamicType = <unset>,     msg = "" }
Jul 13 22:51:47 vmware02 Hostd:

vmware server no permissions:
Jul 13 22:54:27 vmware02 Hostd: Accepted password for user phemmer from 127.0.0.1
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.905 'Vimsvc' 1098688832 info] [Auth]: User phemmer
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.906 'ha-eventmgr' 1098688832 info] Event 4 : Failed to login user phemmer@127.0.0.1: No permission
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.906 'PropertyProvider' 1098688832 verbose] RecordOp ASSIGN: latestEvent, ha-eventmgr
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.906 'Vmomi' 1098688832 info] Activation [N5Vmomi10ActivationE:0xe86bd80] : Invoke done [login] on [vim.SessionManager:ha-sessionmgr]
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.907 'Vmomi' 1098688832 info] Throw vim.fault.NoPermission
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.907 'Vmomi' 1098688832 info] Result:
Jul 13 22:54:27 vmware02 Hostd: (vim.fault.NoPermission) {    dynamicType = <unset>,     object = 'vim.Folder:ha-folder-root',     privilegeId = "System.View",     msg = "" }
Jul 13 22:54:27 vmware02 Hostd: