Hi,

Not sure whether the following should be caught. This message is displayed when an unknown user attempts to log in:

Jul 13 14:29:34 centos53 sshd[12779]: Failed password for invalid user xxxx from 127.0.0.1 port 40102 ssh2

When the DenyGroups and/or DenyUsers keywords for sshd are used to restrict access (for users in LDAP), the following messages are displayed for users that are not allowed to log in:

Jul 13 15:05:54 centos53 sshd[13031]: User siem from centos53 not allowed because listed in DenyUsers
Jul 13 15:05:58 centos53 sshd[13031]: Failed password for invalid user siem from 127.0.0.1 port 53618 ssh2

and

Jul 13 15:09:15 centos53 sshd[13061]: User siem from centos53 not allowed because a group is listed in DenyGroups
Jul 13 15:09:22 centos53 sshd[13061]: Failed password for invalid user siem from 127.0.0.1 port 37397 ssh2

When the AllowGroups and/or AllowUsers keywords are used, the following messages are displayed:

Jul 13 15:22:01 centos53 sshd[13155]: User siem from centos53 not allowed because not listed in AllowUsers
Jul 13 15:22:05 centos53 sshd[13155]: Failed password for invalid user siem from 127.0.0.1 port 49085 ssh2

and

Jul 13 15:23:48 centos53 sshd[13180]: User siem from centos53 not allowed because none of user's groups are listed in AllowGroups
Jul 13 15:23:53 centos53 sshd[13180]: Failed password for invalid user siem from 127.0.0.1 port 33481 ssh2

regards,
Siem Korteweg

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu on behalf of Balazs Scheidler
Sent: Tue 13-7-2010 13:25
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] patterndb: collect login/logout samples

Hi,

After getting the generic patterndb policy into shape, I'd like to start collecting log samples, preferably in a domain that is useful for everyone. My target at first is login/logout/login failure events. I'd start with a generic Linux installation and try to cover all applications that perform authentication.

As a starter, I've committed access/sshd.pdb, containing three rules for OpenSSH login/logout/login failure events. I'd head towards standard services, ftp, pop3 and imap authentication, using their "default" implementation in Ubuntu/Debian (if there's no default, I'll just pick one at random).

If any of you can collect these 3 samples of any of the applications that you run daily on your system and submit them here, it'd be of tremendous use and would be appreciated. The format of the submission would preferably be patterndb format (see the ssh sample I've just pushed), but if you are afraid of that, even simple samples would be useful; I'll do the markup myself.

--
Bazsi

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
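The samples Siem posted show the detail that matters for a login-failure rule: when an account is blocked by AllowUsers/AllowGroups/DenyUsers/DenyGroups, sshd first logs "User ... not allowed because ..." and then logs the password failure as "invalid user", exactly as it does for a nonexistent account. A parser that looks only at the "Failed password" line therefore lumps a real, policy-denied account in with mistyped usernames. The script below is an added example, not code from the thread and not part of syslog-ng's patterndb; it uses plain Python regular expressions that mirror the message shapes quoted above and pairs the two lines through the sshd pid in the syslog header, which is an assumption that both messages come from the same sshd child. The log excerpt is constructed from the lines in the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed input for this example: the sshd lines posted in the thread,
# joined into one log excerpt.
SAMPLE_LOG = """\
Jul 13 14:29:34 centos53 sshd[12779]: Failed password for invalid user xxxx from 127.0.0.1 port 40102 ssh2
Jul 13 15:05:54 centos53 sshd[13031]: User siem from centos53 not allowed because listed in DenyUsers
Jul 13 15:05:58 centos53 sshd[13031]: Failed password for invalid user siem from 127.0.0.1 port 53618 ssh2
Jul 13 15:09:15 centos53 sshd[13061]: User siem from centos53 not allowed because a group is listed in DenyGroups
Jul 13 15:09:22 centos53 sshd[13061]: Failed password for invalid user siem from 127.0.0.1 port 37397 ssh2
Jul 13 15:22:01 centos53 sshd[13155]: User siem from centos53 not allowed because not listed in AllowUsers
Jul 13 15:22:05 centos53 sshd[13155]: Failed password for invalid user siem from 127.0.0.1 port 49085 ssh2
Jul 13 15:23:48 centos53 sshd[13180]: User siem from centos53 not allowed because none of user's groups are listed in AllowGroups
Jul 13 15:23:53 centos53 sshd[13180]: Failed password for invalid user siem from 127.0.0.1 port 33481 ssh2
"""

# Classic BSD syslog header: "Mon DD HH:MM:SS host program[pid]: message"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# The two sshd message shapes shown in the thread.
FAILED_RE = re.compile(
    r"^Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) (?P<proto>\S+)$"
)
NOT_ALLOWED_RE = re.compile(
    r"^User (?P<user>\S+) from (?P<src>\S+) not allowed because (?P<reason>.+)$"
)
# Free-text reason printed by sshd -> sshd_config keyword that denied access.
POLICY_BY_REASON = {
    "listed in DenyUsers": "DenyUsers",
    "a group is listed in DenyGroups": "DenyGroups",
    "not listed in AllowUsers": "AllowUsers",
    "none of user's groups are listed in AllowGroups": "AllowGroups",
}


@dataclass
class Event:
    ts: str
    host: str
    pid: str
    kind: str                      # "not_allowed" or "failed_password"
    user: str
    src: str
    port: Optional[str] = None     # only on failed_password
    policy: Optional[str] = None   # only on not_allowed
    invalid_user: bool = False     # sshd's "invalid user" marker


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for the two sshd message shapes discussed, else None."""
    h = HEADER_RE.match(line.strip())
    if not h or h["prog"] != "sshd":
        return None
    msg = h["msg"]
    m = NOT_ALLOWED_RE.match(msg)
    if m:
        return Event(h["ts"], h["host"], h["pid"] or "", "not_allowed",
                     m["user"], m["src"],
                     policy=POLICY_BY_REASON.get(m["reason"], "unknown"))
    m = FAILED_RE.match(msg)
    if m:
        return Event(h["ts"], h["host"], h["pid"] or "", "failed_password",
                     m["user"], m["src"],
                     port=m["port"], invalid_user=bool(m["invalid"]))
    return None


def correlate(log_text: str) -> list[dict]:
    """Pair each failed_password with the not_allowed line of the same sshd pid.

    sshd tags a policy-denied account as "invalid user" too, so the failure
    line alone cannot separate a nonexistent account from an existing account
    blocked by Allow*/Deny*; the earlier message for the same pid can.
    """
    pending: dict[tuple[str, str], Event] = {}
    results: list[dict] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev.host, ev.pid)
        if ev.kind == "not_allowed":
            pending[key] = ev          # remember until the failure line arrives
            continue
        denied = pending.pop(key, None)
        if denied is not None and denied.user != ev.user:
            denied = None              # same pid but a different account: do not pair
        results.append({
            "ts": ev.ts, "host": ev.host, "user": ev.user,
            "src": ev.src, "port": ev.port,
            "denied_by": denied.policy if denied else None,
            "account_status": "policy_denied" if denied else "unknown_or_nonexistent",
        })
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        print(r)
```

Run against the excerpt, the first failure (user xxxx) comes out as unknown_or_nonexistent while the four for siem are tagged policy_denied with the keyword that blocked them. Keeping that distinction in the rule's output lets a monitoring setup treat repeated failures against a real but blocked account differently from random username guessing. In patterndb terms this is the case for two rules (one per message shape) rather than one rule that matches only "Failed password".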