Hello,

On 10/29/2010 04:32 PM, Martin Holste wrote:
> Won't the user login pattern only catch root logins because of uid=0?
> <pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>
> Couldn't it be changed to
> <pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>
No, check my log samples I used to create the patterns. User "czanik" has uid=1000, still all the logs end with (uid=0):

Oct 7 09:28:17 ubuntu login[4454]: pam_unix(login:session): session opened for user czanik by (uid=0)

So it does not seem to have anything to do with the user's uid.

Have a nice weekend!

Bye,
-- 
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
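An added example, not part of the original thread and not syslog-ng code: a simplified Python matcher that handles only literal text and `@ESTRING:name:delimiter@`, applied to the two patterns and the log sample quoted above. The `match` helper, its whole-message matching rule, and the `by LOGIN` sample line are assumptions of this sketch.

```python
import re

# Subset of patterndb syntax handled here: literal text plus
# @ESTRING:name:delimiter@ (capture up to the delimiter, then consume it).
TOKEN = re.compile(r"@ESTRING:([^:@]*):([^@]*)@")

ORIGINAL = ("pam_unix(login:session): session opened for user "
            "@ESTRING:usracct.username: @by @ESTRING::(@uid=0)")
PROPOSED = ("pam_unix(login:session): session opened for user "
            "@ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@")

# MESSAGE part of the sample from the reply (header stripped).
SAMPLE = "pam_unix(login:session): session opened for user czanik by (uid=0)"
# Constructed variant with a name before the parenthesis.
SAMPLE_LOGIN = "pam_unix(login:session): session opened for user czanik by LOGIN(uid=0)"


def match(pattern, message):
    """Return the captured name/value pairs, or None if the pattern does not match."""
    values, pos, last = {}, 0, 0
    for tok in TOKEN.finditer(pattern):
        literal = pattern[last:tok.start()]
        if not message.startswith(literal, pos):
            return None
        pos += len(literal)
        name, delim = tok.group(1), tok.group(2)
        end = message.find(delim, pos)
        if end < 0:
            return None
        if name:  # an unnamed ESTRING consumes text without storing it
            values[name] = message[pos:end]
        pos = end + len(delim)
        last = tok.end()
    # Assumption of this sketch: the rest of the message must equal the trailing literal.
    return values if message[pos:] == pattern[last:] else None


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL), ("proposed", PROPOSED)):
        for msg in (SAMPLE, SAMPLE_LOGIN):
            print(label, "->", match(pattern, msg))
```

With the proposed pattern, the non-root user czanik would be recorded with `usracct.uid` set to `0`, which is the value in the "by" clause rather than the account's own uid.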