My target at first is login/logout/login failure events. I'd start with a generic Linux installation and try to cover all applications that perform authentication.

OK, so here are some:

OS Linux

  SSH bad pwd:
    Apr 22 16:56:39 support sshd[11354]: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2

  SSH bad user:
    Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2

  FTP bad pwd:
    Apr 23 14:07:49 support sshd[15069]: Failed password for ftp from ::ffff:10.10.10.171 port 35621 ssh2

OS HP-UX

  bad pwd:
    Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from 10.10.333.444 port 1420 ssh2

Web Apache

  401:
    10.10.10.100 - - [23/Apr/2007:12:29:55 -0500] "GET /olu/adm/reg.html HTTP/1.1" 401 485

Is login success next, hopefully?

--
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Consulting: http://www.securitywarriorconsulting.com
Twitter: @anton_chuvakin
Google Voice: +1-510-771-7106
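As an added example, not part of the post above, here is a small Python parser that folds the sshd and Apache failure samples from the post into one event shape and counts failures per source address. The event field names, the reason labels and the stripping of the IPv4-mapped "::ffff:" prefix are my assumptions; the sample lines are copied from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample lines copied from the post (constructed test input, not live logs).
SAMPLE_LOGS = [
    "Apr 22 16:56:39 support sshd[11354]: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2",
    "Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2",
    "Apr 23 14:07:49 support sshd[15069]: Failed password for ftp from ::ffff:10.10.10.171 port 35621 ssh2",
    "Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from 10.10.333.444 port 1420 ssh2",
    '10.10.10.100 - - [23/Apr/2007:12:29:55 -0500] "GET /olu/adm/reg.html HTTP/1.1" 401 485',
]

# syslog-style sshd line; the optional "illegal user "/"invalid user " marks an unknown account
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<invalid>illegal user |invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)
# Apache common log line whose status field is 401 (authentication required / failed)
APACHE_401 = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" 401 \d+')


@dataclass
class AuthFailure:
    source: str           # assumed labels: "sshd" or "apache"
    ts: str               # timestamp text as logged (formats differ per source)
    user: Optional[str]   # None when the log does not name an account
    src_ip: str           # kept as a string: the HP-UX sample is not a valid IPv4 address
    reason: str           # assumed labels: "bad_password", "unknown_user", "http_401"


def normalize_ip(addr: str) -> str:
    # sshd logs IPv4-mapped IPv6 addresses as ::ffff:a.b.c.d; strip the prefix
    return addr[7:] if addr.lower().startswith("::ffff:") else addr


def parse_auth_failure(line: str) -> Optional[AuthFailure]:
    m = SSHD_FAIL.match(line)
    if m:
        reason = "unknown_user" if m.group("invalid") else "bad_password"
        return AuthFailure("sshd", m.group("ts"), m.group("user"), normalize_ip(m.group("src")), reason)
    m = APACHE_401.match(line)
    if m:
        return AuthFailure("apache", m.group("ts"), None, m.group("src"), "http_401")
    return None  # not an authentication failure we recognize (e.g. "Accepted password")


def count_failures_by_source_ip(lines) -> dict:
    counts: dict = {}
    for ev in filter(None, map(parse_auth_failure, lines)):
        counts[ev.src_ip] = counts.get(ev.src_ip, 0) + 1
    return counts
```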