Hello,

While checking my logs with pdbtool, I ran into this log message:

Sep 23 13:10:03 linux-6y8u sshd[21420]: error: PAM: Authentication failure for root from 192.168.2.52

The attached rule seems to find it correctly:

HOST=linux-6y8u
MESSAGE=error: PAM: Authentication failure for root from 192.168.2.52
PROGRAM=sshd
PID=21420
LEGACY_MSGHDR=sshd[21420]:
.classifier.class=system
.classifier.rule_id=55ec76e0-c709-11df-b62d-000c298c9ba2
usracct.username=root
usracct.device=192.168.2.52
usracct.type=login
usracct.sessionid=21420
usracct.application=sshd
secevt.verdict=REJECT

Bye,
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
Hi,

Are you sure that in this case sshd will not emit the already covered messages? Because if it does, then we'd be generating two login failures to a single message.

I remember selecting only one of the failure messages, only the one which contained the most information. If this is the case, then this one should only be marked up for logcheck-style classification to mark that it's known and no name-value pairs or tags.

If this is not the case, then that's a different matter that needs handling probably with the new correlation framework.

On Thu, 2010-09-23 at 14:11 +0200, Peter Czanik wrote:
Hello,
While checking my logs with pdbtool, I ran into this log message:
Sep 23 13:10:03 linux-6y8u sshd[21420]: error: PAM: Authentication failure for root from 192.168.2.52
The attached rule seems to find it correctly:
HOST=linux-6y8u
MESSAGE=error: PAM: Authentication failure for root from 192.168.2.52
PROGRAM=sshd
PID=21420
LEGACY_MSGHDR=sshd[21420]:
.classifier.class=system
.classifier.rule_id=55ec76e0-c709-11df-b62d-000c298c9ba2
usracct.username=root
usracct.device=192.168.2.52
usracct.type=login
usracct.sessionid=21420
usracct.application=sshd
secevt.verdict=REJECT
Bye,
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
-- Bazsi
On 09/29/2010 10:57 AM, Balazs Scheidler wrote:
Hi,
Are you sure that in this case sshd will not emit the already covered messages?
Because if it does, then we'd be generating two login failures to a single message.
I remember selecting only one of the failure messages, only the one which contained the most information.
If this is the case, then this one should only be marked up for logcheck-style classification to mark that it's known and no name-value pairs or tags.
If this is not the case, then that's a different matter that needs handling probably with the new correlation framework.
I found this message on openSUSE, and no other related messages were in the log. So, in my case it was the only log about the login failure.

Bye,
CzP
On Thu, 2010-09-23 at 14:11 +0200, Peter Czanik wrote:
Hello,
While checking my logs with pdbtool, I ran into this log message:
Sep 23 13:10:03 linux-6y8u sshd[21420]: error: PAM: Authentication failure for root from 192.168.2.52
The attached rule seems to find it correctly:
HOST=linux-6y8u
MESSAGE=error: PAM: Authentication failure for root from 192.168.2.52
PROGRAM=sshd
PID=21420
LEGACY_MSGHDR=sshd[21420]:
.classifier.class=system
.classifier.rule_id=55ec76e0-c709-11df-b62d-000c298c9ba2
usracct.username=root
usracct.device=192.168.2.52
usracct.type=login
usracct.sessionid=21420
usracct.application=sshd
secevt.verdict=REJECT
Bye,
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
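The double-counting concern raised in the thread, as an added example that is not code from the thread or from syslog-ng: a regex stand-in for the two patterndb patterns (the PAM message from the thread, plus a constructed sshd "Failed password" line whose rule id is a placeholder) produces the same name-value pairs pdbtool printed, and the counter then keys failures by (HOST, usracct.sessionid) so that one attempt logged twice is counted once. The second sample line and the second rule id are assumptions, not from the original post.

```python
import re

# Syslog header split into the fields pdbtool prints (HOST, PROGRAM, PID, MESSAGE).
HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Regex equivalents of two patterndb patterns. The first mirrors the PAM message
# from the thread (rule id taken from the pdbtool output). The second stands in
# for an sshd failure message that may already be covered by another rule; its
# id is a hypothetical placeholder, not a real rule.
RULES = [
    ("55ec76e0-c709-11df-b62d-000c298c9ba2",
     re.compile(r"^error: PAM: Authentication failure for (?P<username>\S+) from (?P<device>\S+)$")),
    ("00000000-0000-0000-0000-000000000000",
     re.compile(r"^Failed password for (?P<username>\S+) from (?P<device>\S+) port \d+ ssh2$")),
]

# Constructed sample: the line from the thread, a second line for the same sshd
# PID (one attempt logged twice), and an unrelated third attempt.
SAMPLE_LOG = """\
Sep 23 13:10:03 linux-6y8u sshd[21420]: error: PAM: Authentication failure for root from 192.168.2.52
Sep 23 13:10:03 linux-6y8u sshd[21420]: Failed password for root from 192.168.2.52 port 40122 ssh2
Sep 23 13:12:41 linux-6y8u sshd[21477]: error: PAM: Authentication failure for admin from 192.168.2.53
"""

def classify(line):
    """Return the name-value pairs a matching rule would attach, or None if no rule matches."""
    h = HEADER.match(line)
    if not h:
        return None
    for rule_id, pattern in RULES:
        p = pattern.match(h["msg"])
        if p:
            return {
                "HOST": h["host"], "PROGRAM": h["program"], "PID": h["pid"],
                ".classifier.class": "system", ".classifier.rule_id": rule_id,
                "usracct.username": p["username"], "usracct.device": p["device"],
                "usracct.type": "login", "usracct.sessionid": h["pid"],
                "usracct.application": h["program"], "secevt.verdict": "REJECT",
            }
    return None

def count_login_failures(log_text):
    """Group REJECT verdicts by (HOST, sessionid): matching rule ids per distinct attempt."""
    events = {}
    for line in log_text.splitlines():
        nv = classify(line)
        if nv and nv["secevt.verdict"] == "REJECT":
            events.setdefault((nv["HOST"], nv["usracct.sessionid"]), []).append(nv[".classifier.rule_id"])
    return events
```

Counting matches instead of distinct keys would report three failures for two attempts, which is the inflation Bazsi describes.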