Hello,

Attached is my list of sample log lines for console and telnet logins. I checked it with the login.pdb from http://git.balabit.hu/?p=bazsi/syslog-ng-patterndb.git;a=blob;f=access/login... and ran into some troubles. ( pdbtool match -p login.pdb -f ~/login.samples )

The generic problem is that many lines appear as "Unknown". Some more specific problems:

- root telnet access failure was not found
- root/user logins are not matched
- invalid user on console generates multiple name value pairs

It seems to me that telnet and console logins generate mostly similar log lines, but not the same. For "invalid user" we should probably create name value pairs only for the line which appears in both cases:

pam_unix(login:auth): authentication failure;[...]

Or would we miss failure events if we don't create name value pairs for:

FAILED LOGIN (@NUMBER::@) on @QSTRING::'@ FOR 'UNKNOWN', Authentication failure

Looking at my log samples, in the accepted login lines the only difference is that I don't have "LOGIN" before "(uid=0)" in the login related lines. There is either nothing or a user name. Changing it to:

@ESTRING::(@uid=0)

did the trick, and 'pdbtools test --validate login.pdb' still ran without errors.

Bye,
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
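To make the pattern change in the mail concrete, here is an added example (not code from the mail, the syslog-ng project, or login.pdb): a small Python emulation of a handful of patterndb parser tokens (@NUMBER@, @STRING@, @ESTRING@, @QSTRING@, @ANYSTRING@) translated into regular expressions, run over constructed session and failed-login lines. The sample lines, the value names "user", "attempt" and "tty", and the exact semantics of the emulation (delimiter consumed by @ESTRING@, whole message must be covered) are assumptions for illustration; the real patterndb matcher is a radix tree, not a regex.

```python
import re

# Added example: a tiny emulation of syslog-ng patterndb parser tokens as
# regexes. It approximates the real matcher and is not syslog-ng's own code.

# @PARSER:name:argument@  (name and argument may be empty, e.g. @NUMBER::@)
TOKEN_RE = re.compile(r"@([A-Z]+):([^:@]*)(?::([^@]*))?@")


def _parser_regex(kind, arg):
    """Return (text before value, regex for the value, text after value)."""
    if kind == "NUMBER":
        return "", r"-?\d+", ""
    if kind == "STRING":          # up to the next whitespace
        return "", r"\S+", ""
    if kind == "ANYSTRING":       # everything that is left
        return "", r".*", ""
    if kind == "ESTRING":         # up to the delimiter, which is consumed;
        return "", r".*?", re.escape(arg)   # may match zero characters
    if kind == "QSTRING":         # text between the quote characters
        open_q, close_q = arg[0], arg[-1]
        return re.escape(open_q), "[^" + re.escape(close_q) + "]*", re.escape(close_q)
    raise ValueError("unsupported parser: " + kind)


def compile_pattern(pattern):
    """Translate a patterndb pattern into a regex plus the list of value
    names (one per parser token, '' for unnamed tokens)."""
    regex, names, pos = "", [], 0
    for m in TOKEN_RE.finditer(pattern):
        regex += re.escape(pattern[pos:m.start()])     # literal text
        kind, name, arg = m.group(1), m.group(2), m.group(3) or ""
        pre, value, post = _parser_regex(kind, arg)
        regex += pre + "(" + value + ")" + post
        names.append(name)
        pos = m.end()
    regex += re.escape(pattern[pos:])
    return re.compile(regex), names


def match(pattern, message):
    """Return {name: value} for the named parsers when the pattern covers
    the whole message, or None when the message would show up as Unknown."""
    rx, names = compile_pattern(pattern)
    m = rx.fullmatch(message)
    if m is None:
        return None
    return {n: v for n, v in zip(names, m.groups()) if n}


def unmatched(pattern, lines):
    """Lines the pattern leaves unmatched."""
    return [line for line in lines if match(pattern, line) is None]


# Constructed sample lines (assumption, not the attachment from the mail):
# console login with LOGIN before "(uid=0)", telnet login with nothing
# before it, and a login with a user name before it.
SESSION_LINES = [
    "pam_unix(login:session): session opened for user root by LOGIN(uid=0)",
    "pam_unix(login:session): session opened for user root by (uid=0)",
    "pam_unix(login:session): session opened for user peter by peter(uid=0)",
]

# Pattern with the literal LOGIN, and the @ESTRING::(@ variant from the mail
OLD_PATTERN = ("pam_unix(login:session): session opened for user "
               "@STRING:user@ by LOGIN(uid=0)")
NEW_PATTERN = ("pam_unix(login:session): session opened for user "
               "@STRING:user@ by @ESTRING::(@uid=0)")

# The failed-login pattern from the mail, with value names added (assumption)
FAILED_PATTERN = ("FAILED LOGIN (@NUMBER:attempt@) on @QSTRING:tty:'@ "
                  "FOR 'UNKNOWN', Authentication failure")
FAILED_LINE = "FAILED LOGIN (1) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure"


if __name__ == "__main__":
    for label, pattern in (("literal LOGIN", OLD_PATTERN), ("ESTRING", NEW_PATTERN)):
        print(label, "leaves unmatched:", unmatched(pattern, SESSION_LINES))
        for line in SESSION_LINES:
            print("   ", match(pattern, line))
    print("failed login values:", match(FAILED_PATTERN, FAILED_LINE))
```

Running the block shows the literal-LOGIN pattern matching only the console line while the @ESTRING::(@ form matches all three, and the failed-login pattern yielding the attempt counter and tty as values.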