[syslog-ng] patterndb: collect login/logout samples

Martin Holste mcholste at gmail.com
Tue Jul 13 17:35:34 CEST 2010


Here's one for an Apache basic auth failure on SLES 10 with the
default Apache log format:

[Mon Jul 12 08:55:22 2010] [error] [client 10.10.66.7] user xxxx: authentication failure for "/": Password Mismatch

On Tue, Jul 13, 2010 at 10:01 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
> Hi,
>
> Thanks, this information is very useful. I'll add them as patterndb
> rules into the current set.
>
> btw: it would probably also make sense to mark the status of individual
> rulesets, as the current version is really experimental.
>
> On Tue, 2010-07-13 at 15:29 +0200, Siem Korteweg wrote:
>> Hi,
>>
>> Not sure whether the following should be caught.
>>
>> This message is displayed when an unknown user attempts to log in:
>>
>>    Jul 13 14:29:34 centos53 sshd[12779]: Failed password for invalid user xxxx from 127.0.0.1 port 40102 ssh2
>>
>> When the DenyGroups and/or DenyUsers keywords for sshd are used to restrict
>> access (for users in LDAP), the following messages are displayed for users
>> that are not allowed to login:
>>
>>    Jul 13 15:05:54 centos53 sshd[13031]: User siem from centos53 not allowed because listed in DenyUsers
>>    Jul 13 15:05:58 centos53 sshd[13031]: Failed password for invalid user siem from 127.0.0.1 port 53618 ssh2
>>
>> and
>>
>>    Jul 13 15:09:15 centos53 sshd[13061]: User siem from centos53 not allowed because a group is listed in DenyGroups
>>    Jul 13 15:09:22 centos53 sshd[13061]: Failed password for invalid user siem from 127.0.0.1 port 37397 ssh2
>>
>> When the AllowGroups and/or AllowUsers keywords are used, the following
>> messages are displayed:
>>
>>    Jul 13 15:22:01 centos53 sshd[13155]: User siem from centos53 not allowed because not listed in AllowUsers
>>    Jul 13 15:22:05 centos53 sshd[13155]: Failed password for invalid user siem from 127.0.0.1 port 49085 ssh2
>>
>> and
>>
>>    Jul 13 15:23:48 centos53 sshd[13180]: User siem from centos53 not allowed because none of user's groups are listed in AllowGroups
>>    Jul 13 15:23:53 centos53 sshd[13180]: Failed password for invalid user siem from 127.0.0.1 port 33481 ssh2
>
> --
> Bazsi
>
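An added example, not code from this thread or from syslog-ng itself: a small Python matcher that implements a subset of the patterndb pattern language (@ESTRING@, @QSTRING@, @NUMBER@, @IPv4@, @ANYSTRING@) as regular expressions and runs constructed rules over the sshd and Apache samples quoted above, so that field extraction (username, source host or address, port, denial reason) can be checked before the rules are written up as patterndb XML. The rule tags, the "apache-error" program name and the parser semantics (ESTRING consuming its delimiter, QSTRING consuming its quotes) are assumptions of this example; the log lines are the thread's own samples, re-joined where the mail wrapped them.

```python
"""Miniature patterndb-style matcher: an added example, not syslog-ng's own code.
Implements a subset of the patterndb pattern language as regexes and runs
constructed rules over the sshd and Apache samples quoted in the thread."""
import re

# One parser token: @KIND:name@ or @KIND:name:param@
_TOKEN = re.compile(r"@(\w+):([\w.]+)(?::([^@]*))?@")

def _parser_regex(kind, group, param):
    """Regex fragment approximating one patterndb parser (assumed semantics)."""
    if kind == "NUMBER":
        return rf"(?P<{group}>\d+)"
    if kind == "IPv4":
        return rf"(?P<{group}>\d{{1,3}}(?:\.\d{{1,3}}){{3}})"
    if kind == "ANYSTRING":  # rest of the message
        return rf"(?P<{group}>.*)"
    if kind == "QSTRING":    # text between quote characters; quotes consumed
        q = re.escape(param)
        return rf"{q}(?P<{group}>.*?){q}"
    if kind == "ESTRING":    # text up to the delimiter; delimiter consumed, not captured
        if not param:        # empty delimiter treated here as "rest of the message"
            return rf"(?P<{group}>.*)"
        return rf"(?P<{group}>.*?){re.escape(param)}"
    raise ValueError(f"unsupported parser @{kind}@")

def compile_pattern(pattern):
    """Turn a patterndb pattern into an anchored regex plus a group->field-name map."""
    regex, pos, names = "^", 0, {}
    for m in _TOKEN.finditer(pattern):
        kind, name, param = m.groups()
        group = name.replace(".", "__")  # regex group names cannot contain dots
        names[group] = name
        regex += re.escape(pattern[pos:m.start()]) + _parser_regex(kind, group, param)
        pos = m.end()
    regex += re.escape(pattern[pos:]) + "$"
    return re.compile(regex), names

# (program, tag, pattern). Patterns cover the message part only: syslog-ng has
# already split off PROGRAM by the time patterndb runs. Tags are constructed.
RULES = [
    ("sshd", "ssh.invalid_user",
     "Failed password for invalid user @ESTRING:usracct.username: @from @IPv4:usracct.device@ port @NUMBER:usracct.port@ ssh2"),
    ("sshd", "ssh.denied.denyusers",
     "User @ESTRING:usracct.username: @from @ESTRING:usracct.device: @not allowed because listed in DenyUsers"),
    ("sshd", "ssh.denied.denygroups",
     "User @ESTRING:usracct.username: @from @ESTRING:usracct.device: @not allowed because a group is listed in DenyGroups"),
    ("sshd", "ssh.denied.allowusers",
     "User @ESTRING:usracct.username: @from @ESTRING:usracct.device: @not allowed because not listed in AllowUsers"),
    ("sshd", "ssh.denied.allowgroups",
     "User @ESTRING:usracct.username: @from @ESTRING:usracct.device: @not allowed because none of user's groups are listed in AllowGroups"),
    # Apache error_log read as a file source; "apache-error" is an assumed program name.
    ("apache-error", "http.basicauth.failure",
     '[@ESTRING:timestamp:] @[error] [client @IPv4:usracct.device@] user @ESTRING:usracct.username:: @authentication failure for @QSTRING:url:"@: @ANYSTRING:reason@'),
]
_COMPILED = [(prog, tag, *compile_pattern(pat)) for prog, tag, pat in RULES]

# BSD-syslog header, split the way syslog-ng does before patterndb sees the message
_SYSLOG = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
                     r"(?P<program>[^\s\[:]+)(?:\[\d+\])?: (?P<message>.*)$")

def split_syslog(line):
    """Return (program, message) for one BSD-syslog line."""
    m = _SYSLOG.match(line)
    if not m:
        raise ValueError("not a BSD-syslog line: " + line)
    return m.group("program"), m.group("message")

def classify(program, message):
    """Return (tag, fields) for the first rule of this program that matches, else (None, {})."""
    for prog, tag, regex, names in _COMPILED:
        if prog == program:
            m = regex.match(message)
            if m:
                return tag, {names[g]: v for g, v in m.groupdict().items()}
    return None, {}

# Samples from the thread, re-joined where the mail wrapped them.
SSHD_SAMPLES = [
    "Jul 13 14:29:34 centos53 sshd[12779]: Failed password for invalid user xxxx from 127.0.0.1 port 40102 ssh2",
    "Jul 13 15:05:54 centos53 sshd[13031]: User siem from centos53 not allowed because listed in DenyUsers",
    "Jul 13 15:09:15 centos53 sshd[13061]: User siem from centos53 not allowed because a group is listed in DenyGroups",
    "Jul 13 15:22:01 centos53 sshd[13155]: User siem from centos53 not allowed because not listed in AllowUsers",
    "Jul 13 15:23:48 centos53 sshd[13180]: User siem from centos53 not allowed because none of user's groups are listed in AllowGroups",
]
APACHE_SAMPLE = ('[Mon Jul 12 08:55:22 2010] [error] [client 10.10.66.7] user xxxx: '
                 'authentication failure for "/": Password Mismatch')

def classify_syslog_lines(lines):
    """Classify raw syslog lines; returns a list of (tag, fields)."""
    return [classify(*split_syslog(line)) for line in lines]

if __name__ == "__main__":
    for tag, fields in classify_syslog_lines(SSHD_SAMPLES):
        print(tag, fields)
    print(*classify("apache-error", APACHE_SAMPLE))
```

The four "not allowed because ..." messages get separate rules and tags rather than one rule with an @ANYSTRING:reason@ tail, because the reason is exactly what a detection rule or report wants to key on; the "Failed password for invalid user" line that sshd logs right after each of them is caught by the first rule regardless of which Deny/Allow keyword triggered it. A message that no rule of its program matches returns (None, {}), which is what an operator should review for new samples to feed back into the ruleset.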