[syslog-ng] patterndb: collect login/logout samples
Patrick H.
syslogng at feystorm.net
Wed Jul 14 01:12:02 CEST 2010
Sent: Tuesday, July 13, 2010 5:25:13 AM
From: Balazs Scheidler <bazsi at balabit.hu>
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] patterndb: collect login/logout samples
> Hi,
>
> After getting the generic patterndb policy into shape, I'd like to start
> collecting log samples, preferably in a domain that is useful for
> everyone.
>
> My target at first is login/logout/login failure events. I'd start
> with a generic Linux installation and try to cover all applications that
> perform authentication.
>
I took a look at that pdb format and was lost. I'll probably learn it eventually, but would just make a mess of it if I tried now. But here are a lot of examples that haven't been provided yet.
All messages were generated from RHEL 5 servers.
ssh netgroup restricted login (user is valid):
Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Invalid user phemmer from 165.212.225.134
Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Failed none for invalid user phemmer from 165.212.225.134 port 49528 ssh2
ssh tcpwrapper (/etc/hosts.deny) restricted login:
Jul 13 23:02:57 admin02.cms.usa.net sshd[7442]: refused connect from 165.212.15.221 (165.212.15.221)
-------------------
su valid login:
Jul 13 22:47:07 admin02.cms.usa.net su: pam_unix(su:session): session opened for user root by phemmer(uid=8129)
su bad pass:
Jul 13 22:31:07 admin02.cms.usa.net su: pam_unix(su:auth): authentication failure; logname=phemmer uid=8129 euid=0 tty=pts/13 ruser=phemmer rhost= user=root
su bad user generates no message
su log out:
Jul 13 23:07:13 admin02.cms.usa.net su: pam_unix(su:session): session closed for user root
-------------------
sudo valid login:
Jul 13 22:46:46 : phemmer : HOST=admin02 : TTY=pts/13 ; PWD=/home/phemmer ; USER=root ; COMMAND=/bin/ls
sudo bad pass:
Jul 13 22:33:53 admin02.cms.usa.net sudo: pam_unix(sudo:auth): authentication failure; logname=phemmer uid=0 euid=0 tty=/dev/pts/13 ruser= rhost= user=phemmer
Jul 13 22:34:05 admin02.cms.usa.net sudo: phemmer : 3 incorrect password attempts ; TTY=pts/13 ; PWD=/home/phemmer ; USER=root ; COMMAND=/bin/ls
sudo bad user:
Jul 13 22:41:13 admin02.cms.usa.net sudo: phemmer : no passwd entry for asdfh!
-------------------
serial console valid login:
Jul 13 22:46:02 admin02.cms.usa.net login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jul 13 22:46:02 admin02.cms.usa.net login: DIALUP AT ttyS1 BY root
Jul 13 22:46:02 admin02.cms.usa.net login: ROOT LOGIN ON ttyS1
serial console bad pass:
Jul 13 22:38:34 admin02.cms.usa.net login: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
serial console bad user:
Jul 13 22:38:56 admin02.cms.usa.net login: pam_unix(login:auth): check pass; user unknown
Jul 13 22:38:56 admin02.cms.usa.net login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=ttyS1 ruser= rhost=
Jul 13 22:38:56 admin02.cms.usa.net login: pam_succeed_if(login:auth): error retrieving information about user asdfjh
Jul 13 22:38:57 admin02.cms.usa.net login: FAILED LOGIN 2 FROM (null) FOR asdfjh, User not known to the underlying authentication module
serial console logout:
Jul 13 23:06:29 admin02.cms.usa.net login: pam_unix(login:session): session closed for user root
-------------------
physical console valid login:
Jul 13 22:42:54 localhost login: ROOT LOGIN ON tty1
physical console bad pass:
Jul 13 22:44:30 localhost login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=root
Jul 13 22:44:32 localhost login: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
physical console bad user:
Jul 13 22:44:57 localhost login: pam_unix(login:auth): check pass; user unknown
Jul 13 22:44:57 localhost login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Jul 13 22:44:57 localhost login: pam_succeed_if(login:auth): error retrieving information about user shdga
Jul 13 22:44:59 localhost login: FAILED LOGIN 2 FROM (null) FOR shdga, User not known to the underlying authentication module
physical console logout:
Jul 13 23:08:28 localhost login: pam_unix(login:session): session closed for user root
-------------------
VMware server messages are the exact same for both remote console application and web UI.
vmware server valid login:
Jul 13 22:53:49 vmware02 Hostd: Accepted password for user root from 127.0.0.1
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.705 'Vimsvc' 1098422592 info] [Auth]: User root
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.706 'ha-eventmgr' 1098422592 info] Event 3 : User root at 127.0.0.1 logged in
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.706 'PropertyProvider' 1098422592 verbose] RecordOp ASSIGN: latestEvent, ha-eventmgr
Jul 13 22:53:49 vmware02 Hostd: [2010-07-13 22:53:49.706 'PropertyProvider' 1098422592 verbose] RecordOp ADD: sessionList["52efdf57-6fa9-a095-a7d3-48ef63421e73"], ha-sessionmgr
vmware server bad user:
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.677 'ha-eventmgr' 47473126103232 info] Event 2 : Failed login attempt for asdf at 127.0.0.1
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.677 'PropertyProvider' 47473126103232 verbose] RecordOp ASSIGN: latestEvent, ha-eventmgr
Jul 13 22:53:15 vmware02 Hostd: Rejected password for user asdf from 127.0.0.1
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.677 'Vmomi' 47473126103232 info] Activation [N5Vmomi10ActivationE:0xe5eedc0] : Invoke done [login] on [vim.SessionManager:ha-sessionmgr]
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.678 'Vmomi' 47473126103232 info] Throw vim.fault.InvalidLogin
Jul 13 22:53:15 vmware02 Hostd: [2010-07-13 22:53:15.678 'Vmomi' 47473126103232 info] Result:
Jul 13 22:53:15 vmware02 Hostd: (vim.fault.InvalidLogin) {
dynamicType = <unset>, msg = "" }
Jul 13 22:53:15 vmware02 Hostd:
vmware server bad pass:
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.215 'ha-eventmgr' 1086609728 info] Event 1 : Failed login attempt for root at 127.0.0.1
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.215 'PropertyProvider' 1086609728 verbose] RecordOp ASSIGN: latestEvent, ha-eventmgr
Jul 13 22:51:47 vmware02 Hostd: Rejected password for user root from 127.0.0.1
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.216 'Vmomi' 1086609728 info] Activation [N5Vmomi10ActivationE:0xe5e3a80] : Invoke done [login] on [vim.SessionManager:ha-sessionmgr]
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.216 'Vmomi' 1086609728 info] Throw vim.fault.InvalidLogin
Jul 13 22:51:47 vmware02 Hostd: [2010-07-13 22:51:47.216 'Vmomi' 1086609728 info] Result:
Jul 13 22:51:47 vmware02 Hostd: (vim.fault.InvalidLogin) {
dynamicType = <unset>, msg = "" }
Jul 13 22:51:47 vmware02 Hostd:
vmware server no permissions:
Jul 13 22:54:27 vmware02 Hostd: Accepted password for user phemmer from 127.0.0.1
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.905 'Vimsvc' 1098688832 info] [Auth]: User phemmer
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.906 'ha-eventmgr' 1098688832 info] Event 4 : Failed to login user phemmer at 127.0.0.1: No permission
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.906 'PropertyProvider' 1098688832 verbose] RecordOp ASSIGN: latestEvent, ha-eventmgr
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.906 'Vmomi' 1098688832 info] Activation [N5Vmomi10ActivationE:0xe86bd80] : Invoke done [login] on [vim.SessionManager:ha-sessionmgr]
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.907 'Vmomi' 1098688832 info] Throw vim.fault.NoPermission
Jul 13 22:54:27 vmware02 Hostd: [2010-07-13 22:54:27.907 'Vmomi' 1098688832 info] Result:
Jul 13 22:54:27 vmware02 Hostd: (vim.fault.NoPermission) {
dynamicType = <unset>, object = 'vim.Folder:ha-folder-root',
privilegeId = "System.View", msg = "" }
Jul 13 22:54:27 vmware02 Hostd:
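A patterndb v3 ruleset that classifies the sshd and su samples from this message, added here as an illustration; it is not from the thread or from the syslog-ng project's own rulesets. The ruleset and rule ids are placeholders, and the usracct.* field names with usracct.type set to login, login-failed or logout are a naming convention assumed for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative ruleset for the sshd/su samples in this thread; ids are placeholders.
     Assumed convention: usracct.type is login, login-failed or logout for every app. -->
<patterndb version="3" pub_date="2010-07-14">
  <ruleset name="sshd-login-samples" id="PLACEHOLDER-RULESET-ID-sshd">
    <pattern>sshd</pattern>
    <rules>
      <rule provider="example" id="PLACEHOLDER-RULE-ID-sshd-invalid" class="violation">
        <patterns>
          <!-- "Invalid user phemmer from 165.212.225.134" -->
          <pattern>Invalid user @ESTRING:usracct.username: @from @IPv4:usracct.device@</pattern>
          <!-- "Failed none for invalid user phemmer from 165.212.225.134 port 49528 ssh2" -->
          <pattern>Failed @ESTRING:usracct.authmethod: @for invalid user @ESTRING:usracct.username: @from @IPv4:usracct.device@ port @NUMBER:usracct.port@ @ANYSTRING:usracct.service@</pattern>
        </patterns>
        <tags><tag>usracct</tag></tags>
        <values><value name="usracct.type">login-failed</value></values>
      </rule>
    </rules>
  </ruleset>
  <ruleset name="su-login-samples" id="PLACEHOLDER-RULESET-ID-su">
    <pattern>su</pattern>
    <rules>
      <rule provider="example" id="PLACEHOLDER-RULE-ID-su-open" class="system">
        <patterns>
          <!-- "pam_unix(su:session): session opened for user root by phemmer(uid=8129)" -->
          <pattern>pam_unix(su:session): session opened for user @ESTRING:usracct.username: @by @ESTRING:usracct.authname:(@uid=@NUMBER:usracct.uid@)</pattern>
        </patterns>
        <tags><tag>usracct</tag></tags>
        <values><value name="usracct.type">login</value></values>
      </rule>
      <rule provider="example" id="PLACEHOLDER-RULE-ID-su-close" class="system">
        <patterns>
          <pattern>pam_unix(su:session): session closed for user @ANYSTRING:usracct.username@</pattern>
        </patterns>
        <tags><tag>usracct</tag></tags>
        <values><value name="usracct.type">logout</value></values>
      </rule>
      <rule provider="example" id="PLACEHOLDER-RULE-ID-su-authfail" class="violation">
        <patterns>
          <!-- empty fields such as "rhost=" are matched by a zero-length @ESTRING:: @ -->
          <pattern>pam_unix(su:auth): authentication failure; logname=@ESTRING:usracct.authname: @uid=@NUMBER:usracct.uid@ euid=@NUMBER@ tty=@ESTRING:usracct.device: @ruser=@ESTRING:: @rhost=@ESTRING:: @user=@ANYSTRING:usracct.username@</pattern>
        </patterns>
        <tags><tag>usracct</tag></tags>
        <values><value name="usracct.type">login-failed</value></values>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

The file is loaded with `parser p_db { db-parser(file("/etc/syslog-ng/logins.pdb")); };` (path is a placeholder); matched messages then carry .classifier.class and the usracct.* values, so one filter on usracct.type selects login failures regardless of which application produced them.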