[syslog-ng] patterndb: collect login/logout samples

Balazs Scheidler bazsi at balabit.hu
Wed Jul 14 09:43:22 CEST 2010


On Tue, 2010-07-13 at 12:37 -0700, Anton Chuvakin wrote:
> > My target at first is login/logout/login failure events. I'd start
> > with a generic Linux installation and try to cover all applications that
> > perform authentication.
> 
> OK, so here are some:
> 
> OS
> Linux
> SSH
> bad pwd
> Apr 22 16:56:39 support sshd[11354]: Failed password for root from
> ::ffff:10.10.10.4 port 4027 ssh2
> bad user
> Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user
> admin from ::ffff:10.10.10.135 port 45629 ssh2
> FTP
> bad pwd
> Apr 23 14:07:49 support sshd[15069]: Failed password for ftp from
> ::ffff:10.10.10.171 port 35621 ssh2
> 
> OS
> HP-UX
> bad pwd
> Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from
> 10.10.333.444 port 1420 ssh2
> 
> Web
> Apache
> 401
> 10.10.10.100 - - [23/Apr/2007:12:29:55 -0500] "GET /olu/adm/reg.html
> HTTP/1.1" 401 485
> 
> 
> Is login success next, hopefully?
> 

Ahh, I might have put the wording wrong. I meant login AND logout and
login failure.

So let those come as well.

Great to receive these patterns. I really appreciate them. I hope to get
your submissions into shape hopefully today, but worst case this week.


-- 
Bazsi
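
As an added example (not part of the original message, and not syslog-ng or patterndb code), this Python sketch normalizes the sshd "Failed password" samples quoted above into login-failure events. The regular expression and the output field names are assumptions made for illustration; the sample lines are the quoted ones with the e-mail line wrap undone.

```python
import ipaddress
import re

# sshd samples quoted in the message above, with the e-mail line wrap undone.
SAMPLES = [
    "Apr 22 16:56:39 support sshd[11354]: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2",
    "Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2",
    "Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from 10.10.333.444 port 1420 ssh2",
]

# Assumed pattern (illustration only). The samples say "illegal user";
# newer OpenSSH releases log "invalid user" in the same position.
FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for "
    r"(?P<unknown>(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) (?P<proto>\S+)$"
)

def normalize_source(raw):
    """Return (address, valid); IPv4-mapped IPv6 is reduced to plain IPv4."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        # Not a valid address (e.g. 10.10.333.444 in the HP-UX sample):
        # keep the raw text and flag it instead of dropping the event.
        return raw, False
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped if mapped is not None else addr), True

def parse_failed_login(line):
    """Map one sshd line to a normalized login-failure event, or None."""
    m = FAILED.search(line)
    if m is None:
        return None
    src, src_valid = normalize_source(m.group("src"))
    return {
        "action": "login",
        "status": "failure",
        "service": "sshd",
        "user": m.group("user"),
        "user_exists": m.group("unknown") is None,  # False for "illegal user"
        "src": src,
        "src_valid": src_valid,
        "port": int(m.group("port")),
    }

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_failed_login(line))
```

The ::ffff: prefix is reduced to the plain IPv4 address so that events from the same source correlate regardless of how sshd was listening.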