[syslog-ng] patterndb: collect login/logout samples

Martin Holste mcholste at gmail.com
Wed Jul 14 15:25:55 CEST 2010


Here's SSH with a successful public key login and subsequent logout:

Jul  4 12:28:27 webserver0163 sshd[22134]: Accepted publickey for johnny from 10.10.85.208 port 50674 ssh2
Jul  4 12:28:28 webserver0163 sshd[22136]: Received disconnect from 10.10.85.208: 11: disconnected by user


On Wed, Jul 14, 2010 at 2:43 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
> On Tue, 2010-07-13 at 12:37 -0700, Anton Chuvakin wrote:
>> > My target is at first is login/logout/login failure events. I'd start
>> > with a generic Linux installation and try to cover all applications that
>> > perform authentication.
>>
>> OK, so here are some:
>>
>> OS
>> Linux
>> SSH
>> bad pwd
>> Apr 22 16:56:39 support sshd[11354]: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2
>> bad user
>> Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2
>> FTP
>> bad pwd
>> Apr 23 14:07:49 support sshd[15069]: Failed password for ftp from ::ffff:10.10.10.171 port 35621 ssh2
>>
>> OS
>> HP-UX
>> bad pwd
>> Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from 10.10.333.444 port 1420 ssh2
>>
>> Web
>> Apache
>> 401
>> 10.10.10.100 - - [23/Apr/2007:12:29:55 -0500] "GET /olu/adm/reg.html HTTP/1.1" 401 485
>>
>>
>> Is login success next, hopefully?
>>
>
> Ahh, I might have put the wording wrong. I've meant login AND logout and
> login failure.
>
> So let those coming as well.
>
> Great to receive these patterns. I really appreciate them. I hope to get
> your submissions into shape hopefully today, but worst case this week.
>
>
> --
> Bazsi
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
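The sshd samples in this thread are exactly the shapes a patterndb ruleset has to distinguish: accepted login, failed password (with or without an invalid user), and the disconnect that marks the logout. As an added illustration that is not part of the thread or of syslog-ng's own patterndb, the Python below parses constructed copies of those lines into login / login_failure / logout events, normalizes the IPv4-mapped IPv6 sources (`::ffff:10.10.10.4`) that appear in the samples, and keeps a malformed address such as the `10.10.333.444` in the HP-UX sample rather than dropping the event. The regexes, the `AuthEvent` fields and the sample lines are all assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed samples, modelled on the sshd lines posted in this thread;
# the last line is unrelated noise that the classifier must ignore.
SAMPLE_LINES = [
    "Jul  4 12:28:27 webserver0163 sshd[22134]: Accepted publickey for johnny from 10.10.85.208 port 50674 ssh2",
    "Jul  4 12:28:28 webserver0163 sshd[22136]: Received disconnect from 10.10.85.208: 11: disconnected by user",
    "Apr 22 16:56:39 support sshd[11354]: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2",
    "Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2",
    "Apr 22 13:41:22 support cron[100]: (root) CMD (run-parts /etc/cron.hourly)",
]

# BSD syslog envelope: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# The three sshd message shapes seen in the thread (assumed patterns).
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?:(?P<invalid>illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
DISCONNECT_RE = re.compile(r"^Received disconnect from (?P<src>\S+): (?P<code>\d+):")


@dataclass
class AuthEvent:
    kind: str             # "login", "login_failure" or "logout"
    host: str
    user: Optional[str]   # None for disconnects, which carry no username
    src: str              # normalized source address (or the raw text if malformed)
    port: Optional[int]
    method: Optional[str]
    invalid_user: bool = False


def normalize_source(src: str) -> str:
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4; keep junk verbatim."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return src  # e.g. "10.10.333.444" from the thread: not an address, keep as-is
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def classify(line: str) -> Optional[AuthEvent]:
    """Return the auth event a syslog line describes, or None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "sshd":
        return None
    host, msg = m.group("host"), m.group("msg")
    a = ACCEPTED_RE.match(msg)
    if a:
        return AuthEvent("login", host, a["user"], normalize_source(a["src"]),
                         int(a["port"]), a["method"])
    f = FAILED_RE.match(msg)
    if f:
        return AuthEvent("login_failure", host, f["user"], normalize_source(f["src"]),
                         int(f["port"]), f["method"], invalid_user=f["invalid"] is not None)
    d = DISCONNECT_RE.match(msg)
    if d:
        return AuthEvent("logout", host, None, normalize_source(d["src"]), None, None)
    return None


def classify_all(lines: Iterable[str]) -> List[AuthEvent]:
    return [e for e in (classify(line) for line in lines) if e is not None]


def summarize(events: Iterable[AuthEvent]) -> dict:
    """Counts per event kind, plus failed logins per normalized source address."""
    events = list(events)
    return {
        "by_kind": dict(Counter(e.kind for e in events)),
        "failures_by_source": dict(Counter(e.src for e in events if e.kind == "login_failure")),
    }


if __name__ == "__main__":
    found = classify_all(SAMPLE_LINES)
    for ev in found:
        print(ev)
    print(summarize(found))
```

The `failures_by_source` count is the piece a detection rule would threshold on; normalizing the mapped-IPv6 form first matters because otherwise `::ffff:10.10.10.4` and `10.10.10.4` are counted as two different sources.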

