[syslog-ng] patterndb: collect login/logout samples

Balazs Scheidler bazsi at balabit.hu
Thu Jul 15 15:28:59 CEST 2010


Hi,

On Tue, 2010-07-13 at 15:29 +0200, Siem Korteweg wrote:
> Hi,
> 
> Not sure whether the following should be caught.
> 
> This message is displayed when an unknown user attempts to log in:
> 
>    Jul 13 14:29:34 centos53 sshd[12779]: Failed password for invalid user
> xxxx from 127.0.0.1 port 40102 ssh2
> 
> When the DenyGroups and/or DenyUsers keywords for sshd are used to restrict
> access (for users in LDAP), the following messages are displayed for users
> that are not allowed to login:
> 
>    Jul 13 15:05:54 centos53 sshd[13031]: User siem from centos53 not allowed
> because listed in DenyUsers
>    Jul 13 15:05:58 centos53 sshd[13031]: Failed password for invalid user
> siem from 127.0.0.1 port 53618 ssh2
> 
> and
> 
>    Jul 13 15:09:15 centos53 sshd[13061]: User siem from centos53 not allowed
> because a group is listed in DenyGroups
>    Jul 13 15:09:22 centos53 sshd[13061]: Failed password for invalid user
> siem from 127.0.0.1 port 37397 ssh2

Are both of these logged when such an event occurs? Because if it does,
then a single pattern (the 2nd line) covers both, right?

> 
> When the AllowGroups and/or AllowUsers keywords are used, the following
> messages are displayed:
> 
>    Jul 13 15:22:01 centos53 sshd[13155]: User siem from centos53 not allowed
> because not listed in AllowUsers
>    Jul 13 15:22:05 centos53 sshd[13155]: Failed password for invalid user
> siem from 127.0.0.1 port 49085 ssh2
> 
> and
> 
>    Jul 13 15:23:48 centos53 sshd[13180]: User siem from centos53 not allowed
> because none of user's groups are listed in AllowGroups
>    Jul 13 15:23:53 centos53 sshd[13180]: Failed password for invalid user
> siem from 127.0.0.1 port 33481 ssh2

Again, from the login/logout/failure point of view, the "invalid user"
log message grasps the event of a login failure.

The other two messages contain additional details about the upcoming
message though, but in order to connect the two an additional
correlation step would need to be performed, which is not in scope
right now.

Here's the pattern I've added based on your sample:

+      <rule provider="patterndb" id="1a8891ff-6b86-4da5-b937-b789c76ef353" class="system">
+        <patterns>
+          <pattern>Failed @ESTRING:usracct.authmethod: @for invalid user @ESTRING:usracct.username: @from @ESTRING:usracct.device: @port @ESTRING:: @@ANYSTRING:usracct.service@</pattern>
+        </patterns>
+        <examples>
+          <example>
+           <test_message program="sshd">Failed password for invalid user siem from 127.0.0.1 port 37397 ssh2</test_message>
+           <test_values>
+            <test_value name="usracct.username">siem</test_value>
+            <test_value name="usracct.authmethod">password</test_value>
+            <test_value name="usracct.device">127.0.0.1</test_value>
+            <test_value name="usracct.service">ssh2</test_value>
+           </test_values>
+          </example>
+        </examples>
+        <values>
+          <value name="usracct.type">login</value>
+          <value name="usracct.sessionid">$PID</value>
+          <value name="usracct.application">$PROGRAM</value>
+          <value name="secevt.verdict">REJECT</value>
+        </values>
+        <tags>
+          <tag>usracct</tag>
+          <tag>secevt</tag>
+        </tags>
+      </rule>
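Review bot: the `@ESTRING:: @` parser after `port ` in the pattern has an empty name, so the source port is matched and then discarded; a named parser there (for instance `@ESTRING:usracct.port: @`, the name being a suggestion) would keep it next to `usracct.device`, which helps tell apart repeated attempts from the same address. Note also that the pattern only matches messages containing the literal `for invalid user`, and the single example block exercises just the DenyGroups sample from the thread; adding one of the other samples (e.g. the AllowUsers one, port 49085) as a second example would make the test cover more of the collected messages.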


-- 
Bazsi
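The following is an added example, not code from this thread or from syslog-ng itself. It implements a toy subset of the patterndb parser syntax (only `@ESTRING:name:delim@` and `@ANYSTRING:name@`, the two used in the rule above), applies the rule's pattern and static values to the sample messages collected in the thread, and then performs the correlation step Bazsi describes as out of scope: attaching the "not allowed because ..." reason to the subsequent "Failed password" message logged by the same sshd process. The sample log lines are the ones quoted in the thread, re-joined onto single lines; the `NOT_ALLOWED_RE` regex, the `reason` field and the whole matcher are my own assumptions, and real patterndb uses a radix tree with many more parser types and semantics than shown here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the sshd lines quoted in this thread, unwrapped.
SAMPLE_LOG = """\
Jul 13 14:29:34 centos53 sshd[12779]: Failed password for invalid user xxxx from 127.0.0.1 port 40102 ssh2
Jul 13 15:05:54 centos53 sshd[13031]: User siem from centos53 not allowed because listed in DenyUsers
Jul 13 15:05:58 centos53 sshd[13031]: Failed password for invalid user siem from 127.0.0.1 port 53618 ssh2
Jul 13 15:09:15 centos53 sshd[13061]: User siem from centos53 not allowed because a group is listed in DenyGroups
Jul 13 15:09:22 centos53 sshd[13061]: Failed password for invalid user siem from 127.0.0.1 port 37397 ssh2
Jul 13 15:22:01 centos53 sshd[13155]: User siem from centos53 not allowed because not listed in AllowUsers
Jul 13 15:22:05 centos53 sshd[13155]: Failed password for invalid user siem from 127.0.0.1 port 49085 ssh2
"""

# Pattern and static values copied from the rule posted in the thread.
FAILED_LOGIN_PATTERN = ("Failed @ESTRING:usracct.authmethod: @for invalid user "
                        "@ESTRING:usracct.username: @from @ESTRING:usracct.device: @"
                        "port @ESTRING:: @@ANYSTRING:usracct.service@")
RULE_VALUES = {
    "usracct.type": "login",
    "usracct.sessionid": "$PID",
    "usracct.application": "$PROGRAM",
    "secevt.verdict": "REJECT",
}

# Assumed syslog line layout: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Toy parser syntax: @KIND:name@ or @KIND:name:delimiter@.
PARSER_RE = re.compile(r"@(?P<kind>ESTRING|ANYSTRING):(?P<name>[^:@]*)(?::(?P<delim>[^@]*))?@")
# Hypothetical matcher for the "not allowed because ..." detail message.
NOT_ALLOWED_RE = re.compile(r"^User (?P<user>\S+) from (?P<src>\S+) not allowed because (?P<reason>.+)$")


def compile_pattern(pattern: str) -> List[Tuple[str, str, Optional[str]]]:
    """Split a pattern into ("literal", text, None) and (kind, name, delim) tokens."""
    tokens, pos = [], 0
    for m in PARSER_RE.finditer(pattern):
        if m.start() > pos:
            tokens.append(("literal", pattern[pos:m.start()], None))
        tokens.append((m.group("kind"), m.group("name"), m.group("delim")))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(("literal", pattern[pos:], None))
    return tokens


def match_pattern(pattern: str, message: str) -> Optional[Dict[str, str]]:
    """Return the named values if the whole message matches the pattern, else None."""
    values: Dict[str, str] = {}
    pos = 0
    for kind, text, delim in compile_pattern(pattern):
        if kind == "literal":
            if not message.startswith(text, pos):
                return None
            pos += len(text)
        elif kind == "ESTRING":
            if delim:
                end = message.find(delim, pos)
                if end < 0:
                    return None
                value, pos = message[pos:end], end + len(delim)
            else:  # no delimiter given: consume the rest of the message
                value, pos = message[pos:], len(message)
            if text:  # an empty name, as in "@ESTRING:: @", discards the value
                values[text] = value
        elif kind == "ANYSTRING":
            values[text] = message[pos:]
            pos = len(message)
    return values if pos == len(message) else None


def correlate(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Apply the rule to each line and join the earlier 'not allowed' reason by sshd PID."""
    pending_reason: Dict[str, str] = {}
    events: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, program, msg = m.group("pid"), m.group("program"), m.group("msg")
        detail = NOT_ALLOWED_RE.match(msg)
        if detail:  # remember the reason until the failure from the same process arrives
            pending_reason[pid] = detail.group("reason")
            continue
        fields = match_pattern(FAILED_LOGIN_PATTERN, msg)
        if fields is None:
            continue
        macros = {"$PID": pid, "$PROGRAM": program}  # resolve the rule's static values
        for key, val in RULE_VALUES.items():
            fields[key] = macros.get(val, val)
        fields["reason"] = pending_reason.pop(pid, None)
        events.append(fields)
    return events


if __name__ == "__main__":
    for event in correlate(SAMPLE_LOG):
        print(event)
```

The "invalid user" message alone yields the `usracct.*` fields and the REJECT verdict, as the rule intends; the `reason` field is only populated when an sshd process with the same PID logged a "not allowed because" line first, which is the correlation the thread leaves for later.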