[syslog-ng] patterndb: collect login/logout samples

Balazs Scheidler bazsi at balabit.hu
Thu Jul 15 16:53:05 CEST 2010


On Wed, 2010-07-14 at 08:25 -0500, Martin Holste wrote:
> Here's SSH with a successful public key login and subsequent logout:
> 
> Jul  4 12:28:27 webserver0163 sshd[22134]: Accepted publickey for
> johnny from 10.10.85.208 port 50674 ssh2

This is covered already.

> Jul  4 12:28:28 webserver0163 sshd[22136]: Received disconnect from
> 10.10.85.208: 11: disconnected by user

I was using the pam_unix event for this, because that contained more
information, and I didn't want to have multiple logout events for the
same session.

pam_unix(sshd:session): session closed for user bazsi

Hmm.. although the more I think of it, this would possibly mean that on
non-PAM platforms this message is logged and the other isn't. Hmm, hmm.
Also, this one comes from the "parent" sshd with a different pid than
the login message, so no way to pair it with the login information.

I'd leave it as is, but let me know if you have a better idea.

-- 
Bazsi
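
Added example (not part of the original message and not syslog-ng's patterndb): a Python example that classifies the sshd messages discussed above and tries to pair logins with logouts on (host, pid), run over the two sample lines quoted in the thread. The function names, regexes and event labels are assumptions made for this illustration.

```python
import re

# Sample lines quoted in the message above, re-joined from the e-mail line wrap.
SAMPLE = [
    "Jul  4 12:28:27 webserver0163 sshd[22134]: Accepted publickey for johnny "
    "from 10.10.85.208 port 50674 ssh2",
    "Jul  4 12:28:28 webserver0163 sshd[22136]: Received disconnect from "
    "10.10.85.208: 11: disconnected by user",
]

# BSD syslog header: timestamp, host, program[pid], then the message text.
HEADER = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Hypothetical event labels for the three message shapes in the thread.
EVENTS = [
    ("login", re.compile(
        r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("logout", re.compile(r"^Received disconnect from (?P<ip>\S+): \d+: ")),
    ("logout", re.compile(
        r"^pam_unix\(sshd:session\): session closed for user (?P<user>\S+)")),
]

def parse(line):
    """Return a dict describing a login/logout event, or None if unrecognised."""
    h = HEADER.match(line)
    if not h:
        return None
    for kind, rx in EVENTS:
        m = rx.match(h["msg"])
        if m:
            return {"kind": kind, "host": h["host"], "pid": int(h["pid"]),
                    **m.groupdict()}
    return None

def pair_by_pid(lines):
    """Pair each logout with the open login that has the same (host, pid)."""
    open_sessions, pairs, orphans = {}, [], []
    for ev in filter(None, map(parse, lines)):
        key = (ev["host"], ev["pid"])
        if ev["kind"] == "login":
            open_sessions[key] = ev
        elif key in open_sessions:
            pairs.append((open_sessions.pop(key), ev))
        else:
            orphans.append(ev)  # logout with no login under that pid
    return pairs, orphans, list(open_sessions.values())
```

On the two sample lines the disconnect (pid 22136) finds no login under its pid, and it carries only the source IP, while the login (pid 22134) stays open with user `johnny`.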



