[syslog-ng] patterndb: collect login/logout samples

Balazs Scheidler bazsi at balabit.hu
Thu Jul 15 16:56:41 CEST 2010


On Tue, 2010-07-13 at 12:47 -0700, Anton Chuvakin wrote:
> > My target at first is login/logout/login failure events. I'd start
> > with a generic Linux installation and try to cover all applications that
> > perform authentication.
> 
> Some logouts + session ended's too:
> 
> Jul 11 08:09:01 anton-linux CRON[24475]: pam_unix(cron:session):
> session closed for user root

This is a cron message, not an sshd message, so not strictly a user
login/logout, though it could be interpreted as such.

> Apr 28 03:34:36 esx1 sshd(pam_unix)[9032]: session closed for user anton
> 

Gee, reusing the program field, just to make it more difficult. This
means that we'd need several patterns for the program name field. Not
difficult, just another reason to adjust the patterndb format.

> Just for fun:
> 
> VMWare ESX login success
> 
> Apr 27 01:01:12 esx1 /usr/lib/vmware/hostd/vmware-hostd[1479]:
> Accepted password for user root from 127.0.0.1

Nice.

Thanks a lot, I'll add this somewhat later. I got distracted by other
things.

-- 
Bazsi
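As an added worked example (not code from the thread and not syslog-ng's own patterndb), a small Python classifier that shows what the program-field reuse discussed above means in practice: the program field has to be split into name, optional PAM module suffix (sshd(pam_unix)) and optional path prefix (/usr/lib/vmware/hostd/vmware-hostd) before the message body can be matched, and a cron session-close is kept apart from an sshd one instead of being counted as a user logout. The first three sample lines are the ones posted in the thread; the two OpenSSH lines, the pattern set and the NON_INTERACTIVE service list are assumptions made for the example.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. The first three lines are the ones posted in the
# thread; the last two are assumed, typical OpenSSH lines added for contrast.
SAMPLES = [
    "Jul 11 08:09:01 anton-linux CRON[24475]: pam_unix(cron:session): session closed for user root",
    "Apr 28 03:34:36 esx1 sshd(pam_unix)[9032]: session closed for user anton",
    "Apr 27 01:01:12 esx1 /usr/lib/vmware/hostd/vmware-hostd[1479]: Accepted password for user root from 127.0.0.1",
    "Apr 28 03:30:02 esx1 sshd[9031]: Accepted password for anton from 10.0.0.5 port 51022 ssh2",
    "Apr 28 03:29:50 esx1 sshd[9031]: Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2",
]

# BSD syslog header. The program field may carry a PAM module in parentheses
# or be a full path, so a literal program name cannot be matched directly.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\s\[:(]+)(?:\((?P<module>[^)]*)\))?(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Message-body patterns, tried in order. The pam_unix "service:session" prefix
# is optional because some daemons put the module in the program field instead.
MESSAGE_PATTERNS = [
    ("login_success", re.compile(r"^Accepted (?P<method>\S+) for (?:user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("login_failure", re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("session_opened", re.compile(r"^(?:pam_unix\((?P<service>[^:)]+):session\): )?session opened for user (?P<user>\S+)")),
    ("session_closed", re.compile(r"^(?:pam_unix\((?P<service>[^:)]+):session\): )?session closed for user (?P<user>\S+)")),
]

# Assumed list of PAM services whose sessions are not interactive user logins.
NON_INTERACTIVE = {"cron", "crond"}


@dataclass
class AuthEvent:
    kind: str            # login_success / login_failure / session_opened / session_closed
    host: str
    program: str         # program name with any path prefix stripped
    module: Optional[str]  # PAM module if it was appended to the program field
    service: str         # PAM service: from the message if present, else the program
    user: str
    src: Optional[str]
    method: Optional[str]
    user_session: bool   # False for cron-style sessions that are not a user login/logout


def classify(line: str) -> Optional[AuthEvent]:
    """Parse one syslog line and return an AuthEvent, or None if it is not an auth message."""
    h = HEADER.match(line)
    if not h:
        return None
    program = os.path.basename(h.group("program"))
    for kind, pat in MESSAGE_PATTERNS:
        m = pat.match(h.group("msg"))
        if not m:
            continue
        g = m.groupdict()
        service = (g.get("service") or program).lower()
        return AuthEvent(
            kind=kind,
            host=h.group("host"),
            program=program,
            module=h.group("module"),
            service=service,
            user=g["user"],
            src=g.get("src"),
            method=g.get("method"),
            user_session=service not in NON_INTERACTIVE,
        )
    return None


def classify_all(lines: List[str]) -> List[AuthEvent]:
    """Classify a batch of lines, dropping those that match no auth pattern."""
    return [e for e in (classify(line) for line in lines) if e is not None]


if __name__ == "__main__":
    for event in classify_all(SAMPLES):
        print(event)
```

The split between `program`, `module` and `service` is what lets one rule set cover `sshd[9031]`, `sshd(pam_unix)[9032]` and the pam_unix-prefixed cron line without a separate copy of each message pattern per program spelling.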