[syslog-ng] patterndb: collect login/logout samples

Balazs Scheidler bazsi at balabit.hu
Thu Jul 15 21:26:11 CEST 2010


On Tue, 2010-07-13 at 12:37 -0700, Anton Chuvakin wrote:
> > My target at first is login/logout/login failure events. I'd start
> > with a generic Linux installation and try to cover all applications that
> > perform authentication.
> 
> OK, so here are some:
> 
> OS
> Linux
> SSH
> bad pwd
> Apr 22 16:56:39 support sshd[11354]: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2

This was covered by the already existing patterns, though it was nice to
see that they indeed worked with IPv6. I've added this as an example to
test the pattern with.

> bad user
> Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2

This was a different incarnation of the "invalid user" message from the
previous poster; probably this message was changed within sshd. Added as
a separate rule.

> FTP
> bad pwd
> Apr 23 14:07:49 support sshd[15069]: Failed password for ftp from ::ffff:10.10.10.171 port 35621 ssh2
> 

Already covered.

> OS
> HP-UX
> bad pwd
> Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from 10.10.333.444 port 1420 ssh2

Also covered.

> 
> Web
> Apache
> 401
> 10.10.10.100 - - [23/Apr/2007:12:29:55 -0500] "GET /olu/adm/reg.html HTTP/1.1" 401 485
> 

I have trouble with this one: login failures in Apache are logged to the
error log, which seems to be a better source than scanning the access.log
for the 401 status, especially as it is a normal part of the protocol and
not necessarily an immediate login failure.

I don't see that access.log should be going through patterndb, as it is
already structured. Using a csv-parser to read that would probably be
easier, and it is probably a good candidate for creating an SCL block to
do just that.

-- 
Bazsi
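A patterndb rule for the "illegal user" sample quoted above, as an added example (not the rule Bazsi committed to the patterndb repository): the ruleset and rule ids are placeholders for the UUIDs a real ruleset carries, and the usracct.* value names are an assumed naming scheme.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the ruleset from the syslog-ng patterndb repository.
     The id attributes are placeholders; real patterndb files use UUIDs. -->
<patterndb version="4" pub_date="2010-07-15">
  <ruleset name="sshd" id="RULESET-ID-PLACEHOLDER">
    <patterns>
      <!-- the ruleset is selected by the $PROGRAM field of the message -->
      <pattern>sshd</pattern>
    </patterns>
    <rules>
      <rule provider="example" id="RULE-ID-PLACEHOLDER" class="violation">
        <patterns>
          <!-- "illegal user" wording of the failed-password message;
               @IPvANY@ is assumed to accept the ::ffff: mapped form,
               which the mail reports the existing IP-based patterns did -->
          <pattern>Failed password for illegal user @ESTRING:usracct.username: @from @IPvANY:usracct.device@ port @NUMBER:usracct.port@ ssh2</pattern>
        </patterns>
        <tags>
          <tag>usracct</tag>
          <tag>login_failure</tag>
        </tags>
        <!-- static values attached to every match (assumed usracct.* scheme) -->
        <values>
          <value name="usracct.type">login</value>
          <value name="usracct.service">ssh</value>
          <value name="usracct.authmethod">password</value>
          <value name="usracct.result">failure</value>
        </values>
        <examples>
          <!-- the sample from the thread, without its syslog header -->
          <example>
            <test_message program="sshd">Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2</test_message>
            <test_values>
              <test_value name="usracct.username">admin</test_value>
              <test_value name="usracct.device">::ffff:10.10.10.135</test_value>
              <test_value name="usracct.port">45629</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

The embedded example block is what pdbtool's test subcommand checks the pattern against, so the mapped-IPv6 sample doubles as a regression test for the parser.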