[syslog-ng] patterndb: collect login/logout samples

Clayton Dukes cdukes at gmail.com
Thu Jul 15 21:54:36 CEST 2010


Hey Guys,
I'm way behind on adoption of the whole patterndb thing, but if you're
looking for log samples, here's a good resource:
http://www.ossec.net/wiki/Log_Samples

______________________________________________________________

Clayton Dukes
______________________________________________________________


On Thu, Jul 15, 2010 at 3:26 PM, Balazs Scheidler <bazsi at balabit.hu> wrote:

> On Tue, 2010-07-13 at 12:37 -0700, Anton Chuvakin wrote:
> > > My target at first is login/logout/login failure events. I'd start
> > > with a generic Linux installation and try to cover all applications
> > > that perform authentication.
> >
> > OK, so here are some:
> >
> > OS
> > Linux
> > SSH
> > bad pwd
> > Apr 22 16:56:39 support sshd[11354]: Failed password for root from
> > ::ffff:10.10.10.4 port 4027 ssh2
>
> this was covered by the already existing patterns, though it was nice to
> see that they indeed worked with IPv6. I've added this as an example to
> test the pattern with.
>
> > bad user
> > Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user
> > admin from ::ffff:10.10.10.135 port 45629 ssh2
>
> this was a different incarnation of "invalid user" of the previous
> poster, probably this message was changed within sshd. Added as a
> separate rule.
>
> > FTP
> > bad pwd
> > Apr 23 14:07:49 support sshd[15069]: Failed password for ftp from
> > ::ffff:10.10.10.171 port 35621 ssh2
> >
>
> already covered.
>
> > OS
> > HP-UX
> > bad pwd
> > Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from
> > 10.10.333.444 port 1420 ssh2
>
> also covered.
>
> >
> > Web
> > Apache
> > 401
> > 10.10.10.100 - - [23/Apr/2007:12:29:55 -0500] "GET /olu/adm/reg.html
> > HTTP/1.1" 401 485
> >
>
> I have trouble with this one: login failures in Apache are logged to the
> error log, which seems to be a better source than scanning the access.log
> for the 401 status, especially as 401 is a normal part of the protocol and
> not necessarily an immediate login failure.
>
> I don't see that access.log should be going through patterndb as it is
> already structured. Using a csv-parser to read that would probably be
> easier, and it is probably a good candidate for creating an SCL block to
> do just that.
>
> --
> Bazsi
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
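The thread above discusses three things a pattern writer has to get right for these samples: the two sshd wordings ("invalid user" vs "illegal user"), IPv4-mapped IPv6 source addresses such as ::ffff:10.10.10.4, and the fact that an Apache 401 is a challenge rather than a login failure. The following Python is an added example written for this page, not syslog-ng code and not a patterndb rule from the thread; it uses regular expressions as a stand-in for patterndb parsers and a fixed field layout as a stand-in for csv-parser. The log lines are the ones quoted in the thread plus one constructed "Accepted password" line; the event names (login_failure_bad_password, http_auth_challenge, and so on) and the normalisation choices are assumptions of this example.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Sample lines: the sshd and Apache lines quoted in the thread, plus one
# constructed "Accepted password" line so the success path is exercised too.
SAMPLE_LINES = [
    "Apr 22 16:56:39 support sshd[11354]: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2",
    "Apr 22 13:41:22 support sshd[11320]: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2",
    "Mar 12 08:24:51 server6 sshd[24742]: Failed password for john from 10.10.333.444 port 1420 ssh2",
    "Apr 22 17:01:02 support sshd[11360]: Accepted password for alice from 10.10.10.4 port 4031 ssh2",  # constructed
    '10.10.10.100 - - [23/Apr/2007:12:29:55 -0500] "GET /olu/adm/reg.html HTTP/1.1" 401 485',
]

# One pattern covers "Failed"/"Accepted", the optional "invalid user"/"illegal
# user" marker (the two sshd wordings discussed in the thread) and any address
# form: the source is taken as a whitespace-free token and validated afterwards.
SSHD_AUTH = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:(?P<flag>invalid|illegal) user )?(?P<user>\S+) from (?P<src>\S+) "
    r"port (?P<port>\d+) (?P<proto>\S+)$"
)

# Apache common log format is already structured, so a fixed field layout is
# enough here (csv-parser in syslog-ng plays the same role).
APACHE_ACCESS = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<authuser>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def normalize_address(text):
    """Return (address, valid). IPv4-mapped IPv6 (::ffff:a.b.c.d) is folded to
    plain IPv4 so one host gets one key; malformed input (the HP-UX sample has
    an impossible octet) is kept verbatim and flagged rather than dropped, so
    the event itself is not lost."""
    try:
        addr = ip_address(text)
    except ValueError:
        return text, False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped), True
    return str(addr), True


def classify(line):
    """Map one raw line to a structured event dict, or None if unrecognised."""
    m = SSHD_AUTH.search(line)
    if m:
        src, valid = normalize_address(m["src"])
        if m["result"] == "Accepted":
            event = "login_success"
        elif m["flag"]:
            event = "login_failure_unknown_user"
        else:
            event = "login_failure_bad_password"
        return {
            "source": "sshd", "event": event, "user": m["user"],
            "src": src, "src_valid": valid, "port": int(m["port"]),
            "method": m["method"],
        }
    m = APACHE_ACCESS.match(line)
    if m:
        status = int(m["status"])
        # A 401 with no authuser is the server's challenge, a normal part of
        # HTTP authentication; only a 401 carrying a username shows that
        # credentials were presented and rejected (Apache logs the attempted
        # name in %u in that case, and marks it as possibly bogus).
        if status == 401:
            event = "http_auth_challenge" if m["authuser"] == "-" else "http_auth_failure"
        else:
            event = "http_request"
        return {
            "source": "apache", "event": event, "user": m["authuser"],
            "src": m["client"], "status": status, "path": m["path"],
        }
    return None


def failures_by_source(lines):
    """Count login failures per normalised source address across sshd and
    Apache events; this is the dict an alerting threshold would be applied to."""
    counts = Counter()
    for line in lines:
        ev = classify(line)
        if ev and ev["event"].startswith(("login_failure", "http_auth_failure")):
            counts[ev["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
    print(failures_by_source(SAMPLE_LINES))
```

Run as a script it prints one event per sample line and then the per-source failure counts. Note that the Apache 401 line contributes nothing to the failure count, which is exactly the point made in the thread: the access log tells you a challenge was sent, while the error log is where the actual authentication failures are recorded.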

