[syslog-ng] patterndb: collect login/logout samples

Balazs Scheidler bazsi at balabit.hu
Thu Jul 15 22:26:04 CEST 2010


On Thu, 2010-07-15 at 16:56 +0200, Balazs Scheidler wrote:
> On Tue, 2010-07-13 at 12:47 -0700, Anton Chuvakin wrote:
> > > My target at first is login/logout/login failure events. I'd start
> > > with a generic Linux installation and try to cover all applications that
> > > perform authentication.
> > 
> > Some logouts + session ended's too:
> > 
> > Jul 11 08:09:01 anton-linux CRON[24475]: pam_unix(cron:session):
> > session closed for user root
> 
> This is a cron message, not an sshd message, so not strictly a user
> login/logout, though it could be interpreted as such.
> 
> > Apr 28 03:34:36 esx1 sshd(pam_unix)[9032]: session closed for user anton
> > 
> 
> gee, reusing the program field, just to make it more difficult. This
> means that we'd need several patterns for the program name field. Not
> difficult, just another reason to adjust the patterndb format.

Talked to Marci about this one. patterndb seems to do a prefix match, so
our 'sshd' rule will match just fine. Anyway, the ability to specify
multiple patterns for the ruleset will probably be needed.

Also, if the pam_unix part is not in the message, but rather in the
program name field, then we need to add this as a separate rule. Here it
comes:

+      <rule provider="patterndb" id="a2f96b71-6c5e-413e-92c2-75e9d66c0119" class="system">
+        <patterns>
+          <pattern>session closed for user @ANYSTRING:usracct.username:@</pattern>
+        </patterns>
+        <examples>
+          <example>
+           <test_message program="sshd(pam_unix)">session closed for user bazsi</test_message>
+           <test_values>
+            <test_value name="usracct.username">bazsi</test_value>
+           </test_values>
+          </example>
+        </examples>
+        <values>
+          <value name="usracct.type">logout</value>
+          <value name="usracct.sessionid">$PID</value>
+          <value name="usracct.application">$PROGRAM</value>
+        </values>
+        <tags>
+          <tag>usracct</tag>
+        </tags>
+      </rule>
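Review bot: the rule body never names sshd(pam_unix), so the example's program="sshd(pam_unix)" only reaches this rule if the enclosing ruleset's program pattern covers it (the prefix match on 'sshd' mentioned above); since that ruleset header is outside this hunk, a short comment beside the rule saying it relies on the ruleset-level program match would save the next reader a trip. A second, smaller point: `@ANYSTRING:usracct.username:@` swallows everything to the end of the message, which is fine for the bare "session closed for user bazsi" text in the test, but any trailing field a future pam_unix variant appends would land inside usracct.username; if that is a concern, add a second example with such a suffix so the test catches it.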


> 
> > Just for fun:
> > 
> > VMWare ESX login success
> > 
> > Apr 27 01:01:12 esx1 /usr/lib/vmware/hostd/vmware-hostd[1479]:
> > Accepted password for user root from 127.0.0.1
> 
> Nice.
> 
> Thanks a lot, I'll add this somewhat later. I got distracted by other
> things.
> 

I've added this too to vm/vmware-esx.pdb

Do you perhaps have the logout & login failure messages for this?

Thanks.

-- 
Bazsi
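To make the discussion above concrete, here is an added example (not syslog-ng or patterndb code, not written by anyone in the thread): a small Python classifier that applies the same usracct data model as the rule above, with a prefix match on the program field so that an 'sshd' rule also covers 'sshd(pam_unix)', run over constructed sample lines modelled on the messages quoted in the thread. The regex matching stands in for patterndb's own @PARSER@ syntax; the 'session opened', 'Accepted publickey' and 'Connection closed' lines and the usracct.device value name are assumptions made for illustration.

```python
"""Toy login/logout classifier in the spirit of the patterndb usracct rules.

Added example, not syslog-ng code: patterndb matches with its own @PARSER@
syntax on a radix tree; this uses plain regexes to show the same data model
(usracct.type / username / sessionid / application and the 'usracct' tag).
"""
import re

# Constructed sample lines modelled on the messages quoted in the thread; the
# 'session opened', 'Accepted publickey' and 'Connection closed' lines are
# made up for illustration, not captured from a real host.
SAMPLE_LOG = """\
Jul 11 08:09:01 anton-linux CRON[24475]: pam_unix(cron:session): session closed for user root
Apr 28 03:34:36 esx1 sshd(pam_unix)[9032]: session closed for user anton
Apr 27 01:01:12 esx1 /usr/lib/vmware/hostd/vmware-hostd[1479]: Accepted password for user root from 127.0.0.1
Apr 28 03:30:01 esx1 sshd(pam_unix)[9032]: session opened for user anton by (uid=0)
Jul 11 08:10:00 anton-linux sshd[2231]: Accepted publickey for bazsi from 10.0.0.5 port 50222 ssh2
Jul 11 08:11:00 anton-linux sshd[2240]: Connection closed by 10.0.0.5
"""

# BSD syslog header: timestamp, host, program[pid]: message. The program field
# may contain '(' and '/' (sshd(pam_unix), /usr/lib/.../vmware-hostd).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\s\[\]:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# (program prefix, message regex, usracct.type). The program check is a
# prefix match, as the thread observes patterndb does, so 'sshd' also covers
# 'sshd(pam_unix)'. '(?P<username>.+)$' in the first rule mimics
# @ANYSTRING@: it greedily takes the rest of the message.
RULES = [
    ("sshd", re.compile(r"^session closed for user (?P<username>.+)$"), "logout"),
    ("sshd", re.compile(r"^session opened for user (?P<username>\S+) by "), "login"),
    ("sshd", re.compile(r"^Accepted (?P<method>\S+) for (?P<username>\S+) from (?P<srcip>\S+)"), "login"),
    ("/usr/lib/vmware/hostd/vmware-hostd",
     re.compile(r"^Accepted password for user (?P<username>\S+) from (?P<srcip>\S+)$"), "login"),
    # cron's pam_unix session close: tagged too, usracct.application says CRON
    ("CRON", re.compile(r"^pam_unix\(cron:session\): session closed for user (?P<username>\S+)$"), "logout"),
]


def classify(line):
    """Return the usracct name/value pairs for one syslog line, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    hdr = m.groupdict()
    for program_prefix, pattern, acct_type in RULES:
        if not hdr["program"].startswith(program_prefix):
            continue
        pm = pattern.match(hdr["msg"])
        if not pm:
            continue
        event = {
            "usracct.type": acct_type,
            "usracct.username": pm.group("username"),
            # the $PID and $PROGRAM macros of the patterndb <values> block
            "usracct.sessionid": hdr["pid"],
            "usracct.application": hdr["program"],
            "tags": ["usracct"],
        }
        if "srcip" in pm.groupdict():
            event["usracct.device"] = pm.group("srcip")  # value name is an assumption
        return event
    return None


def classify_all(text):
    """Classify every line of a log blob, dropping lines no rule matched."""
    return [ev for ev in (classify(ln) for ln in text.splitlines()) if ev]


if __name__ == "__main__":
    for ev in classify_all(SAMPLE_LOG):
        print(ev)
```

The CRON line is classified on purpose, with usracct.application left as CRON so a downstream consumer can still tell it apart from an interactive sshd logout, which is the distinction drawn in the thread.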
