[syslog-ng] patterndb: collect login/logout samples

Balazs Scheidler bazsi at balabit.hu
Thu Jul 15 22:35:37 CEST 2010


On Tue, 2010-07-13 at 17:12 -0600, Patrick H. wrote:
> Sent: Tuesday, July 13, 2010 5:25:13 AM
> From: Balazs Scheidler <bazsi at balabit.hu>
> To: syslog-ng at lists.balabit.hu 
> Subject: [syslog-ng] patterndb: collect login/logout samples 
> > Hi,
> > 
> > After getting the generic patterndb policy into shape, I'd like to start
> > collecting log samples, preferably in a domain that is useful for
> > everyone.
> > 
> > My target at first is login/logout/login failure events. I'd start
> > with a generic Linux installation and try to cover all applications that
> > perform authentication.
> >   
> I took a look at that pdb format and was lost. I'll probably learn it
> eventually, but would just make a mess of it if I tried now. But here
> are a lot of examples that haven't been provided yet.
> All messages were generated from RHEL 5 servers
> 
> ssh netgroup restricted login (user is valid):
> Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Invalid user phemmer
> from 165.212.225.134
> Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Failed none for
> invalid user phemmer from 165.212.225.134 port 49528 ssh2

we're using the 2nd log message to identify the login event, the first
is just additional information, that would need to be associated with
the 2nd via correlation, that we don't have right now.

The 2nd form however is covered with the already existing rules.

> 
> ssh tcpwrapper (/etc/hosts.deny) restricted login:
> Jul 13 23:02:57 admin02.cms.usa.net sshd[7442]: refused connect from
> 165.212.15.221 (165.212.15.221)

This is interesting, however it is not a login event. It is more like a
firewall event (e.g. flowevt + secevt in the current schema model),
however port information is missing, so it doesn't contain the complete
tuple.

Anyway, it could perhaps be possible to categorize this under the
flowevt schema, but I don't want to open that can of worms yet :)

> 
> -------------------
> 
> su valid login:
> Jul 13 22:47:07 admin02.cms.usa.net su: pam_unix(su:session): session
> opened for user root by phemmer(uid=8129)
> 
> Jul 13 22:54:27 vmware02 Hostd:

thanks, these are useful, I just need to get some sleep now. Will get
these marked up tomorrow.


-- 
Bazsi
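As an added illustration of the classification discussed in this thread (not code from syslog-ng or from either poster), the Python below applies per-program message patterns to the RHEL 5 sample lines quoted above, extracts the username, source address and port, and flags which messages are login events and which carry the complete address tuple. The sample lines are the ones from the mail with their line wrapping undone; the class names (auth.failure, conn.refused, ...) and the field names are hypothetical labels chosen for this example, not patterndb's own schema.

```python
import re

# Sample lines copied from the thread above (RHEL 5 sshd and su messages,
# re-joined where the mail wrapped them), plus the truncated Hostd line to
# show how an unclassified message is handled.
SAMPLES = [
    "Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Invalid user phemmer from 165.212.225.134",
    "Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Failed none for invalid user phemmer "
    "from 165.212.225.134 port 49528 ssh2",
    "Jul 13 23:02:57 admin02.cms.usa.net sshd[7442]: refused connect from 165.212.15.221 (165.212.15.221)",
    "Jul 13 22:47:07 admin02.cms.usa.net su: pam_unix(su:session): session opened for user root by phemmer(uid=8129)",
    "Jul 13 22:54:27 vmware02 Hostd:",
]

# BSD syslog header: timestamp, host, program[pid]:, then the free-text message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Message patterns keyed by program name, in the spirit of a patterndb ruleset
# selected by program. Class and field names are hypothetical (this example's own).
RULES = {
    "sshd": [
        ("auth.failure", re.compile(
            r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
            r"from (?P<src_ip>\S+) port (?P<src_port>\d+) ssh2$")),
        ("auth.invalid_user", re.compile(
            r"^Invalid user (?P<user>\S+) from (?P<src_ip>\S+)$")),
        ("conn.refused", re.compile(
            r"^refused connect from (?P<src_ip>\S+) \((?P<src_name>[^)]*)\)$")),
    ],
    "su": [
        ("session.opened", re.compile(
            r"^pam_unix\((?P<service>[^:]+):session\): session opened for user "
            r"(?P<user>\S+) by (?P<by_user>[^(]*)\(uid=(?P<by_uid>\d+)\)$")),
    ],
}

# Only these classes count as login events; the "Invalid user" line is context
# that would need correlation, and "refused connect" is a connection-level event.
LOGIN_CLASSES = {"auth.failure", "session.opened"}


def classify(line):
    """Parse one syslog line; return a dict describing the event, or None if the
    header does not parse. Unmatched messages get class None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "prog": m["prog"], "pid": m["pid"],
          "class": None, "fields": {}}
    for cls, rx in RULES.get(m["prog"], []):
        fm = rx.match(m["msg"])
        if fm:
            ev["class"] = cls
            ev["fields"] = fm.groupdict()
            break
    ev["login_event"] = ev["class"] in LOGIN_CLASSES
    # The flow tuple is complete only when both source address and port are known.
    ev["complete_tuple"] = all(k in ev["fields"] for k in ("src_ip", "src_port"))
    return ev


def classify_all(lines):
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for ev in classify_all(SAMPLES):
        print(ev["prog"], ev["class"], ev["login_event"], ev["complete_tuple"], ev["fields"])
```

Running it shows the distinction made above: the "Failed none for invalid user" line yields a login failure with user, address and port, the "refused connect" line is classified but lacks a port and is not treated as a login event, and the bare Hostd line falls through with no class.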
