[syslog-ng] patterndb: collect login/logout samples

Balazs Scheidler bazsi at balabit.hu
Mon Jul 26 18:02:56 CEST 2010


On Tue, 2010-07-13 at 17:12 -0600, Patrick H. wrote:
> Sent: Tuesday, July 13, 2010 5:25:13 AM
> From: Balazs Scheidler <bazsi at balabit.hu>
> To: syslog-ng at lists.balabit.hu 
> Subject: [syslog-ng] patterndb: collect login/logout samples 
> > Hi,
> > 
> > After getting the generic patterndb policy into shape, I'd like to start
> > collecting log samples, preferably in a domain that is useful for
> > everyone.
> > 
> > My target at first is login/logout/login failure events. I'd start
> > with a generic Linux installation and try to cover all applications that
> > perform authentication.
> >   
> I took a look at that pdb format and was lost. I'll probably learn it
> eventually, but would just make a mess of it if I tried now. But here
> are a lot of examples that haven't been provided yet.
> All messages were generated from RHEL 5 servers
> 
> ssh netgroup restricted login (user is valid):
> Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Invalid user phemmer
> from 165.212.225.134
> Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Failed none for
> invalid user phemmer from 165.212.225.134 port 49528 ssh2
> 
> ssh tcpwrapper (/etc/hosts.deny) restricted login:
> Jul 13 23:02:57 admin02.cms.usa.net sshd[7442]: refused connect from
> 165.212.15.221 (165.212.15.221)
> 
> -------------------
> 
> su valid login:
> Jul 13 22:47:07 admin02.cms.usa.net su: pam_unix(su:session): session
> opened for user root by phemmer(uid=8129)
> 
> su bad pass:
> Jul 13 22:31:07 admin02.cms.usa.net su: pam_unix(su:auth):
> authentication failure; logname=phemmer uid=8129 euid=0 tty=pts/13
> ruser=phemmer rhost=  user=root
> 
> su bad user generates no message
> 
> su log out:
> Jul 13 23:07:13 admin02.cms.usa.net su: pam_unix(su:session): session
> closed for user root
> 

Thanks for your submission.

I've added su events to:

commit 5e38f9dab2a89e8839829f7740485784accb3baa
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Mon Jul 26 18:01:27 2010 +0200

    su: added su login/logout/failure rules
    
    This patch covers su on Linux with PAM.
    
    Submitted-By: Patrick H.


The others I still have to mark up. Anyone who could perhaps give a hand
at marking up the patterns that Patrick submitted? Would be appreciated.

-- 
Bazsi
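Added example, not part of the thread and not syslog-ng's own code or the rules in the commit above: a small Python re-implementation of a handful of patterndb parsers (STRING, NUMBER, IPv4 and ESTRING, with simplified semantics that are assumed here, in particular that ESTRING consumes its delimiter), with rule patterns written in patterndb syntax for the su and sshd samples Patrick posted, run over those samples so that the classification and the extracted name-value pairs can be checked offline. The rule ids, the usracct.* field names and the static values are assumptions for illustration only.

```python
# Added example: a patterndb-style classifier run over the sample messages from the
# thread.  Not syslog-ng code; it re-implements a few patterndb parsers as regexes so
# the rule patterns below can be checked offline.  Rule ids, field names and static
# values are assumptions, not the rules committed to the pattern database.
import re

# Simplified, assumed semantics of the parsers used below:
#   STRING  run of non-whitespace     NUMBER   digits
#   IPv4    dotted quad               ESTRING  everything up to AND including the
#                                              delimiter given as its parameter
SIMPLE_PARSERS = {
    "STRING": r"\S+",
    "NUMBER": r"\d+",
    "IPv4": r"(?:\d{1,3}\.){3}\d{1,3}",
}
# '@@' is an escaped '@'; otherwise a token is @PARSER:name@ or @PARSER:name:param@
TOKEN_RE = re.compile(r"@@|@([A-Za-z0-9]+):([\w.]+)(?::([^@]*))?@")


def compile_pattern(pattern):
    """Translate a patterndb pattern into a regex with one named group per parser."""
    parts, pos = [], 0
    for m in TOKEN_RE.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))  # literal text between tokens
        parser, name, param = m.groups()
        group = (name or "").replace(".", "__")  # '.' is not legal in a group name
        if parser is None:
            parts.append("@")
        elif parser == "ESTRING":
            if not param:
                raise ValueError("ESTRING needs a delimiter in: " + pattern)
            parts.append("(?P<%s>.*?)%s" % (group, re.escape(param)))
        elif parser in SIMPLE_PARSERS:
            parts.append("(?P<%s>%s)" % (group, SIMPLE_PARSERS[parser]))
        else:
            raise ValueError("unsupported parser @%s@ in: %s" % (parser, pattern))
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts))


# Rule sets keyed by the syslog PROGRAM field, as patterndb selects them.  logname= and
# rhost= are parsed with ESTRING because PAM leaves them empty in some messages (rhost=
# in the sample below) and STRING would not match an empty field.
RULES = {
    "su": [
        ("su-session-opened",
         "pam_unix(su:session): session opened for user @ESTRING:usracct.username: @"
         "by @ESTRING:usracct.authname:(@uid=@NUMBER:usracct.authid@)",
         {"usracct.type": "login", "usracct.service": "su"}),
        ("su-session-closed",
         "pam_unix(su:session): session closed for user @STRING:usracct.username@",
         {"usracct.type": "logout", "usracct.service": "su"}),
        ("su-auth-failure",
         "pam_unix(su:auth): authentication failure; logname=@ESTRING:usracct.authname: @"
         "uid=@NUMBER:usracct.authid@ euid=@NUMBER:euid@ tty=@STRING:usracct.device@ "
         "ruser=@STRING:ruser@ rhost=@ESTRING:rhost: @ user=@STRING:usracct.username@",
         {"usracct.type": "login-failed", "usracct.service": "su"}),
    ],
    "sshd": [
        ("sshd-invalid-user",
         "Invalid user @STRING:usracct.username@ from @IPv4:usracct.remote_addr@",
         {"usracct.type": "login-failed", "usracct.service": "sshd"}),
        ("sshd-failed-invalid-user",
         "Failed @STRING:usracct.authmethod@ for invalid user @STRING:usracct.username@ "
         "from @IPv4:usracct.remote_addr@ port @NUMBER:usracct.remote_port@ ssh2",
         {"usracct.type": "login-failed", "usracct.service": "sshd"}),
        ("sshd-tcpwrapper-refused",
         "refused connect from @STRING:usracct.remote_host@ (@IPv4:usracct.remote_addr@)",
         {"usracct.type": "connection-refused", "usracct.service": "sshd"}),
    ],
}
COMPILED = {prog: [(rid, compile_pattern(p), vals) for rid, p, vals in rules]
            for prog, rules in RULES.items()}

# BSD syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(r"(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)")


def classify(line):
    """Split the header, pick the rule set by PROGRAM, return the first full match."""
    hdr = SYSLOG_RE.fullmatch(line)
    if not hdr:
        return None
    for rule_id, regex, static in COMPILED.get(hdr["program"], []):
        m = regex.fullmatch(hdr["msg"])  # whole message must be consumed
        if m:
            values = dict(static)
            values.update({k.replace("__", "."): v for k, v in m.groupdict().items()})
            return {"rule": rule_id, "host": hdr["host"], "program": hdr["program"],
                    "values": values}
    return {"rule": None, "host": hdr["host"], "program": hdr["program"], "values": {}}


# Constructed from the RHEL 5 samples in the thread, unwrapped back onto one line each.
SAMPLE_LINES = [
    "Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Invalid user phemmer from 165.212.225.134",
    "Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Failed none for invalid user phemmer "
    "from 165.212.225.134 port 49528 ssh2",
    "Jul 13 23:02:57 admin02.cms.usa.net sshd[7442]: refused connect from 165.212.15.221 "
    "(165.212.15.221)",
    "Jul 13 22:47:07 admin02.cms.usa.net su: pam_unix(su:session): session opened for user "
    "root by phemmer(uid=8129)",
    "Jul 13 22:31:07 admin02.cms.usa.net su: pam_unix(su:auth): authentication failure; "
    "logname=phemmer uid=8129 euid=0 tty=pts/13 ruser=phemmer rhost=  user=root",
    "Jul 13 23:07:13 admin02.cms.usa.net su: pam_unix(su:session): session closed for user root",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
```

The patterns are deliberately anchored to the whole message: a rule that only matches a prefix would also swallow later variants of the message (for example a "session opened" line with extra trailing text) and silently misclassify them. Before shipping patterns in a real database, run them against the actual engine with syslog-ng's pdbtool, whose match subcommand takes a pattern database, a program name and a message; the regex approximation here is for checking the shape of the patterns, not a substitute for that.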