[syslog-ng] patterndb: collect login/logout samples
Balazs Scheidler
bazsi at balabit.hu
Mon Jul 26 18:02:56 CEST 2010
On Tue, 2010-07-13 at 17:12 -0600, Patrick H. wrote:
> Sent: Tuesday, July 13, 2010 5:25:13 AM
> From: Balazs Scheidler <bazsi at balabit.hu>
> To: syslog-ng at lists.balabit.hu
> Subject: [syslog-ng] patterndb: collect login/logout samples
> > Hi,
> >
> > After getting the generic patterndb policy into shape, I'd like to start
> > collecting log samples, preferably in a domain that is useful for
> > everyone.
> >
> > My target at first is login/logout/login failure events. I'd start
> > with a generic Linux installation and try to cover all applications that
> > perform authentication.
> >
> I took a look at that pdb format and was lost. I'll probably learn it
> eventually, but would just make a mess of it if I tried now. But here
> are a lot of examples that haven't been provided yet.
> All messages were generated from RHEL 5 servers.
>
> ssh netgroup restricted login (user is valid):
> Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Invalid user phemmer from 165.212.225.134
> Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Failed none for invalid user phemmer from 165.212.225.134 port 49528 ssh2
>
> ssh tcpwrapper (/etc/hosts.deny) restricted login:
> Jul 13 23:02:57 admin02.cms.usa.net sshd[7442]: refused connect from 165.212.15.221 (165.212.15.221)
>
> -------------------
>
> su valid login:
> Jul 13 22:47:07 admin02.cms.usa.net su: pam_unix(su:session): session opened for user root by phemmer(uid=8129)
>
> su bad pass:
> Jul 13 22:31:07 admin02.cms.usa.net su: pam_unix(su:auth): authentication failure; logname=phemmer uid=8129 euid=0 tty=pts/13 ruser=phemmer rhost= user=root
>
> su bad user generates no message
>
> su log out:
> Jul 13 23:07:13 admin02.cms.usa.net su: pam_unix(su:session): session closed for user root
>
Thanks for your submission.
I've added su events to:
commit 5e38f9dab2a89e8839829f7740485784accb3baa
Author: Balazs Scheidler <bazsi at balabit.hu>
Date: Mon Jul 26 18:01:27 2010 +0200
su: added su login/logout/failure rules
This patch covers su on Linux with PAM.
Submitted-By: Patrick H.
The others I still have to mark up. Anyone who could perhaps give a hand
at marking up the patterns that Patrick submitted? Would be appreciated.
--
Bazsi
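As an added illustration (not syslog-ng code and not part of this thread), the following Python classifier applies the login/logout/failure distinctions discussed above to Patrick's sample lines, extracting the fields a patterndb rule would pull out (target user, the user running su, its uid, remote host, port); the regexes and field names are this example's own assumptions, not syslog-ng's.

```python
import re

# Sample lines copied from Patrick's submission above (RHEL 5 syslog output).
SAMPLES = [
    "Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Invalid user phemmer from 165.212.225.134",
    "Jul 13 22:58:35 slider.dev.usa.net sshd[16563]: Failed none for invalid user phemmer from 165.212.225.134 port 49528 ssh2",
    "Jul 13 23:02:57 admin02.cms.usa.net sshd[7442]: refused connect from 165.212.15.221 (165.212.15.221)",
    "Jul 13 22:47:07 admin02.cms.usa.net su: pam_unix(su:session): session opened for user root by phemmer(uid=8129)",
    "Jul 13 22:31:07 admin02.cms.usa.net su: pam_unix(su:auth): authentication failure; logname=phemmer uid=8129 euid=0 tty=pts/13 ruser=phemmer rhost= user=root",
    "Jul 13 23:07:13 admin02.cms.usa.net su: pam_unix(su:session): session closed for user root",
]

# Syslog header "Mon DD HH:MM:SS host program[pid]: message"; pid is optional (su logs without one).
HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# (program, message regex, event type): the analogue of one patterndb rule each.
# Field names are this example's own, not syslog-ng's usracct.* names.
RULES = [
    ("su", re.compile(r"pam_unix\(su:session\): session opened for user (?P<username>\S+) by (?P<authname>[^(]+)\(uid=(?P<authid>\d+)\)"), "login"),
    ("su", re.compile(r"pam_unix\(su:session\): session closed for user (?P<username>\S+)"), "logout"),
    ("su", re.compile(r"pam_unix\(su:auth\): authentication failure; logname=(?P<authname>\S*) uid=(?P<authid>\d+) .*?rhost=(?P<rhost>\S*) user=(?P<username>\S+)"), "login-failure"),
    ("sshd", re.compile(r"Failed (?P<method>\S+) for (?:invalid user )?(?P<username>\S+) from (?P<rhost>\S+) port (?P<port>\d+)"), "login-failure"),
    ("sshd", re.compile(r"Invalid user (?P<username>\S+) from (?P<rhost>\S+)$"), "login-failure"),
    ("sshd", re.compile(r"refused connect from (?P<rhost>\S+)"), "login-failure"),
]

def classify(line):
    """Return the event type plus extracted fields, or None if no rule applies."""
    h = HEADER.match(line)
    if not h:
        return None
    for prog, rx, evtype in RULES:
        if prog != h.group("prog"):
            continue
        m = rx.search(h.group("msg"))
        if m:
            ev = {"type": evtype, "host": h.group("host"), "program": prog}
            # Drop empty captures such as the blank rhost= in the su failure line.
            ev.update({k: v for k, v in m.groupdict().items() if v})
            return ev
    return None

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line))
```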