[syslog-ng] proftpd, blog

Peter Czanik czanik at balabit.hu
Tue Oct 5 16:50:12 CEST 2010


Hello,

Attached is a pre version of proftpd login/logout/failure events and the
samples I used. As usual, new application, new problems.

The first problem is that out of the box proftpd uses its own log files
instead of syslog. This poses a couple of problems:
* it resembles syslog logs, but looking closer it is not
* it does not have all the logs
So for collecting logs I commented out the SystemLog line, so syslog is
used, and also enabled anonymous ftp.

I could not find a perfect message suitable for 'logout'. There are two
related lines:

proftpd[6848]: ubuntu (::ffff:192.168.2.179[::ffff:192.168.2.179]) - FTP
session closed.
But this is used any time a TCP/IP connection is closed, even when there
was no actual login. And even if there was a login, it has no user
information...

proftpd: pam_unix(proftpd:session): session closed for user czanik
This one has the user name, but no information at all about the session
or IP address.

What do you think? Could any of these be useful for creating name -
value pairs?

Also: if I discard some messages, like opening/closing a session, is it
enough if I handle it with one rule (omitting checking the end of
message) or it should be handled with two separate messages?

And finally some self marketing, hoping that it might be useful for
someone: please check my blog (URL in my signature), I already have
two blog posts about pattern writing. Please comment on them here on the
mailing list, as if you find something problematic, it should be
discussed, and without an additional blog comment login...

Bye,

-- 
Peter Czanik (CzP) <czanik at balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: proftpd.samples
Url: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20101005/208e6564/attachment.txt 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: proftpd.pdb
Type: application/vnd.palm
Size: 8011 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20101005/208e6564/attachment.bin 
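As an added example (not the proftpd.pdb attached to this message), here is how the two candidate lines quoted above could be turned into name-value pairs in a syslog-ng patterndb ruleset: one rule extracts host and client address from the "FTP session closed" line and deliberately does not call it a logout, the other extracts the user name from the pam_unix line. The usracct.* field names follow the syslog-ng pattern database convention, the rule ids are placeholders to be replaced with real UUIDs, and the embedded examples are the test cases pdbtool test checks.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<patterndb version="4" pub_date="2010-10-05">
  <ruleset name="proftpd" id="RULESET-UUID-PLACEHOLDER">
    <!-- the ruleset pattern matches the PROGRAM field of the message -->
    <pattern>proftpd</pattern>
    <rules>
      <!-- 1. "FTP session closed": host and client address, but no user name; it fires for every closed TCP connection, so it is tagged as a session end, not a logout -->
      <rule provider="example" id="RULE-UUID-PLACEHOLDER-1" class="system">
        <patterns>
          <pattern>@ESTRING:usracct.device: (@@ESTRING:usracct.client_name:[@@ESTRING:usracct.client_ip:]@) - FTP session closed.</pattern>
        </patterns>
        <tags><tag>usracct</tag></tags>
        <values>
          <value name="usracct.service">ftp</value>
          <value name="usracct.type">session-end</value>
        </values>
        <examples>
          <example>
            <test_message program="proftpd">ubuntu (::ffff:192.168.2.179[::ffff:192.168.2.179]) - FTP session closed.</test_message>
            <test_values>
              <test_value name="usracct.device">ubuntu</test_value>
              <test_value name="usracct.client_ip">::ffff:192.168.2.179</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
      <!-- 2. pam_unix "session closed": the only line carrying the user name, but no address -->
      <rule provider="example" id="RULE-UUID-PLACEHOLDER-2" class="system">
        <patterns>
          <pattern>pam_unix(proftpd:session): session closed for user @ANYSTRING:usracct.username@</pattern>
        </patterns>
        <tags><tag>usracct</tag></tags>
        <values>
          <value name="usracct.service">ftp</value>
          <value name="usracct.type">logout</value>
        </values>
        <examples>
          <example>
            <test_message program="proftpd">pam_unix(proftpd:session): session closed for user czanik</test_message>
            <test_values>
              <test_value name="usracct.username">czanik</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Because the two lines share neither user name nor address, neither rule alone yields a complete logout record; correlating them is left to the consumer of the parsed values.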