[syslog-ng] proftpd, blog

Balazs Scheidler bazsi at balabit.hu
Wed Oct 6 16:03:20 CEST 2010


On Tue, 2010-10-05 at 16:50 +0200, Peter Czanik wrote:
> Hello,
> 
> Attached is a pre version of proftpd login/logout/failure events and the
> samples I used. As usual, new application, new problems.
> 
> The first problem is that out of the box proftpd uses its own log files
> instead of syslog. This poses a couple of problems:
> * it resembles syslog logs, but looking closer it is not
> * it does not have all the logs
> So for collecting logs I commented out the SystemLog line, so syslog is
> used, and also enabled anonymous ftp.
> 
> I could not find a perfect message suitable for 'logout'. There are two
> related lines:
> 
> proftpd[6848]: ubuntu (::ffff:192.168.2.179[::ffff:192.168.2.179]) - FTP
> session closed.
> But this is used any time a TCP/IP connection is closed, even when there
> was no actual login. And even if there was a login, it has no user
> information...
> 
> proftpd: pam_unix(proftpd:session): session closed for user czanik
> This one has the user name, but no information at all about the session
> or IP address.

Do you have any identifying information that you could possibly use to
correlate the two entries?

PID for instance?

I have doubts about doing correlation just for the sake of the logout event,
because the length of the session can be quite long. (So what timeout
would you specify for the correlation engine: 1 day? 7 days?)

I'd use the PAM generated event (e.g. session closed for user ...) and
the IP address is not that important in this case, because it is present
in the login event. You'd only need to make sure that the login/logout
events can be correlated at query time somehow, e.g. usracct.sessionid
should be the same for the two messages.

> 
> What do you think? Could any of these be useful for creating name -
> value pairs?
> 
> Also: if I discard some messages, like opening/closing a session, is it
> enough if I handle it with one rule (omitting checking the end of
> message) or it should be handled with two separate messages?

I don't understand this.

> 
> And finally some self marketing, hoping that it might be useful to
> someone: please check my blog (URL in my signature), I already have
> two blog posts about pattern writing. Please comment on them here on the
> mailing list, as if you find something problematic, it should be
> discussed, and without an additional blog comment login...

-- 
Bazsi
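An added example (not from this thread or from syslog-ng itself) to make the correlation point above concrete: a small Python parser for the two proftpd lines Peter quoted, producing name-value pairs in the usracct.* style the reply refers to, plus a join step that correlates events only on a field both message shapes can carry (the PID). The field names other than usracct.sessionid and usracct.username, the helper names, and the extra pam line that includes a PID are assumptions constructed for the example.

```python
import re

# Sample lines quoted in Peter's mail. The "FTP session closed" line is
# wrapped across two lines in the archive; it is joined here.
SESSION_CLOSED = ("proftpd[6848]: ubuntu (::ffff:192.168.2.179[::ffff:192.168.2.179])"
                  " - FTP session closed.")
PAM_CLOSED = "proftpd: pam_unix(proftpd:session): session closed for user czanik"

# Constructed variant (not from the mail): the same pam message, but logged
# with the proftpd PID, so that it shares a key with the session line.
PAM_CLOSED_WITH_PID = ("proftpd[6848]: pam_unix(proftpd:session): "
                       "session closed for user czanik")

# Shape 1: proftpd's own "session closed" message. Carries PID and client
# address but no user name.
_SESSION_RE = re.compile(
    r"^proftpd\[(?P<pid>\d+)\]: (?P<host>\S+) "
    r"\((?P<addr>[^\[]+)\[(?P<rev>[^\]]+)\]\) - FTP session closed\.$")

# Shape 2: pam_unix session open/close. Carries the user name; the PID is
# optional because the quoted sample has none.
_PAM_RE = re.compile(
    r"^proftpd(?:\[(?P<pid>\d+)\])?: pam_unix\(proftpd:session\): "
    r"session (?P<action>opened|closed) for user (?P<user>\S+)$")


def parse(line):
    """Return usracct-style name-value pairs for one log line, or None."""
    m = _SESSION_RE.match(line)
    if m:
        return {"program": "proftpd", "pid": m["pid"],
                "usracct.type": "logout",
                "usracct.device": m["addr"],        # client IP
                "usracct.client_host": m["host"]}
    m = _PAM_RE.match(line)
    if m:
        nv = {"program": "proftpd",
              "usracct.type": "login" if m["action"] == "opened" else "logout",
              "usracct.username": m["user"],
              "usracct.authmethod": "pam"}
        if m["pid"]:
            nv["pid"] = m["pid"]
        return nv
    return None


def session_key(nv):
    """The only field both shapes can share is the PID; a pam line logged
    without one (as in the quoted sample) cannot be joined to anything."""
    return nv.get("pid")


def correlate(lines):
    """Group parsed events by session key.

    Returns (joined, unkeyed): joined maps a key to the merged name-value
    pairs of every event carrying that key; unkeyed lists events that
    parsed but had no key to join on.
    """
    joined, unkeyed = {}, []
    for line in lines:
        nv = parse(line)
        if nv is None:
            continue
        key = session_key(nv)
        if key is None:
            unkeyed.append(nv)
        else:
            joined.setdefault(key, {}).update(nv)
    return joined, unkeyed


if __name__ == "__main__":
    # With the two lines from the mail, the pam event stays unjoined.
    print(correlate([SESSION_CLOSED, PAM_CLOSED]))
    # With a PID on the pam line, user and client IP end up in one record.
    print(correlate([SESSION_CLOSED, PAM_CLOSED_WITH_PID]))
```

Run as a script, the first call shows the two quoted lines cannot be merged (the pam event lands in the unkeyed list), while the second merges user name and client address under PID 6848. Whatever field ends up as the join key would be what a patterndb rule should emit as usracct.sessionid for both messages; the timeout question in the reply is a separate concern that this query-time join avoids entirely, since it never has to hold state while a session is open.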
