[syslog-ng] login
Peter Czanik
czanik at balabit.hu
Thu Oct 7 12:35:32 CEST 2010
Hello,
Attached is my list of sample log lines for console and telnet logins. I
checked it with the login.pdb from
http://git.balabit.hu/?p=bazsi/syslog-ng-patterndb.git;a=blob;f=access/login.pdb;h=b3831a503bb8c10a443197c7f243689de2ef02f5;hb=HEAD
and ran into some troubles. ( pdbtool match -p login.pdb -f
~/login.samples )The generic problem is, that many lines appear as
"Unknown". Some more specific problems:
- root telnet access failure was not found
- root/user logins are not matched
- invalid user on console generates multiple name value pairs
It seems to me, that telnet and console logins generate mostly similar
log lines, but not the same. For "invalid user" we should probably
create name value pairs only for the line which appears in both cases:
pam_unix(login:auth): authentication failure;[...]
Or would we miss failure events if we don't create name value pairs for:
FAILED LOGIN (@NUMBER::@) on @QSTRING::'@ FOR 'UNKNOWN', Authentication
failure
Looking at my log samples, in the accepted login lines the only
difference is, that I don't have "LOGIN" before "(uid=0)" in the login
related lines. There is either nothing or a user name. Changing it to:
@ESTRING::(@uid=0)
did me the trick, and 'pdbtools test --validate login.pdb' still ran
without errors.
Bye,
--
Peter Czanik (CzP) <czanik at balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: login.samples
Url: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20101007/541e2b58/attachment.txt
More information about the syslog-ng
mailing list