[syslog-ng] login.pdb reworked

Martin Holste mcholste at gmail.com
Fri Oct 29 16:32:53 CEST 2010


Won't the user login pattern only catch root logins because of uid=0?

<pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>

Couldn't it be changed to

<pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>

On Fri, Oct 29, 2010 at 7:45 AM, Peter Czanik <czanik at balabit.hu> wrote:
> Hello,
>
> Attached is a new version of login.pdb (called login2.pdb). It has
> patterns for many console/terminal/telnet login/logout events. This
> version should generate one set of name value pairs for each event, and
> only one.
>
> If you use console/login/telnet for logins, please give it a try and let
> me know how it works for you. I found that there are some slight
> variations among messages even between different Ubuntu versions, so I'd
> like to see how these patterns work on a larger set of Linux
> distributions, UNIX revisions.
>
> Thank you for your help,
> --
>
> Peter Czanik (CzP) <czanik at balabit.hu>
> BalaBit IT Security / syslog-ng upstream
> http://czanik.blogs.balabit.com/


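Added example, not part of the original thread and not syslog-ng code: a small Python model of the literal and @ESTRING@ pieces used in the two patterns above, run against constructed pam_unix lines to show what a literal uid=0 accepts compared with a captured uid. It assumes a pattern must consume the whole message to match; the function names and sample lines are made up for this illustration.

```python
# Simplified model of patterndb matching: literals plus @ESTRING:name:delim@ only.
ORIGINAL = ("pam_unix(login:session): session opened for user "
            "@ESTRING:usracct.username: @by @ESTRING::(@uid=0)")
PROPOSED = ("pam_unix(login:session): session opened for user "
            "@ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@")

def compile_pattern(pattern):
    """Split a pattern into ('lit', text) and ('estring', name, delim) steps."""
    steps = []
    for i, part in enumerate(pattern.split("@")):
        if i % 2 == 0:                      # text outside @...@ is literal
            if part:
                steps.append(("lit", part))
        else:                               # text inside @...@ is a parser
            kind, name, delim = part.split(":", 2)
            if kind != "ESTRING":
                raise ValueError("only ESTRING is modelled here: " + kind)
            steps.append(("estring", name, delim))
    return steps

def match(pattern, message):
    """Return the captured name-value pairs, or None if the message does not match."""
    pos, values = 0, {}
    for step in compile_pattern(pattern):
        if step[0] == "lit":
            if not message.startswith(step[1], pos):
                return None
            pos += len(step[1])
        else:
            _, name, delim = step
            end = message.find(delim, pos)  # ESTRING reads up to the delimiter
            if end < 0:
                return None
            if name:                        # an empty name parses but stores nothing
                values[name] = message[pos:end]
            pos = end + len(delim)          # the delimiter itself is consumed
    return values if pos == len(message) else None

# Constructed sample messages (not taken from a real host).
SAMPLES = [
    "pam_unix(login:session): session opened for user root by LOGIN(uid=0)",
    "pam_unix(login:session): session opened for user alice by LOGIN(uid=0)",
    "pam_unix(login:session): session opened for user alice by alice(uid=1000)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line)
        print("  original:", match(ORIGINAL, line))
        print("  proposed:", match(PROPOSED, line))
```

In this model the literal `uid=0` constrains only the parenthesised field after "by", while the proposed pattern accepts any value there and stores it as `usracct.uid`.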