[syslog-ng] login.pdb reworked

Peter Czanik czanik at balabit.hu
Fri Oct 29 21:46:29 CEST 2010


Hello,

On 10/29/2010 04:32 PM, Martin Holste wrote:
> Won't the user login pattern only catch root logins because of uid=0?
>
> <pattern>pam_unix(login:session): session opened for user
> @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>
>
> Couldn't it be changed to
>
> <pattern>pam_unix(login:session): session opened for user
> @ESTRING:usracct.username: @by
> @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>
>   
No, check my log samples I used to create the patterns. User "czanik"
has uid=1000, still all the logs end with (uid=0):

Oct  7 09:28:17 ubuntu login[4454]: pam_unix(login:session): session
opened for user czanik by (uid=0)

So it does not seem to have anything to do with the user's uid.

Have a nice weekend! Bye,

-- 
Peter Czanik (CzP) <czanik at balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: login2.samples
Url: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20101029/3e4abc3f/attachment-0001.txt 
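
Added example, not part of the original message and not syslog-ng code: a simplified Python model of literal text plus @ESTRING@ parsers, run over the sample line quoted in the reply. Both patterns match that line, and the proposed one would store usracct.uid=0 for user czanik; the matcher, its full-message-match rule and all function names are assumptions made for illustration.

```python
import re

# Simplified model (an assumption, not syslog-ng's radix matcher): a pattern is
# literal text plus @ESTRING:name:delim@ parsers; the whole message must match.
TOKEN = re.compile(r"@ESTRING:([^:@]*):([^@]*)@")

PREFIX = "pam_unix(login:session): session opened for user "
ORIGINAL = PREFIX + "@ESTRING:usracct.username: @by @ESTRING::(@uid=0)"
PROPOSED = PREFIX + "@ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@"
# Message part of the sample line quoted in the reply.
SAMPLE = PREFIX + "czanik by (uid=0)"

def compile_pattern(pattern):
    """Split a pattern into ('lit', text) and ('estring', name, delim) steps."""
    steps, pos = [], 0
    for m in TOKEN.finditer(pattern):
        if m.start() > pos:
            steps.append(("lit", pattern[pos:m.start()]))
        steps.append(("estring", m.group(1), m.group(2)))
        pos = m.end()
    if pos < len(pattern):
        steps.append(("lit", pattern[pos:]))
    return steps

def match(pattern, message):
    """Return the named values if the pattern matches the message, else None."""
    values, pos = {}, 0
    for step in compile_pattern(pattern):
        if step[0] == "lit":
            if not message.startswith(step[1], pos):
                return None
            pos += len(step[1])
        else:
            _, name, delim = step
            end = message.find(delim, pos)
            if end < 0:
                return None
            if name:  # an empty name consumes text without storing it
                values[name] = message[pos:end]
            pos = end + len(delim)  # ESTRING consumes the delimiter too
    return values if pos == len(message) else None

if __name__ == "__main__":
    print("original:", match(ORIGINAL, SAMPLE))
    print("proposed:", match(PROPOSED, SAMPLE))
```
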

