[syslog-ng] login.pdb reworked
Matthew Hall
mhall at mhcomputing.net
Sat Oct 30 00:05:46 CEST 2010
On Fri, Oct 29, 2010 at 09:46:29PM +0200, Peter Czanik wrote:
> On 10/29/2010 04:32 PM, Martin Holste wrote:
> > Won't the user login pattern only catch root logins because of uid=0?
> >
> > <pattern>pam_unix(login:session): session opened for user
> > @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>
> >
> > Couldn't it be changed to
> >
> > <pattern>pam_unix(login:session): session opened for user
> > @ESTRING:usracct.username: @by
> > @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>
> >
> No, check my log samples I used to create the patterns. User "czanik"
> has uid=1000, still all the logs end with (uid=0):
>
> Oct 7 09:28:17 ubuntu login[4454]: pam_unix(login:session): session
> opened for user czanik by (uid=0)
The reason for this is because the (uid=0) is indicating the uid of the
user who opened the session. Meaning that the login was created by
something running as the root user uid 0. So in reality the pattern
should capture this other variable somewhere, for people who have
daemons which are non-root.
> Peter Czanik (CzP) <czanik at balabit.hu>
Matthew Hall.
More information about the syslog-ng
mailing list