[syslog-ng] login.pdb reworked

Matthew Hall mhall at mhcomputing.net
Sat Oct 30 00:05:46 CEST 2010


On Fri, Oct 29, 2010 at 09:46:29PM +0200, Peter Czanik wrote:
> On 10/29/2010 04:32 PM, Martin Holste wrote:
> > Won't the user login pattern only catch root logins because of uid=0?
> >
> > <pattern>pam_unix(login:session): session opened for user
> > @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>
> >
> > Couldn't it be changed to
> >
> > <pattern>pam_unix(login:session): session opened for user
> > @ESTRING:usracct.username: @by
> > @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>
> >   
> No, check my log samples I used to create the patterns. User "czanik"
> has uid=1000, still all the logs end with (uid=0):
> 
> Oct  7 09:28:17 ubuntu login[4454]: pam_unix(login:session): session
> opened for user czanik by (uid=0)

The reason for this is because the (uid=0) is indicating the uid of the 
user who opened the session. Meaning that the login was created by 
something running as the root user uid 0. So in reality the pattern 
should capture this other variable somewhere, for people who have 
daemons which are non-root.

> Peter Czanik (CzP) <czanik at balabit.hu>

Matthew Hall.
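The distinction drawn above (the uid in parentheses belongs to the process that opened the session, not to the user named in the message) is easy to get wrong when naming pattern fields. As an added example that is not part of the thread or of syslog-ng itself, this Python snippet implements a regex equivalent of the revised pattern, names the captured value `opener_uid` rather than the user's uid, and flags sessions opened by a non-root process; the log lines are constructed (the first mirrors Peter's sample), and the field names are my own choice.

```python
import re

# Regex equivalent of the revised patterndb pattern from the thread:
#   session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@
# pam_unix logs "session opened for user <name> by <opener>(uid=<N>)", where <N>
# is the uid of the process that opened the session (0 for login/sshd running as
# root), not the uid of <name>. The group is therefore named opener_uid here.
PAM_SESSION_RE = re.compile(
    r"pam_unix\((?P<service>[^:]+):session\): session opened for user "
    r"(?P<username>\S+) by (?P<opener>\S*)\(uid=(?P<opener_uid>\d+)\)"
)


def parse_pam_session(line):
    """Return service, username, opener and opener_uid for a pam_unix line, else None."""
    m = PAM_SESSION_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["opener_uid"] = int(rec["opener_uid"])
    rec["opener"] = rec["opener"] or None  # empty when nothing precedes "(uid=...)"
    return rec


def sessions_opened_by_non_root(lines):
    """Sessions whose opening process was not uid 0, e.g. a daemon running unprivileged."""
    hits = []
    for line in lines:
        rec = parse_pam_session(line)
        if rec is not None and rec["opener_uid"] != 0:
            hits.append(rec)
    return hits


# Constructed sample lines: the first mirrors Peter's example, the rest are invented.
SAMPLE_LINES = [
    "Oct  7 09:28:17 ubuntu login[4454]: pam_unix(login:session): session opened for user czanik by (uid=0)",
    "Oct  7 09:30:02 ubuntu sshd[4510]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Oct  7 09:31:40 ubuntu cron[4600]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Oct  7 09:32:11 ubuntu myapp[4700]: pam_unix(myapp:session): session opened for user bob by svc(uid=1001)",
    "Oct  7 09:33:00 ubuntu kernel: unrelated message",
]

if __name__ == "__main__":
    for rec in sessions_opened_by_non_root(SAMPLE_LINES):
        print(rec)
```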
