[syslog-ng] vsftpd login/login failure events

Peter Czanik czanik at balabit.hu
Thu Sep 23 18:07:58 CEST 2010


Hello,

Attached are the vsftpd login/login failure events I found. There was no
trace of logout in the logs.

Question: what is the correct way of dealing with the last rule? It has
"vsftpd" twice in it. I checked, and obviously only the last appearance
counts. Is it worth defining it twice?

linux-6y8u:/local/czanik/tmp/syslog-ng-patterndb/file-service # pdbtool match -D -p vsftpd.pdb -P vsftpd -M "pam_listfile(bla1:auth): Refused user root for service bla2"
Pattern matching part:
pam_listfile(@STRING:usracct.service=bla1@:auth): Refused user @ESTRING:usracct.username=root@for service @ANYSTRING:usracct.service=bla2@
Matching part:
pam_listfile(bla1:auth): Refused user root for service bla2
Values:
MESSAGE=pam_listfile(bla1:auth): Refused user root for service bla2
PROGRAM=vsftpd
.classifier.class=system
.classifier.rule_id=7256a6d6-c720-11df-8a1d-000c298c9ba2
usracct.username=root
usracct.service=bla2
usracct.type=login
usracct.sessionid=
usracct.application=vsftpd
secevt.verdict=REJECT

Bye,

-- 
Peter Czanik (CzP) <czanik at balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: vsftpd.txt
Url: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20100923/183097c5/attachment.txt 
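
The duplicate-name case asked about in the message above, as an added example that is not part of the original post and not syslog-ng code: a small Python lint that scans patterndb XML for rules whose pattern captures the same value name more than once. The sample ruleset, its rule ids and the pattern text (rebuilt from the pdbtool debug output) are constructed, and the script assumes parser references only take the forms `@TYPE:name@`, `@TYPE:name:param@` and the `@@` escape.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample ruleset. The first rule's pattern is rebuilt from the pdbtool
# debug output in the message; rule ids and the second rule are made up.
SAMPLE_PDB = """<patterndb version="3" pub_date="2010-09-23">
 <ruleset name="vsftpd" id="example-ruleset">
  <pattern>vsftpd</pattern>
  <rules>
   <rule provider="example" id="example-rule-dup" class="system">
    <patterns>
     <pattern>pam_listfile(@STRING:usracct.service@:auth): Refused user @ESTRING:usracct.username: @for service @ANYSTRING:usracct.service@</pattern>
    </patterns>
   </rule>
   <rule provider="example" id="example-rule-ok" class="system">
    <patterns>
     <pattern>mail admin@@example.com about @ESTRING:usracct.username: @from @IPv4:usracct.device@</pattern>
    </patterns>
   </rule>
  </rules>
 </ruleset>
</patterndb>"""

# "@@" is a literal at-sign; otherwise a reference is @TYPE:name@ or @TYPE:name:param@.
PARSER_REF = re.compile(r"@@|@([A-Za-z0-9_]+):([^:@]*)(?::([^@]*))?@")

def parser_names(pattern):
    """Names captured by a pattern, in order of appearance (unnamed parsers skipped)."""
    return [m.group(2) for m in PARSER_REF.finditer(pattern) if m.group(2)]

def find_duplicate_names(pdb_xml):
    """Return (rule id, [names captured more than once]) for each offending rule."""
    findings = []
    for rule in ET.fromstring(pdb_xml).iter("rule"):
        for pat in rule.iter("pattern"):
            counts = Counter(parser_names(pat.text or ""))
            dups = sorted(name for name, n in counts.items() if n > 1)
            if dups:
                findings.append((rule.get("id"), dups))
    return findings

if __name__ == "__main__":
    for rule_id, names in find_duplicate_names(SAMPLE_PDB):
        print(f"rule {rule_id}: captured more than once: {', '.join(names)}")
```

A finding here means one of the captured values will not survive into the log record, which matters when a field such as usracct.service feeds login-failure alerting.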

