[syslog-ng] vsftpd login/login failure events
Peter Czanik
czanik at balabit.hu
Fri Sep 24 14:42:57 CEST 2010
Hello,
On 09/23/2010 06:07 PM, Peter Czanik wrote:
> Hello,
>
> Attached are the vsftpd login/login failure events I found. There was no
> trace of logout in the logs.
>
One more rule, for a situation not addressed yesterday: invalid username:
HOST=linux-6y8u
MESSAGE=gkr-pam: error looking up user information for: asdf
PROGRAM=vsftpd
PID=1
LEGACY_MSGHDR=vsftpd[1]:
.classifier.class=system
.classifier.rule_id=ac8c7834-c7d5-11df-bb3c-000c298c9ba2
usracct.username=asdf
usracct.type=login
usracct.sessionid=1
usracct.application=vsftpd
secevt.verdict=REJECT
<rule provider="patterndb" id="ac8c7834-c7d5-11df-bb3c-000c298c9ba2" class="system">
  <patterns>
    <pattern>gkr-pam: error looking up user information for: @ANYSTRING:usracct.username@</pattern>
  </patterns>
  <examples>
    <example>
      <test_message>gkr-pam: error looking up user information for: asdf</test_message>
      <test_values>
        <test_value name="usracct.username">asdf</test_value>
      </test_values>
    </example>
  </examples>
  <values>
    <value name="usracct.type">login</value>
    <value name="usracct.sessionid">$PID</value>
    <value name="usracct.application">$PROGRAM</value>
    <value name="secevt.verdict">REJECT</value>
  </values>
  <tags>
    <tag>usracct</tag>
    <tag>secevt</tag>
  </tags>
</rule>
Bye,
--
Peter Czanik (CzP) <czanik at balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
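Added example, not part of the original message and not syslog-ng code: a simplified Python re-implementation of how the rule above turns the vsftpd line into name-value pairs, including a run of the rule's own embedded example. The functions match, classify and failed_examples are hypothetical helpers, and the matcher only understands a literal prefix followed by one trailing @ANYSTRING@ parser, which is the shape this rule uses.

```python
import re
import xml.etree.ElementTree as ET
from string import Template

# Rule from the message above, line wraps rejoined and <tags> left out.
RULE_XML = """<rule provider="patterndb" id="ac8c7834-c7d5-11df-bb3c-000c298c9ba2" class="system">
 <patterns><pattern>gkr-pam: error looking up user information for: @ANYSTRING:usracct.username@</pattern></patterns>
 <examples><example>
  <test_message>gkr-pam: error looking up user information for: asdf</test_message>
  <test_values><test_value name="usracct.username">asdf</test_value></test_values>
 </example></examples>
 <values>
  <value name="usracct.type">login</value>
  <value name="usracct.sessionid">$PID</value>
  <value name="usracct.application">$PROGRAM</value>
  <value name="secevt.verdict">REJECT</value>
 </values>
</rule>"""

def match(pattern, message):
    """Literal prefix must match; @ANYSTRING@ takes the rest (client-supplied, untrusted)."""
    m = re.fullmatch(r"(.*?)@ANYSTRING:([^@]+)@", pattern, re.S)
    if m is None or not message.startswith(m.group(1)):
        return None
    return {m.group(2): message[len(m.group(1)):]}

def classify(rule, msg):
    """Return the name-value pairs the rule adds to msg, or None if nothing matches."""
    for pattern in rule.iter("pattern"):
        parsed = match(pattern.text, msg["MESSAGE"])
        if parsed is not None:
            out = {".classifier.rule_id": rule.get("id"), **parsed}
            for v in rule.iter("value"):
                out[v.get("name")] = Template(v.text).safe_substitute(msg)
            return out
    return None

def failed_examples(rule):
    """Run the rule's own <example> entries; return the test messages that fail."""
    bad = []
    for ex in rule.iter("example"):
        got = classify(rule, {"MESSAGE": ex.findtext("test_message")}) or {}
        if any(got.get(t.get("name")) != t.text for t in ex.iter("test_value")):
            bad.append(ex.findtext("test_message"))
    return bad
RULE = ET.fromstring(RULE_XML)
# Constructed sample event, using the field values shown in the message.
EVENT = {"PROGRAM": "vsftpd", "PID": "1",
         "MESSAGE": "gkr-pam: error looking up user information for: asdf"}
```

Against a real pattern database, syslog-ng's own pdbtool runs the embedded examples in its test mode.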