[syslog-ng] pure-ftpd

Peter Czanik czanik at balabit.hu
Fri Sep 24 16:17:19 CEST 2010


Hello,

On 09/24/2010 03:34 PM, Martin Holste wrote:
> My votes:
>
>> - many times there is just a question mark instead of the username.
>> Should it still be stored in a variable (useracct.username) or only for
>> the Logout lines, where it actually might get a useful value?
>>
> I would vote not to store the question mark since I think the ? is
> equivalent to NULL, which is what would get logically stored anyway.
>
>> - the "New connection" line has the same info (the IP address) twice.
>> How should it be handled?
>>
> I'm not seeing the IP twice in the examples you provided.
It was broken into two lines due to automatic line breaks, but the
following is a single log line, where the remote IP address
(192.168.2.142) appears twice:
Sep 24 13:52:42 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142

> If it is
> indeed there twice, I guess the question is what the tag name is for
> both.  If you weren't planning on having a tag for one of the two
> occurrences, then I would say skip that one since it wouldn't make
> sense without a tag name.
>
As the address/fqdn is always the same here, belonging to the same
variable (useracct.device), storing it once is enough. Then the first
appearance could be discarded with a @QSTRING::@@)@ and the second one
stored with an @ANYSTRING:useracct.device@.

>
>> - how should Anonymous login be handled?
>> @QSTRING:useracct.username: @
>> vs.
>> <value name="usracct.username">Anonymous</value>
>>
> I think "Anonymous" should definitely get logged the same as any other
> user name, since you would want to see that on reports.
It would be stored both ways; I would just like to know which is more
elegant, less resource hungry, etc.

>   Another
> thought would be to maybe switch it to the IP address, but I don't see
> how you would do that across log lines.
>
Well, that would require some session tracking, but even then we are out
of luck, as session information is missing from the logs.
Bye,

-- 
Peter Czanik (CzP) <czanik at balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
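A small Python reference parser for the choices discussed in this thread (the question-mark username is not stored, "Anonymous" is stored like any other username, and the remote address is stored once after checking that both copies in the line agree). This is an added example, not code from the thread or from syslog-ng's patterndb; the field names useracct.username and useracct.device come from the thread, while the device_mismatch key and the second sample line are constructed here.

```python
import re
from typing import Optional

# pure-ftpd prefixes every message with "(user@host)"; the user is "?" until the
# session has logged in.  The optional syslog header is skipped so that either a
# full line or just the MESSAGE part (what patterndb sees) can be passed in.
PREFIX_RE = re.compile(
    r"^(?:.*\bpure-ftpd: )?"
    r"\((?P<user>[^@)]*)@(?P<device>[^)]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
# The one message body the thread looks at; it repeats the remote address.
NEW_CONN_RE = re.compile(r"^New connection from (?P<device>\S+)$")


def parse_pure_ftpd(line: str) -> Optional[dict]:
    """Return patterndb-style name/value pairs for one pure-ftpd log line.

    Choices mirror the thread:
      * a "?" username is not stored (it is the equivalent of NULL);
      * "Anonymous" is stored like any other username;
      * the remote address is stored once, as useracct.device, after checking
        that the copy in the prefix and the copy in the body agree.
    """
    m = PREFIX_RE.match(line)
    if m is None:
        return None
    values = {}
    if m.group("user") != "?":
        values["useracct.username"] = m.group("user")
    prefix_device = m.group("device")
    body = NEW_CONN_RE.match(m.group("msg"))
    if body is not None and body.group("device") != prefix_device:
        # The "store it once" shortcut only holds while both copies agree;
        # keep both and flag it.  (device_mismatch is an invented key.)
        values["useracct.device"] = body.group("device")
        values["device_mismatch"] = prefix_device
        return values
    values["useracct.device"] = prefix_device
    return values


# The line quoted in the thread, rejoined into a single line, plus a constructed
# message body (not a real pure-ftpd message) to show the Anonymous case.
SAMPLE_LINES = [
    "Sep 24 13:52:42 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142",
    "(Anonymous@192.168.2.142) [INFO] constructed sample message",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_pure_ftpd(sample))
```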
