[syslog-ng] one more sshd rule

Balazs Scheidler bazsi at balabit.hu
Wed Sep 29 10:57:18 CEST 2010


Hi,

Are you sure that in this case sshd will not emit the already covered
messages?

Because if it does, then we'd be generating two login failures to a
single message.

I remember selecting only one of the failure messages, only the one
which contained the most information.

If this is the case, then this one should only be marked up for
logcheck-style classification to mark that it's known and no name-value
pairs or tags.

If this is not the case, then that's a different matter that needs
handling probably with the new correlation framework.

On Thu, 2010-09-23 at 14:11 +0200, Peter Czanik wrote:
> Hello,
> 
> While checking my logs with pdbtool, I ran into this log message:
> 
> Sep 23 13:10:03 linux-6y8u sshd[21420]: error: PAM: Authentication
> failure for root from 192.168.2.52
> 
> The attached rule seems to find it correctly:
> 
> HOST=linux-6y8u
> MESSAGE=error: PAM: Authentication failure for root from 192.168.2.52
> PROGRAM=sshd
> PID=21420
> LEGACY_MSGHDR=sshd[21420]:
> .classifier.class=system
> .classifier.rule_id=55ec76e0-c709-11df-b62d-000c298c9ba2
> usracct.username=root
> usracct.device=192.168.2.52
> usracct.type=login
> usracct.sessionid=21420
> usracct.application=sshd
> secevt.verdict=REJECT
> 
> Bye,
> 

-- 
Bazsi
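The double-counting risk raised in this thread, illustrated with an added example that is not part of the thread and not syslog-ng's own code. It parses the sshd message quoted above together with OpenSSH's standard "Failed password for ... from ... port ... ssh2" message (the second message form is assumed here, it does not appear in the thread), counts failures naively once per message, and then correlates the two messages sshd can emit for one failed attempt into a single event using the syslog host, the sshd PID, the username and the peer address. The log lines are constructed; only the PAM message shape is taken from the thread.

```python
import re

# Constructed sample sshd lines (the PAM message shape comes from the thread,
# everything else is made up for this example). PID 21420 and PID 21477 show
# the two messages sshd can emit for one failed login; PID 21477 also shows a
# second attempt inside the same session; PID 21510 logs only the PAM form.
SAMPLE_LOG = """\
Sep 23 13:10:03 linux-6y8u sshd[21420]: error: PAM: Authentication failure for root from 192.168.2.52
Sep 23 13:10:03 linux-6y8u sshd[21420]: Failed password for root from 192.168.2.52 port 50213 ssh2
Sep 23 13:11:17 linux-6y8u sshd[21477]: error: PAM: Authentication failure for alice from 192.168.2.52
Sep 23 13:11:17 linux-6y8u sshd[21477]: Failed password for alice from 192.168.2.52 port 50220 ssh2
Sep 23 13:11:21 linux-6y8u sshd[21477]: error: PAM: Authentication failure for alice from 192.168.2.52
Sep 23 13:11:21 linux-6y8u sshd[21477]: Failed password for alice from 192.168.2.52 port 50220 ssh2
Sep 23 13:12:40 linux-6y8u sshd[21510]: error: PAM: Authentication failure for root from 192.168.2.77
Sep 23 13:13:02 linux-6y8u sshd[21533]: Accepted publickey for bob from 192.168.2.10 port 50300 ssh2
"""

# Classic BSD syslog header: timestamp, host, program[pid]: message
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# The two sshd message bodies that can describe the same failed login.
MESSAGE_PATTERNS = {
    "pam": re.compile(
        r"^error: PAM: Authentication failure for (?P<user>\S+) from (?P<device>\S+)$"
    ),
    "failed_password": re.compile(
        r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<device>\S+) "
        r"port \d+ ssh2$"
    ),
}


def parse_line(line):
    """Return a dict describing a login failure, or None for any other line."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    for kind, pattern in MESSAGE_PATTERNS.items():
        body = pattern.match(m.group("msg"))
        if body:
            return {
                "ts": m.group("ts"),
                "host": m.group("host"),
                "pid": int(m.group("pid")),
                "kind": kind,
                "username": body.group("user"),
                "device": body.group("device"),
            }
    return None


def naive_failure_count(lines):
    """One failure per matching message: over-counts when sshd logs both forms."""
    return sum(1 for line in lines if parse_line(line) is not None)


def correlated_failures(lines):
    """Collapse the message pair sshd emits for one failed attempt into one event.

    Key: host + sshd PID + username + peer address. A message joins the most
    recent open event with the same key only if that event has not yet seen a
    message of the same kind; otherwise it starts a new event. This keeps
    repeated attempts within one session (same PID) as separate failures.
    """
    events = []
    pending = {}  # key -> event still waiting for its partner message
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["pid"], rec["username"], rec["device"])
        event = pending.get(key)
        if event is not None and rec["kind"] not in event["messages"]:
            event["messages"].add(rec["kind"])
            del pending[key]  # both halves of the pair have been seen
            continue
        event = {
            "ts": rec["ts"],
            "host": rec["host"],
            "pid": rec["pid"],
            "username": rec["username"],
            "device": rec["device"],
            "messages": {rec["kind"]},
        }
        events.append(event)
        pending[key] = event
    return events


def summarize(lines):
    """Compare the naive per-message count with the correlated event count."""
    events = correlated_failures(lines)
    return {
        "messages": naive_failure_count(lines),
        "failures": len(events),
        "single_message_failures": sum(1 for e in events if len(e["messages"]) == 1),
    }


if __name__ == "__main__":
    for event in correlated_failures(SAMPLE_LOG.splitlines()):
        print(event)
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run as-is, the naive count reports seven failures for four actual attempts. Pairing by PID, username and address is exactly the kind of state a pattern-matching classifier on its own cannot keep, which is why the reply above suggests either marking the second message as known without emitting name-value pairs or handling the pair in the correlation framework.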