[syslog-ng] pure-ftpd patterns

Peter Czanik czanik at balabit.hu
Thu Sep 30 16:43:32 CEST 2010


Hello,

Attached are the pure-ftpd login/logout/failure patterns and the sample
file I used. Some notes:
- logouts where the username is "?" are not tagged, as these just mark that
a TCP/IP connection is torn down
- PAM messages are not tagged, as that would create duplicate messages
about the same event. The variable part of them is simply discarded with
an @ANYSTRING@
- anonymous login/logout events are tagged, username is set to
"anonymous" from "ftp"

You can check the attached pure-ftpd.pdb with the following command:

cat pure-ftpd.samples | grep -v CzP | pdbtool match -p pure-ftpd.pdb -f -

CzP lines are comments...

Please check it on your own pure-ftpd logs to see if I missed anything!
Thanks!

Bye,

-- 
Peter Czanik (CzP) <czanik at balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pure-ftpd.pdb
Type: application/vnd.palm
Size: 8119 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20100930/640cc24a/attachment.bin 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pure-ftpd.samples
Url: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20100930/640cc24a/attachment.txt 
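
The tagging decisions listed in the message, as an added Python stand-in that is not part of the original post or of the attached pure-ftpd.pdb. The message shapes, the `event`/`username`/`host` field names and the `login_failure` label are assumptions, and the sample lines are constructed rather than taken from pure-ftpd.samples.

```python
import re

# Assumed pure-ftpd message shape: "(user@host) [LEVEL] text"
SESSION = re.compile(r"^\((?P<user>[^@]*)@(?P<host>[^)]*)\) \[[A-Z]+\] (?P<text>.*)$")
LOGIN = re.compile(r"^(?P<user>\S+) is now logged in$")
FAILURE = re.compile(r"^Authentication failed for user \[(?P<user>[^\]]*)\]$")

# Constructed sample lines (program prefix already stripped); not the attached file.
SAMPLES = [
    "CzP anonymous session, then a real user, then a failed login",
    "(?@192.0.2.10) [INFO] New connection from 192.0.2.10",
    "(?@192.0.2.10) [INFO] Anonymous user logged in",
    "(ftp@192.0.2.10) [INFO] Logout.",
    "(?@192.0.2.11) [INFO] alice is now logged in",
    "(alice@192.0.2.11) [INFO] Logout.",
    "pam_unix(pure-ftpd:auth): authentication failure; user=bob rhost=192.0.2.12",
    "(?@192.0.2.12) [WARNING] Authentication failed for user [bob]",
    "(?@192.0.2.12) [INFO] Logout.",
]

def filter_samples(lines):
    """Drop comment lines the way `grep -v CzP` does."""
    return [line for line in lines if "CzP" not in line]

def event(kind, user, host):
    """Build a tagged event; the anonymous account "ftp" is reported as "anonymous"."""
    return {"event": kind, "username": "anonymous" if user == "ftp" else user, "host": host}

def classify(message):
    """Return the tagged event for one message, or None if it stays untagged."""
    if message.startswith("pam_"):  # PAM reports the same event again: no tag
        return None
    m = SESSION.match(message)
    if not m:
        return None
    user, host, text = m.group("user", "host", "text")
    if text == "Logout.":
        # user "?" only means that the TCP/IP connection was torn down
        return None if user == "?" else event("logout", user, host)
    if text == "Anonymous user logged in":
        return event("login", "ftp", host)
    login = LOGIN.match(text)
    if login:
        return event("login", login.group("user"), host)
    failure = FAILURE.match(text)
    return event("login_failure", failure.group("user"), host) if failure else None

def run(lines=SAMPLES):
    """Classify every non-comment sample line, in order."""
    return [classify(line) for line in filter_samples(lines)]
```

Comparing this output with what `pdbtool match` reports for the same lines shows whether a "?" logout or a PAM line is being tagged by mistake.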

