List: syslog-ng
Subject: Re: [syslog-ng] one more sshd rule
From: Peter Czanik <czanik () balabit ! hu>
Date: 2010-09-29 9:34:49
Message-ID: 4CA30839.5080809 () balabit ! hu
On 09/29/2010 10:57 AM, Balazs Scheidler wrote:
> Hi,
>
> Are you sure that in this case sshd will not emit the already covered
> messages?
>
> Because if it does, then we'd be generating two login failures to a
> single message.
>
> I remember selecting only one of the failure messages, only the one
> which contained the most information.
>
> If this is the case, then this one should only be marked up for
> logcheck-style classification to mark that it's known and no name-value
> pairs or tags.
>
> If this is not the case, then that's a different matter that needs
> handling probably with the new correlation framework.
>
I found this message on openSUSE, and no other related messages were in
the log. So, in my case it was the only log about the login failure.
Bye,
CzP
> On Thu, 2010-09-23 at 14:11 +0200, Peter Czanik wrote:
>
>> Hello,
>>
>> While checking my logs with pdbtool, I ran into this log message:
>>
>> Sep 23 13:10:03 linux-6y8u sshd[21420]: error: PAM: Authentication
>> failure for root from 192.168.2.52
>>
>> The attached rule seems to find it correctly:
>>
>> HOST=linux-6y8u
>> MESSAGE=error: PAM: Authentication failure for root from 192.168.2.52
>> PROGRAM=sshd
>> PID=21420
>> LEGACY_MSGHDR=sshd[21420]:
>> .classifier.class=system
>> .classifier.rule_id=55ec76e0-c709-11df-b62d-000c298c9ba2
>> usracct.username=root
>> usracct.device=192.168.2.52
>> usracct.type=login
>> usracct.sessionid=21420
>> usracct.application=sshd
>> secevt.verdict=REJECT
>>
>> Bye,
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
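The rule attached to the original mail is not reproduced in the archive. Below is a reconstruction, added here and not the attachment itself, of a syslog-ng patterndb rule that would produce the name-value pairs shown in the pdbtool output above (class=system, usracct.*, secevt.verdict). The ruleset id and the provider attribute are placeholders; the rule id is the one from the quoted output. The `values` block is exactly the part Balazs suggests dropping if sshd also emits one of the already-covered failure messages for the same attempt, so that a single failed login is not counted twice; with it removed the rule only classifies the message as known.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Reconstructed example rule, not the attachment from the original mail. -->
<patterndb version="4" pub_date="2010-09-29">
  <!-- ruleset id is a placeholder; pick a fresh UUID for a real ruleset -->
  <ruleset name="sshd-pam" id="RULESET-ID-PLACEHOLDER">
    <!-- only messages whose PROGRAM is sshd are matched against these rules -->
    <pattern>sshd</pattern>
    <rules>
      <!-- provider is a placeholder; the rule id is the one from the pdbtool output -->
      <rule provider="example" id="55ec76e0-c709-11df-b62d-000c298c9ba2" class="system">
        <patterns>
          <!-- ESTRING consumes up to the delimiter " "; ANYSTRING takes the rest -->
          <pattern>error: PAM: Authentication failure for @ESTRING:usracct.username: @from @ANYSTRING:usracct.device@</pattern>
        </patterns>
        <!-- Remove this block (keeping class="system") if the message only
             duplicates a failure already covered by another sshd rule, so that
             one failed login is not reported twice. -->
        <values>
          <value name="usracct.type">login</value>
          <value name="usracct.sessionid">$PID</value>
          <value name="usracct.application">$PROGRAM</value>
          <value name="secevt.verdict">REJECT</value>
        </values>
        <examples>
          <!-- the message from the original mail, used by "pdbtool test" -->
          <example>
            <test_message program="sshd">error: PAM: Authentication failure for root from 192.168.2.52</test_message>
            <test_values>
              <test_value name="usracct.username">root</test_value>
              <test_value name="usracct.device">192.168.2.52</test_value>
              <test_value name="secevt.verdict">REJECT</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Running `pdbtool test` on the file checks the embedded example against the pattern, and `pdbtool match -p <file> -P sshd -M "error: PAM: Authentication failure for root from 192.168.2.52"` prints the same name-value pairs as in the quoted output. Whether a second rule in the sshd ruleset fires on the accompanying "Failed password" line for the same PID is what decides if this rule should keep its `values` block or classify only.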