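#
# From http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
#
# Events concerning user activities.
#
# Logs involving logins, change of UID and privilege escalations (USERACT)
# -------------------------------------------------------------------------
#
# Every pattern below begins with \S+\s+\d+\s+\S+\s+(\S+)\s+ : this consumes
# the syslog prefix "Mon DD HH:MM:SS host" (e.g. "Nov 14 12:14:58 foohost")
# and captures the host name as $1.  desc=$0 names the event by the whole
# matched line; %t in each action is the time the rule fired.  Rules are
# tried in file order, so the more specific "su bad" rule comes before
# "su good to root".
#
# Sample lines the rules were written against:
#
#Nov 14 12:14:58 foohost sshd[3388]: fatal: Timeout before authentication for 192.168.1.1
#Nov 14 19:58:34 foohost sshd[6597]: Bad protocol version identification '^B^S^D^Q^L' from 192.168.1.100
#Oct 18 06:16:53 foohost sshd[131]: Accepted keyboard-interactive/pam for jpb from 192.168.1.1 port 1077 ssh2
#Nov 14 12:55:29 foohost sshd[3425]: Accepted keyboard-interactive/pam for jpb from fe80::2c0:4fff:fe18:13fd%ep0 port 27492 ssh2
#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2
#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2, mysql
#Oct 18 03:20:46 foohost login: 2 LOGIN FAILURES ON ttyv0
#Oct 18 02:52:04 foohost login: ROOT LOGIN (root) ON ttyv1
#Oct 18 06:11:11 foohost login: login on ttyv0 as root
#Nov 10 19:40:03 foohost su: jpb to root on /dev/ttyp0
#Nov 18 09:37:38 foohost su: BAD SU jpb to root on /dev/ttyp3
#Nov 22 12:26:44 foohost su: BAD SU badboy to root on /dev/ttyp0
#
#
# sshd Problems
# --------------
# $2 is the keyword ("fatal" or "Bad"), $3 the rest of the sshd message.
# NOTE: $3 is echoed verbatim and, for the "Bad protocol version
# identification" case, contains bytes supplied by the remote peer
# (see the '^B^S^D^Q^L' sample) - bear that in mind if the output is
# viewed on a terminal or fed to another parser.
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: (fatal|Bad)(.*)
desc=$0
action=write - USERACT: $1 sshd $2 problem, text: $3 at %t

#
# sshd Accepted
# --------------
# $2 is everything after "Accepted " (auth method, user, source, port).
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: Accepted (.*)
desc=$0
action=write - USERACT: $1 sshd accepted login, text: $2 at %t

#
# login FAILURES
# ---------------
# $2 is the "N LOGIN FAILURE(S)" text; the trailing "." swallows either
# the "S" of FAILURES or the following space, so $2 may end in a space.
# $3 ("ON", possibly with a leading space) is captured but not reported;
# $4 is the tty and anything after it (e.g. "ttyp2, mysql").
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+login: (.*?FAILURE.)(.*?ON) (.*)
desc=$0
action=write - USERACT: $1 login $2 on $4 at %t

#
# root login on a terminal
# ------------------------
# Added: covers the two "ROOT LOGIN (root) ON ttyv1" and
# "login on ttyv0 as root" sample lines above, which no other rule
# in this file matched even though the file is about privilege use.
# The FAILURES rule cannot match these lines (no "FAILURE" text), so
# ordering relative to it does not matter.  $2 is the matched text.
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+login: (ROOT LOGIN \(\S+\) ON \S+|login on \S+ as root)
desc=$0
action=write - USERACT: $1 root login, text: $2 at %t

#
# su bad
# -----------------
# $2 = "BAD SU", $3 = calling user, $4 = target user, $5 = tty.
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (BAD SU) (\S+) to (\S+) on (\S+)
desc=$0
action=write - USERACT: $1 su: $2 $3 to $4 on $5 at %t

#Nov 10 19:40:03 foohost su: jpb to root on /dev/ttyp0
#Nov 18 09:37:38 foohost su: BAD SU jpb to root on /dev/ttyp3
#Nov 22 12:26:44 foohost su: BAD SU badboy to root on /dev/ttyp0
#
#
# su good to root
# -----------------
# $2 = calling user, $3 = tty.  The pattern has only three groups; the
# original action referenced $4 for the tty, which does not exist, so the
# reported tty was missing - fixed to $3.
# A "BAD SU x to root" line cannot match here: after "su: " the single
# \S+ group would have to span "BAD SU x", so those lines are only
# reported by the "su bad" rule above.
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (\S+) to root on (\S+)
desc=$0
action=write - USERACT: $1 su: $2 to ROOT on $3 at %t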