In message <[EMAIL PROTECTED] om>, [EMAIL PROTECTED] writes:
>I am trying to keep track of users that log onto and off our FTP server
>(proftpd). When they do log off I want to notify certain people by email as
>to who just used the FTP server.
>
>This would include users that uploaded files then just walked away, so that
>the server eventually disconnected them after they finished uploading and
>timed out. That makes extended logs unreliable (no QUIT action), so I'm
>using SEC to analyze the proftpd system log, using "FTP session closed" as
>the trigger. Unfortunately, this type of entry only gives the PID of the
>user session not their ID. I therefore need to look back in the logs to
>where they logged on (which may have been two minutes or two hours earlier)
>then figure out the User ID to include in an email message.

This sounds like you want to use a context. So in the rule that
obtains the user's name, create the context:

  context_<pid>_username

where the pid is the process id. Add to that context the ID. When the
final event comes in you have the pid, so you can copy the contents
of the context context_<pid>_username into a variable and report it.

Try checking the ssh example at:

  http://www.cs.umb.edu/~rouilj/sec/sec_paper_full.pdf

for example. It seems to me there is a simpler example of this in
there as well, but I don't remember.

				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
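
The context approach described in the reply above, written out as a pair of SEC rules. This is an added example, not part of the original thread: the proftpd log line formats, the one-day context lifetime, the mail binary path and the recipient address are all assumptions to adjust for the real system.

```conf
# Added example, not from the original thread.
# Assumed (constructed) proftpd syslog lines this rule pair expects:
#   proftpd[4242]: ftp.example.com (client[192.0.2.10]) - USER alice: Login successful.
#   proftpd[4242]: ftp.example.com (client[192.0.2.10]) - FTP session closed.

# Rule 1: on login, create context_<pid>_username and store the user ID in it.
# The 86400 second lifetime (assumed value) expires the context on its own if
# the matching "session closed" line never arrives, so stale PIDs do not pile up.
type=Single
ptype=RegExp
pattern=proftpd\[(\d+)\].* USER (\S+): Login successful
desc=ftp login pid $1 user $2
action=create context_$1_username 86400; add context_$1_username $2

# Rule 2: on session close, fire only if a login was recorded for this PID.
# Copy the stored user ID into %user, drop the context, and mail the notice.
# The user ID travels in the text piped to mail's stdin, not on the command
# line, so a value taken from the log is never interpreted by the shell.
type=Single
ptype=RegExp
pattern=proftpd\[(\d+)\].* FTP session closed
context=context_$1_username
desc=ftp session closed pid $1
action=copy context_$1_username %user; delete context_$1_username; pipe 'FTP session closed for user %user pid $1' /usr/bin/mail -s "FTP session closed" ftp-admins@example.com
```

Because rule 2 is guarded by the context, "FTP session closed" lines for connections that never authenticated produce no mail.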