hi,
if you would like to use sec for simply scanning the past log files and
outputting failed login attempts, you could have the following simple rule:
# test.sec
type=single
ptype=regexp
pattern=pam_unix.* authentication failure; logname=.* uid=\d+ euid=\d+ tty=.* ruser=.* rhost=.* user=([\w.-]+)
desc=authentication failure for $1
action=write - %s
if you run sec as follows:
sec --conf=test.sec --input=/var/log/secure --notail
you will see messages like this for past failures:
authentication failure for risto
authentication failure for risto
authentication failure for root
hope this helps,
risto
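As an added example that is not part of Risto's reply or of SEC itself, here is the same regexp driven from a stand-alone Python script, which also applies the one-week window Sadettin asked about and captures rhost so the report can say where an attempt came from. The sample log lines are constructed after the ones posted in the thread (the sshd lines are hypothetical), and REFERENCE_NOW stands in for the current time.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# The regexp from the SEC rule above, anchored so the syslog timestamp is
# captured too, and with rhost captured as well (empty for local gdm logins).
PAM_FAILURE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ .*pam_unix.* authentication failure; "
    r"logname=.* uid=\d+ euid=\d+ tty=.* ruser=.* rhost=(\S*) user=([\w.-]+)"
)

# Constructed sample modelled on the thread's lines, plus two hypothetical sshd failures.
SAMPLE_LOG = """\
May 26 09:25:57 localhost unix_chkpwd[1947]: password check failed for user (sec)
May 26 09:25:57 localhost gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=sec
May 26 09:26:05 localhost gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=sec
May 26 09:26:19 localhost gdm-password]: pam_unix(gdm-password:session): session opened for user sec by (unknown)(uid=0)
May 20 08:00:00 localhost sshd[2001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
May 18 08:00:00 localhost sshd[1877]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=nobody
"""

# Fixed stand-in for the current time so the run is reproducible (use datetime.now() on real logs).
REFERENCE_NOW = datetime(2015, 5, 26, 12, 0, 0)

def failed_logins(log_text, now, window_days=7):
    """Return (timestamp, user, rhost) for each pam_unix failure within the window.
    syslog stamps carry no year; it is taken from `now` (assumes no year boundary)."""
    window = timedelta(days=window_days)
    hits = []
    for line in log_text.splitlines():
        m = PAM_FAILURE.match(line)
        if not m:
            continue  # unix_chkpwd and session-open lines are skipped, as with the SEC rule
        stamp = datetime.strptime(f"{now.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if timedelta(0) <= now - stamp <= window:
            hits.append((stamp, m.group(3), m.group(2)))
    return hits

def report_lines(hits):
    """Same text as the SEC rule's desc, with the source host appended when known."""
    return [f"authentication failure for {user}" + (f" from {rhost}" if rhost else "")
            for _, user, rhost in hits]

def failures_per_user(hits):
    return Counter(user for _, user, _ in hits)

if __name__ == "__main__":
    found = failed_logins(SAMPLE_LOG, REFERENCE_NOW)
    print("\n".join(report_lines(found)), dict(failures_per_user(found)), sep="\n")
```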
2015-05-26 16:20 GMT+03:00 <[email protected]>:
>
> *From:* Risto Vaarandi [mailto:[email protected]]
> *Sent:* Tuesday, May 26, 2015 3:29 PM
> *To:* Sadettin ARSLAN
> *Subject:* Re: SEC
>
> Can you post this question to the SEC mailing list, not my personal
> e-mail? In that way, others will benefit from the discussion. Thanks!
>
> risto
>
> 2015-05-26 12:09 GMT+03:00 <[email protected]>:
>
> Hi;
>
> We have events about logins in /var/log/secure file. They are like below.
>
> May 26 May 26 09:25:57 localhost unix_chkpwd[1947]: password check failed for user (sec)
>
> May 26 09:25:57 localhost gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=sec
>
> May 26 09:26:05 localhost unix_chkpwd[1952]: password check failed for user (sec)
>
> May 26 09:26:05 localhost gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=sec
>
> May 26 09:26:13 localhost unix_chkpwd[1966]: password check failed for user (sec)
>
> May 26 09:26:13 localhost gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=sec
>
> May 26 09:26:19 localhost gdm-password]: pam_unix(gdm-password:session): session opened for user sec by (unknown)(uid=0)
>
> I failed at login on purpose to get those event logs. I want to display
> them in terminal using *action=write - %s* in A.rules.
>
> I want it to correlate the login logs from 1 week ago to now. This means
> it won't be real time. I want to write the command *sec --conf=/etc/sec/A.rules
> --input=/var/log/secure --bufsize=1* in Terminal and see the failed login
> attempts if it is possible.
>
> What should I write in A.rules?
>
> Thank you, Best Regards.
>
> Sadettin ARSLAN
>
> *From:* Risto Vaarandi [mailto:[email protected]]
> *Sent:* Monday, May 25, 2015 4:12 PM
> *To:* Sadettin ARSLAN
> *Cc:* [email protected]
> *Subject:* Re: SEC
>
> hi,
>
> what kind of events are we talking about? Whatever rules you want to write
> for sec, the events need to be recognized somehow, and in order to write a
> regular expression (or other pattern) for this purpose, the event format
> needs to be known.
>
> Also, do you want to react to failed login events that happen in
> real-time, or is your intention to search the past logs (say, 1 hour, 1 day
> or 1 week old)? If you intend to search past log data for off-line incident
> analysis, sec is probably not the right tool, since it is designed for
> analyzing and correlating real-time events.
>
> So if you could clarify your question a bit further, we might be able to
> provide more assistance.
>
> kind regards,
>
> risto
>
> 2015-05-25 12:06 GMT+03:00 <[email protected]>:
>
> Hi;
>
> I am new in SEC. I want to set a ruleset to display the last failed login
> attempt in Terminal. How can I display the outcome in Terminal? If you help
> me I will be glad.
>
> Best Regards.
>
> Sadettin ARSLAN
>
> This e-mail and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are
> addressed. If you are not the intended recipient you are hereby notified
> that any dissemination, copying or use of the information is prohibited.
> The opinions expressed in this message belong to sender alone. This e-mail
> has been scanned for all known computer viruses.
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users