From OSSEC Wiki
Log Samples from Pam
Logs from pam_unix come in different formats depending on the operating system and PAM version, which makes parsing them troublesome. The prefix layouts seen in practice are:

- process_name(pam_unix)[pid]: message
- process_name[pid]: (pam_unix) message
- process_name: pam_unix(service:type): message (the pid may also be present, as in process_name[pid]: pam_unix(service:type): message)

The message itself (session opened, session closed, authentication failure, check pass; user unknown) is the same in all layouts, so a parser should match on the prefix first and then on the message.
- Login successful:
Jul 7 10:51:24 srbarriga su(pam_unix)[14592]: session opened for user test2 by (uid=10101)
Jul 7 10:52:14 srbarriga sshd(pam_unix)[17365]: session opened for user test by (uid=508)
Nov 17 21:41:22 localhost su[8060]: (pam_unix) session opened for user root by (uid=0)
- Session closed:
Jul 7 10:53:07 srbarriga su(pam_unix)[14592]: session closed for user test
- Login failed (note that the user= field is only present when the service passed a user name to PAM; sshd does, vsftpd in these samples does not):
Jul 7 10:55:56 srbarriga sshd(pam_unix)[16660]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.20.111 user=root
Jul 7 10:59:12 srbarriga vsftpd(pam_unix)[25073]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.20.111
Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4
- Invalid user login attempt:
Jul 7 10:59:49 srbarriga vsftpd(pam_unix)[25073]: check pass; user unknown

[[Category:log::samples]] [[Category:log::samples::linux]]
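The following parser is added here as a worked example; it is not part of the OSSEC wiki page and is not OSSEC's own decoder. It normalizes the prefix layouts listed above into one record and extracts the fields a rule would key on (user, rhost, uid, pid, event type), then counts authentication failures per remote host. The sample lines are copied from this page; `PamEvent`, `parse_pam` and `failures_by_rhost` are names chosen for this example.

```python
"""Normalize the pam_unix syslog layouts shown on this page into one event shape."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the lines from this page (constructed list, one record per line).
SAMPLES = [
    "Jul 7 10:51:24 srbarriga su(pam_unix)[14592]: session opened for user test2 by (uid=10101)",
    "Jul 7 10:52:14 srbarriga sshd(pam_unix)[17365]: session opened for user test by (uid=508)",
    "Nov 17 21:41:22 localhost su[8060]: (pam_unix) session opened for user root by (uid=0)",
    "Jul 7 10:53:07 srbarriga su(pam_unix)[14592]: session closed for user test",
    "Jul 7 10:55:56 srbarriga sshd(pam_unix)[16660]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.20.111 user=root",
    "Jul 7 10:59:12 srbarriga vsftpd(pam_unix)[25073]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.20.111",
    "Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4",
    "Jul 7 10:59:49 srbarriga vsftpd(pam_unix)[25073]: check pass; user unknown",
]

# Traditional syslog header: "Mon DD HH:MM:SS host rest" (single-digit days may carry two spaces).
SYSLOG_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)

# The program/PAM prefix in its layouts:
#   prog(pam_unix)[pid]: msg          -> group f1
#   prog[pid]: (pam_unix) msg         -> group f2
#   prog[pid]: pam_unix(service:type): msg -> groups service/ptype (pid optional)
PAM_PREFIX = re.compile(
    r"^(?P<prog>[\w.-]+)"
    r"(?P<f1>\(pam_unix\))?"
    r"(?:\[(?P<pid>\d+)\])?"
    r": "
    r"(?:(?P<f2>\(pam_unix\) )|pam_unix\((?P<service>[\w.-]+):(?P<ptype>\w+)\): )?"
    r"(?P<msg>.*)$"
)

SESSION_OPENED = re.compile(r"^session opened for user (?P<user>\S+) by (?P<by>[^\s(]*)\(uid=(?P<uid>\d+)\)")
SESSION_CLOSED = re.compile(r"^session closed for user (?P<user>\S+)")
AUTH_FAILURE = re.compile(r"^authentication failure; (?P<kv>.*)$")
USER_UNKNOWN = re.compile(r"^check pass; user unknown")


@dataclass
class PamEvent:
    timestamp: str
    host: str
    program: str
    layout: str            # which prefix layout the line used
    event: str             # session_opened / session_closed / auth_failure / user_unknown / other
    pid: Optional[int] = None
    user: Optional[str] = None
    rhost: Optional[str] = None
    uid: Optional[int] = None
    fields: Dict[str, str] = field(default_factory=dict)  # raw key=value pairs of a failure


def parse_pam(line: str) -> Optional[PamEvent]:
    """Return a PamEvent for a pam_unix line, or None if the line is not one."""
    h = SYSLOG_HDR.match(line.strip())
    if not h:
        return None
    p = PAM_PREFIX.match(h.group("rest"))
    if not p:
        return None
    if p.group("f1"):
        layout = "prog(pam_unix)[pid]"
    elif p.group("f2"):
        layout = "prog[pid]: (pam_unix)"
    elif p.group("service"):
        layout = "pam_unix(service:type)"
    else:
        return None  # some other program's syslog line: no pam_unix marker anywhere

    ev = PamEvent(
        timestamp=h.group("ts"), host=h.group("host"), program=p.group("prog"),
        layout=layout, event="other",
        pid=int(p.group("pid")) if p.group("pid") else None,
    )
    msg = p.group("msg")
    if m := SESSION_OPENED.match(msg):
        ev.event, ev.user, ev.uid = "session_opened", m.group("user"), int(m.group("uid"))
    elif m := SESSION_CLOSED.match(msg):
        ev.event, ev.user = "session_closed", m.group("user")
    elif m := AUTH_FAILURE.match(msg):
        ev.event = "auth_failure"
        # "logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4": empty values are legal and common
        ev.fields = dict(re.findall(r"(\w+)=(\S*)", m.group("kv")))
        ev.user = ev.fields.get("user") or None    # absent when the service passed no user name
        ev.rhost = ev.fields.get("rhost") or None
    elif USER_UNKNOWN.match(msg):
        ev.event = "user_unknown"
    return ev


def failures_by_rhost(lines: List[str]) -> Dict[str, int]:
    """Count authentication failures per remote host, the usual brute-force signal."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_pam(line)
        if ev and ev.event == "auth_failure" and ev.rhost:
            counts[ev.rhost] = counts.get(ev.rhost, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_pam(sample))
    print(failures_by_rhost(SAMPLES))
```

Matching the prefix first and the message second is what keeps the four layouts from needing four copies of every message pattern; the user= field is deliberately left as None when the service did not send one, so a rule that keys on the attacked account does not fire on an empty string.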
