
Re: Different logging formats, standardization...



man syslog states:
    LOG_EMERG        system is unusable
    LOG_ALERT        action must be taken immediately
    LOG_CRIT         critical conditions
    LOG_ERR          error conditions
    LOG_WARNING      warning conditions
    LOG_NOTICE       normal, but significant, condition
    LOG_INFO         informational message
    LOG_DEBUG        debug-level message

That is all we have.
Now think of an attack warning your system is not vulnerable to.
It certainly qualifies for info. Maybe even notice or warning.
Depending on the user's preferences.
If an attacker tries lots of different "old vulnerabilities", I'd like to
see a warning condition at least...

Or take this message from my logs:
  sshd[17934]: scanned from 217.96.131.90 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Kind of funny we need this "Don't panic." there?

Now have a look how different services log failed logins:
  proftpd[8438]: serverhostname (clienthost[ip]) - USER username: no
such user found from clienthost [ip] to serverip:port
This has redundant information: clienthost+ip is there twice.

Now sshd:
  sshd[16440]: pam_ldap: error trying to bind as user "<LDAPip>" (Invalid credentials)
  sshd[16440]: Failed password for <username> from <ip> port 2599 ssh2

My radius, courier-pop and courier-imap server log into auth.log:
PAM_unix[23085]: check pass; user unknown
PAM_unix[23085]: authentication failure; (uid=0) -> **unknown** for radius service
PAM_unix[21628]: authentication failure; (uid=0) -> **unknown** for pop3 service
PAM_unix[10755]: authentication failure; (uid=0) -> **unknown** for imap service

Missing the useful information "hostname".

Newer IMP logs:
IMP[7443]: FAILED <ip> to <servername>:143 as <username>

IMHO these should be unified to use a common format for failed logins.
<service>: login failed for <userid> from <hostname>[ip]: <additional info>

Greetings,
Erich

-- 
        erich@(mucl.de|debian.org)        --        GPG Key ID: 4B3A135C
        A polar bear is a rectangular bear after a coordinate transform.
  It is better to have loved and lost than never to have loved at all.
            "Knowledge is power" - if you make the right thing of it.
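The normalization the post asks for, as an added example that is not part of the original message and not code from any of the daemons it quotes: a small Python parser that recognises the proftpd, sshd, PAM_unix and IMP failed-login lines in the formats shown above and rewrites each into the proposed `<service>: login failed for <userid> from <hostname>[ip]: <additional info>` form, then counts failures per source IP across all services. The sample lines are constructed from the quoted formats with invented hostnames, IPs, usernames and ports; the "invalid user" sshd variant is a generalization beyond the one sshd line in the post. Where a source line carries no hostname or IP (the PAM lines, sshd's hostless lines), the gap is shown as "-" rather than hidden.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log lines modelled on the formats quoted in the post.
# Hostnames, IP addresses, usernames and ports are invented for this example.
SAMPLE_LINES = [
    "proftpd[8438]: ftp.example.org (client.example.net[192.0.2.10]) - USER bob: "
    "no such user found from client.example.net [192.0.2.10] to 198.51.100.5:21",
    "sshd[16440]: Failed password for alice from 192.0.2.20 port 2599 ssh2",
    "sshd[16441]: Failed password for invalid user eve from 192.0.2.10 port 40123 ssh2",
    "PAM_unix[23085]: check pass; user unknown",
    "PAM_unix[21628]: authentication failure; (uid=0) -> **unknown** for pop3 service",
    "IMP[7443]: FAILED 192.0.2.10 to mail.example.org:143 as carol",
    "sshd[17934]: scanned from 203.0.113.7 with SSH-1.0-SSH_Version_Mapper.  Don't panic.",
]


@dataclass
class FailedLogin:
    service: str
    user: str
    ip: Optional[str]
    host: Optional[str]
    info: str

    def unified(self) -> str:
        """Render the record in the format proposed in the post:
        <service>: login failed for <userid> from <hostname>[ip]: <additional info>
        A hostname or IP the original line did not carry is shown as "-" so the
        gap stays visible instead of being silently dropped."""
        return (f"{self.service}: login failed for {self.user} "
                f"from {self.host or '-'}[{self.ip or '-'}]: {self.info}")


# One pattern per source format. re.search (no leading ^) tolerates a syslog
# "Mon DD HH:MM:SS host " prefix in front of the process tag.
_PROFTPD = re.compile(
    r"proftpd\[\d+\]: \S+ \((?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]\) - USER (?P<user>\S+): "
    r"(?P<info>.+?) from \S+ \[\S+\] to \S+$")
_SSHD = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) (?P<proto>\S+)$")
_PAM_UNIX = re.compile(
    r"PAM_unix\[\d+\]: authentication failure; \((?P<uid>uid=\d+)\) -> "
    r"(?P<user>\S+) for (?P<service>\S+) service$")
_IMP = re.compile(r"IMP\[\d+\]: FAILED (?P<ip>\S+) to (?P<target>\S+) as (?P<user>\S+)$")


def parse_line(line: str) -> Optional[FailedLogin]:
    """Turn one failed-login line into a FailedLogin, or None for anything else
    (the PAM 'check pass' line and the sshd scanner notice are not login failures)."""
    m = _PROFTPD.search(line)
    if m:
        # proftpd prints clienthost[ip] twice; the second copy is dropped here.
        return FailedLogin("proftpd", m["user"], m["ip"], m["host"], m["info"])
    m = _SSHD.search(line)
    if m:
        info = f"failed {m['method']}, port {m['port']} {m['proto']}"
        if m["invalid"]:
            info = "invalid user, " + info
        return FailedLogin("sshd", m["user"], m["ip"], None, info)
    m = _PAM_UNIX.search(line)
    if m:
        # The PAM line names the service but carries no client host or IP at all.
        return FailedLogin(m["service"], m["user"], None, None,
                           f"PAM_unix authentication failure ({m['uid']})")
    m = _IMP.search(line)
    if m:
        return FailedLogin("imp", m["user"], m["ip"], None, f"to {m['target']}")
    return None


def normalize(lines: List[str]) -> List[str]:
    """Rewrite every recognised failed login into the unified format."""
    return [rec.unified() for rec in map(parse_line, lines) if rec is not None]


def failures_by_ip(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Count failed logins per source IP across all services and return the
    sources at or above the threshold; this is the cross-service view that
    separate per-daemon formats make awkward to build."""
    counts = Counter(rec.ip for rec in map(parse_line, lines) if rec and rec.ip)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for entry in normalize(SAMPLE_LINES):
        print(entry)
    print(failures_by_ip(SAMPLE_LINES))
```

Running it prints one unified line per failed login and, with the default threshold of 3, reports the constructed 192.0.2.10 as the one source that failed against proftpd, sshd and IMP; that count is only possible once the three formats have been folded into one record shape. The unmatched PAM "check pass" line and the scanner notice are skipped rather than miscounted.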