Log Samples

Stuff

• Apache Logs
  • Log Samples from Apache
  • Apache Attack samples
• GNU Radius
  • Here is a sample of the accounting records taken from the above documentation:
• Windows Routing and Remote Access logs
• Log Samples from Pam
  • The available formats are:
  • Login sucessful:
  • Session closed:
  • Login failed:
  • Invalid user login attempt:
• Log Samples from sshd
  • Did not receive identification string (occurs during some forms of sshd DoS):
  • Rule to catch multiple instances (insert into local_rules.xml):
  • Software caused connection abort (occurs during some forms of sshd DoS):
  • Rule to help OSSEC recognise this error as nothing serious:
  • Login sucessful:
  • Login failed:
  • Invalid user login attempt:
  • Full scan sample:
• Su log samples
  • OpenBSD:
  • Solaris 10:
  • Slackware:
  • Ubuntu:
• Messages from useradd, userdel, etc
  • Suse Linux useradd:
  • Suse Linux userdel:
  • useradd&passwd fail:
• Linux Logs
  • Cron/Crontab Log Samples
  • dpkg logs:
  • Log Samples from the Linux kernel
  • Log Samples from pacman
  • Log Samples for rshd
  • SELinux
  • Log Samples from S.M.A.R.T
  • Log samples for syslogd
  • Log samples for errors on xfs partitions:
  • Yum log samples
• Windows Logs
  • IIS Logs
• Log Samples from BSD systems
  • OpenBSD file system full:
  • FreeBSD authentication failures:
  • FreeBSD NTP sync messages:
• Log entries in asl.log on OSX
  • Sudo:
  • sshd:
  • Cron:
  • Software Update:
  • Postfix:
  • Configd:
  • Crashdump:
  • Launchd:
• OS X IPFW Log Samples
• Log samples Mac
  • Authentication failure:
• FTP Logs
  • Microsoft FTPD examples
  • Log Samples from ProFTPD
  • Log Samples from Pure-FTPD
  • Log Samples from Solaris/HP-UX FTPD
  • Log Samples from vsftpd
  • Log Samples from xferlog (by default at /var/log/xferlog)
• Nessus scan in a web server log
  • How ossec would alert
• Misc. Logs
  • Amavis Logs
  • Log Samples from Aruba Wireless
  • Log Samples from Asterisk
  • Log samples from ClamAV
  • Log Samples for Dell OpenManage
  • Log samples for HP-UX cimserver
  • Stunnel Logs
  • TightVNC Logs
  • Log Samples for Wordpress
• Cisco Logs
  • Log samples for the Cisco IDS/IPS module for IOS
  • Cisco IOS Samples
  • Cisco PIX Logs
  • Cisco Secure ACS
• Log Samples for MySQL
  • Notes:
  • Startup:
  • Shutdown:
  • Error:
• Log Samples for PostgreSQL
  • Login/Logout:
  • Log messages:
  • Query log:
  • Query error:
  • Authentication error:
• Log Samples from PHP
  • php-cgi log:
• Urlscan Log samples
• Log Samples from Named
  • Some information about named logs can be found at:
  • Query cache denied (attempt to use server not authorized):
  • Fatal errors:
  • Zone transfer errors:
• Log samples for Checkpoint
  • Sample 1:
  • Sample 2:
• Log Samples from iptables
  • Martian log enabled:
  • UDP warning (netfilter module):
  • TCP shrunk window (netfilter module):
• Microsoft ISA Server
• Log Samples from the Netscreen Firewall
  • Traffic denied:
  • Alert messages:
  • Critical messages:
  • Admin login:
• Log samples from PF
• Log Samples from SonicWall
  • General logs:
  • Dropped events:
• Samples for the Windows firewall
  • Fields:
  • Firewall drop:
  • Firewall Accept:
  • Large sample:
  • Sample 2:
• WIPFW
• Zone Alarm (free version) Log samples
  • Filename = ZALog.txt:
  • More log samples showing different kinds of entries:
• Courier Log samples
  • Pop3 Login failed:
  • Pop3d-ssl Login failed:
  • Imapd Login failed:
  • Valid logins:
• Dovecot log samples
  • IMAP:
  • Login:
  • Error time change:
  • Logout/Connection close:
  • Error auth:
  • Attacks:
  • POP3:
  • Login:
  • Logout/Connection close:
  • Error time change:
  • Error auth:
  • AUTH:
  • Error time change:
  • Errors:
  • OTHERS:
• Exchange Log Samples
  • W3C Extended format:
  • NCSA format:
• Log Samples from Exim
  • I’ve included the ossec bad responses:
• Log Samples from imapd
  • Failed logins:
• Log Samples for postfix
  • Postfix internal error:
  • Email rejected (source blacklisted):
  • Spam attempts:
  • Insufficient storage:
  • Some postfix errors:
• Log Samples from Sendmail
  • Error code 553, rejected due to spam:
  • Connection rate limit exceeded (421 4.3.2):
  • Pre-greeting traffic (rejected):
  • SMF-SAV Sendmail Milter decoder:
  • Save mail panic:
• Log Samples for VM-POP3d
• Log Samples from vpopmail
  • Failed logins:
  • Invalid user:
  • Full samples:
  • Brute Force Attack:
  • Succesfull login:
  • Bad password:
  • or if no password given:
  • Invalid user:
• Log Samples for VMware ESX
  • From /var/log/vmware/hostd.log:
  • From /var/log/secure (user logins, etc):
• Web Scan sample 2
  • Example of web scan detected by ossec (looking for Wordpress, xmlrpc and awstats):
  • Web scan sample 4:
  • SSHD brute force:
  • FTP Scan:
  • Multiple firewall denies on the Windows firewall:
  • Multiple spam attempts:
  • SQL Injection attempt detected:
  • Internal system possibly compromised with IrnBot:
  • E-mail scan (vpopmail):
  • File system full:
  • Custom SQL injection against ossec.net:
  • Application being installed:
  • Virtual machine being shut down: