Log Samples from PAM

Logs from pam_unix come in different formats depending on the operating system, which can cause a lot of trouble when parsing them.

The available formats are:

process_name(pam_unix)[pid]:
process_name[pid]: (pam_unix)
process_name: pam_unix(process_name):

Login successful:

Jul  7 10:51:24 srbarriga su(pam_unix)[14592]: session opened for user test2 by (uid=10101)
Jul  7 10:52:14 srbarriga sshd(pam_unix)[17365]: session opened for user test by (uid=508)
Nov 17 21:41:22 localhost su[8060]: (pam_unix) session opened for user root by (uid=0)
Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4

Session closed:

Jul  7 10:53:07 srbarriga su(pam_unix)[14592]: session closed for user test

Login failed:

Jul  7 10:55:56 srbarriga sshd(pam_unix)[16660]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.20.111  user=root
Jul  7 10:59:12 srbarriga vsftpd(pam_unix)[25073]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.20.111

Invalid user login attempt:

Jul  7 10:59:49 srbarriga vsftpd(pam_unix)[25073]: check pass; user unknown
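
One way to normalize the three prefix formats into a single record, as an added example (not code from this page or from any particular log analysis tool). The function name, field names and event labels are hypothetical, and the optional "[pid]" in the third format is an assumption that goes beyond the sample shown here.

```python
import re

# Syslog header: "Mon DD HH:MM:SS host", then the program tag and message.
HEADER = re.compile(r'^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<rest>.*)$')
PROC = r'(?P<proc>[^\s(\[:]+)'
# The three pam_unix prefix layouts listed on this page, tried in order.
PREFIXES = [
    re.compile(PROC + r'\(pam_unix\)\[(?P<pid>\d+)\]: (?P<msg>.*)$'),
    re.compile(PROC + r'\[(?P<pid>\d+)\]: \(pam_unix\) (?P<msg>.*)$'),
    # Assumption: a "[pid]" may precede the colon here; the page's sample has none.
    re.compile(PROC + r'(?:\[(?P<pid>\d+)\])?: pam_unix\([^)]*\): (?P<msg>.*)$'),
]
EVENTS = [
    ("session_opened", re.compile(r'session opened for user (?P<user>\S+)')),
    ("session_closed", re.compile(r'session closed for user (?P<user>\S+)')),
    ("auth_failure", re.compile(r'authentication failure;')),
    ("unknown_user", re.compile(r'check pass; user unknown')),
]

def parse_pam_unix(line):
    """Normalize one syslog line; return None if it is not a pam_unix record."""
    head = HEADER.match(line)
    if not head:
        return None
    m = next((hit for hit in (p.match(head["rest"]) for p in PREFIXES) if hit), None)
    if not m:
        return None
    rec = {"host": head["host"], "process": m["proc"],
           "pid": int(m["pid"]) if m["pid"] else None,
           "event": "other", "user": None, "rhost": None}
    for name, pattern in EVENTS:
        ev = pattern.match(m["msg"])
        if ev:
            rec["event"] = name
            rec["user"] = ev.groupdict().get("user")
            break
    if rec["event"] == "auth_failure":
        # key=value pairs; empty values such as "ruser=" become None.
        fields = dict(re.findall(r'(\w+)=(\S*)', m["msg"]))
        rec["user"] = fields.get("user") or None
        rec["rhost"] = fields.get("rhost") or None
    return rec

# Sample lines copied from this page, one per prefix layout.
SAMPLES = [
    "Jul  7 10:51:24 srbarriga su(pam_unix)[14592]: session opened for user test2 by (uid=10101)",
    "Nov 17 21:41:22 localhost su[8060]: (pam_unix) session opened for user root by (uid=0)",
    "Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4",
]
```

Calling parse_pam_unix on each entry of SAMPLES yields records with the same keys regardless of which prefix layout the line used.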
