diff -ur log.d/conf/services/secure.conf log.d.new/conf/services/secure.conf --- log.d/conf/services/secure.conf Sun Mar 31 18:03:51 2002 +++ log.d.new/conf/services/secure.conf Wed Jan 28 09:17:31 2004 @@ -23,7 +23,7 @@ # It is commented out by default, but you can uncomment it # and ignore as many services as you would like. # (we ignore sshd because its entries are processed by the sshd script) -$ignore_services = sshd +$ignore_services = sshd sshd2 ######################################################## # This was written and is maintained by: diff -ur log.d/conf/services/sshd2.conf log.d.new/conf/services/sshd2.conf --- log.d/conf/services/sshd2.conf Sun Mar 31 18:03:51 2002 +++ log.d.new/conf/services/sshd2.conf Wed Jan 28 09:11:54 2004 @@ -13,7 +13,7 @@ # No = False = Off = 0 # Which logfile group... -LogFile = messages +LogFile = secure # Only give lines pertaining to the mountd service... *OnlyService = sshd2 diff -ur log.d/scripts/services/sshd2 log.d.new/scripts/services/sshd2 --- log.d/scripts/services/sshd2 Sun Mar 31 18:03:51 2002 +++ log.d.new/scripts/services/sshd2 Wed Jan 28 09:31:02 2004 
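Review bot: The comment directly above the changed `$ignore_services` line in secure.conf still explains only sshd, so the reason for adding sshd2 is undocumented. It could read `# (we ignore sshd and sshd2 because their entries are processed by the sshd and sshd2 scripts)`. With this change the secure report drops every sshd2 line, so sshd2 authentication events are reported only when the sshd2 service script is enabled and runs. That dependency is worth stating in the same comment.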
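Review bot: Switching `LogFile` from `messages` to `secure` in sshd2.conf assumes sshd2 on every host logs to the facility that syslog routes to the secure group. Where it still logs to messages, the sshd2 report would silently come up empty. If this logwatch version accepts several `LogFile` lines (not visible here), listing both groups would avoid that; otherwise a comment such as `# sshd2 must log to the facility routed to the "secure" logfile group` records the requirement. The context line `# Only give lines pertaining to the mountd service...` looks like a copy-paste leftover and could name sshd2 while the file is being touched.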
@@ -24,20 +24,32 @@ while (defined($ThisLine = )) { if ( ($ThisLine =~ /^Daemon is running.$/) or ($ThisLine =~ /^Listener created on port .*$/) or + ($ThisLine =~ /^Starting daemon in inetd mode.$/) or + ($ThisLine =~ /^Local disconnected: Connection closed.$/) or + ($ThisLine =~ /^Now running on .*?'s privileges.$/) or + ($ThisLine =~ /^connection lost: 'Connection closed.'$/) or + ($ThisLine =~ /^connection from ".*?"$/) or + ($ThisLine =~ /^User oracle's local password accepted.$/) or + ($ThisLine =~ /^Password authentication for user .*? accepted.$/ ) or + ($ThisLine =~ /^Public key .*? used.$/ ) or ($ThisLine =~ /^sshd2$/) ) { # don't care about these } elsif ( $ThisLine =~ /^Starting sshd2: $/ ) { $Started++; } - else { + elsif ( $ThisLine =~ /^User (.*?), coming from (.*?), authenticated/ ) { + $Users{$1}++; + $Logins_From{$1} ||= {}; + $Logins_From{$1}->{$2}++; + } else { # Report any unmatched entries... chomp($ThisLine); $OtherList{$ThisLine}++; } } -if ( ($#OtherList >= 0) or (($Detail >= 10) and ($Started)) ) { +if ( defined %Users or defined %OtherList or (($Detail >= 10) and ($Started)) ) { print "\n\n --------------------- Sshd2 Begin ------------------------ \n"; @@ -46,6 +58,15 @@ print " Sshd2 started: $Started Time(s)\n"; } + if ( defined %Users ) { + print "Logins:\n"; + foreach my $user ( sort keys %Users ) { + print " $user: $Users{$user} login(s) from "; + print join ', ', sort keys %{ $Logins_From{$user} }; + print "\n"; + } + } + if (keys %OtherList) { print "\n**Unmatched Entries**\n"; foreach $ThisOne (keys %OtherList) { print "$ThisOne: $OtherList{$ThisOne} Time(s)\n";
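Review bot: The added filter `/^User oracle's local password accepted.$/` hard-codes one account name, so the same message for any other user falls through to the unmatched list. The neighbouring filters use a wildcard, and `/^User .*?'s local password accepted\.$/` would cover every account. Separately, the new report condition `defined %Users or defined %OtherList` applies `defined` to a hash, which is deprecated and a compile error in recent perl releases. The file already tests `keys %OtherList`, so `if ( keys %Users or keys %OtherList or (($Detail >= 10) and ($Started)) ) {` is the consistent form, and the same applies to `if ( defined %Users )` in the following hunk. The report block opened by this `if` continues outside the hunk.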
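Review bot: The new Logins block prints only the host names for each user, although the parsing hunk stores a per-host count in `$Logins_From{$1}->{$2}` that is never shown. Printing it helps a reader spot a single login from an unfamiliar source, e.g. `print join ', ', map { "$_ ($Logins_From{$user}{$_})" } sort keys %{ $Logins_From{$user} };`. The heading `print "Logins:\n";` also lacks the leading blank line and indentation that the surrounding report lines use. The enclosing report `if` block starts and ends outside this hunk.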