  1. #1
    Just Joined!
    Join Date
    Aug 2009
    Posts
    15

    capture blank field in /var/log/secure

    Hello all,

    An unsuccessful login via a tty by a known user and an unknown user will generate an almost exact line in /var/log/secure with the exception of the last field. To see this specifically do Ctrl-Alt-F2, for example. Now login with a known user and log out. Next attempt a login with a bogus user name which fails. Go back to your GUI environment (Ctrl-Alt-F7) and then tail /var/log/secure. For the known user the last field will be "user=some_name_here". The unknown user will not have a "user=" field.

    How do I capture the two via different variables in bash?

    For example:
    KNOWN_USER=`syntax that finds the user= field.`
    echo There is a user= field and the user is mmouse.

    UNKNOWN_USER=`syntax that does NOT find the user= field`
    echo There is NO user= field and an unknown user tried to login.

    I've been exploring using sed to grab (or not grab) that last field, but haven't hit upon the right syntax yet.

    If some of you better scripters have ideas it would be super to hear from you.

    Thanks.

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,281
    Not sure I understand what you are seeing. I can see both the successful user attempt and the unknown user's unsuccessful login attempt with user names. Can you post an example?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Aug 2009
    Posts
    15
    Hi LD.
    Sure.

    From /var/log/secure.

    Here is what you get with a valid user.
    Jan 7 09:01:07 wks90 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=george

    Here is what you get with an INVALID user:
    Jan 7 09:01:15 wks90 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=


    There are other entries in /var/log/secure that show the name of the INVALID user, but this is the only one that shows what tty the attempt was made on. That is why I am trying to capture that line so I can grab the specific tty info. But I don't want to grab the line that shows george because I am a valid user.

  4. #4
    Just Joined!
    Join Date
    Aug 2009
    Posts
    15
    You might just say grab all the lines with a grep statement and put it all into one file. What I am doing is creating a webpage with contents echoed in from /var/log/secure for our security people. They don't have time to glean through all the contents of /var/log/secure and pick out things. So this will grab the necessary lines and put them under nice and big headers like:

    SUCCESSFUL LOGIN ATTEMPTS MADE VIA TTY

    user= george

    Total = 1


    UNSUCCESSFUL LOGIN ATTEMPTS MADE VIA TTY

    Total = 1

    (the next section of the webpage will show what user name was used.)

  5. #5
    Just Joined!
    Join Date
    Aug 2009
    Posts
    15
    Sorry .... dupe entry deleted.

  6. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,281
    You cannot just look at one line as failed logins create 4 lines in my log as follows:

    Code:
    Jan  7 22:42:26 bms login: pam_unix(login:auth): check pass; user unknown
    Jan  7 22:42:26 bms login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
    Jan  7 22:42:26 bms login: pam_succeed_if(login:auth): error retrieving information about user test
    Jan  7 22:42:27 bms login: FAILED LOGIN 1 FROM (null) FOR test, User not known to the underlying authentication module
    Here is another test done:

    Code:
    Jan  7 22:46:01 bms login: pam_unix(login:auth): check pass; user unknown
    Jan  7 22:46:01 bms login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
    Jan  7 22:46:01 bms login: pam_succeed_if(login:auth): error retrieving information about user test2
    Jan  7 22:46:03 bms login: FAILED LOGIN 1 FROM (null) FOR test2, User not known to the underlying authentication module
    Maybe you should be looking at the FAILED LOGIN line in the logs instead of the line you are looking at.

    Regards
    Robert

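The following is an added example, not code posted by anyone in this thread. It does what posts #3 and #4 ask for (separate the pam_unix tty failure line that ends in "user=<name>" from the one that does not, and pull the tty out of each) and follows post #6 in taking the attempted name from the FAILED LOGIN line, which is the only line that carries it for an unknown user. The log lines below are constructed for the example in the same format the posters showed; the hostname wks90, the user names and the sshd line are assumptions. Every function reads log text on stdin so it can be fed with tail or cat /var/log/secure.

```bash
#!/bin/bash
# Added example (not from the original thread): classify console login
# failures in /var/log/secure and build the plain-text report described
# in post #4. Sample log is constructed for this example, not a real host.

SAMPLE_LOG='Jan  7 09:00:30 wks90 login: pam_unix(login:session): session opened for user george by LOGIN(uid=0)
Jan  7 09:01:07 wks90 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=george
Jan  7 09:01:15 wks90 login: pam_unix(login:auth): check pass; user unknown
Jan  7 09:01:15 wks90 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Jan  7 09:01:15 wks90 login: pam_succeed_if(login:auth): error retrieving information about user test
Jan  7 09:01:17 wks90 login: FAILED LOGIN 1 FROM (null) FOR test, User not known to the underlying authentication module
Jan  7 09:02:40 wks90 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty3 ruser= rhost=
Jan  7 09:02:42 wks90 login: FAILED LOGIN 1 FROM (null) FOR bogus, User not known to the underlying authentication module
Jan  7 09:03:00 wks90 sshd[4321]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=george'

# Only login(1) auth failures on a real console tty. sshd writes an almost
# identical line with tty=ssh, which must not be counted as a tty attempt.
tty_auth_failures() {
    grep -E 'login: pam_unix\(login:auth\): authentication failure;.* tty=tty[0-9]+ '
}

# Known user: the line ends in " user=<name>". Prints "tty name".
known_user_failures() {
    tty_auth_failures | sed -n -E 's/.* tty=(tty[0-9]+) .* user=([^ ]+)$/\1 \2/p'
}

# Unknown user: no user= field at all (line ends at rhost=). Prints the tty.
unknown_user_failures() {
    tty_auth_failures | grep -v ' user=' | sed -n -E 's/.* tty=(tty[0-9]+) .*/\1/p'
}

# The name that was actually typed for an unknown user is only on the
# "FAILED LOGIN ... FOR <name>," line (post #6).
failed_login_names() {
    sed -n -E 's/.* FAILED LOGIN [0-9]+ FROM .* FOR ([^,]+),.*/\1/p'
}

# A successful console login shows up as a session opened by LOGIN.
successful_tty_logins() {
    sed -n -E 's/.*pam_unix\(login:session\): session opened for user ([^ ]+) by LOGIN.*/\1/p'
}

# Count non-empty lines; prints 0 (and still exits 0) on empty input,
# unlike `wc -l` on a lone newline.
count_lines() { grep -c . || true; }

# Plain-text version of the report in post #4. Argument: log file path.
report() {
    local log="${1:-/var/log/secure}"
    echo "SUCCESSFUL LOGIN ATTEMPTS MADE VIA TTY"
    successful_tty_logins <"$log" | sed 's/^/user= /'
    echo "Total = $(successful_tty_logins <"$log" | count_lines)"
    echo
    echo "UNSUCCESSFUL LOGIN ATTEMPTS MADE VIA TTY"
    known_user_failures <"$log" | sed -E 's/^(tty[0-9]+) (.*)$/\1 known user=\2/'
    unknown_user_failures <"$log" | sed 's/$/ unknown user/'
    echo "Total = $(tty_auth_failures <"$log" | count_lines)"
    echo
    echo "USER NAMES TRIED ON FAILED LOGINS"
    failed_login_names <"$log"
}

# Stand-alone run over the constructed sample; pass a real file to report
# instead, e.g. `report /var/log/secure`.
demo() {
    local tmp
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" >"$tmp"
    report "$tmp"
    rm -f "$tmp"
}

demo
```

The tty line and the FAILED LOGIN line for one attempt share a timestamp but are separate lines, so the report lists ttys and typed names as two sections rather than pairing them; pairing them by timestamp is possible but breaks when two consoles fail in the same second.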
