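# /etc/filter-syslog/oracle -- Syslog filter rules for an Oracle database.
#
# Each rule is "program: /regex/": a syslog line whose program field and
# message both match is dropped from the report.  Every rule in this file
# suppresses something, so the regexes are kept as tight as the log format
# allows (literal dots in addresses and host names escaped, anchors wherever
# the format is fixed) -- a loose rule here hides exactly the login and
# privilege-escalation events this monitoring exists to surface.
#
# Ignore host-based ssh authentication used for database monitoring.
# The address is matched literally (escaped dots), as the other address
# rules in this file already do.
sshd: /^Accepted hostbased for oracle from ::ffff:171\.64\.11\.14 port \d+ ssh2$/
# Ignore cron & at jobs running as the Oracle or ntirety user.
/(crond|CROND)/: /^\((oracle|ntirety)\) CMD /
/(crond|CROND)/: /^\((oracle|ntirety)\) RELOAD \(cron/(oracle|ntirety)\)$/
crontab: /^\((oracle|ntirety)\) (BEGIN EDIT|REPLACE|END EDIT|LIST) \((oracle|ntirety)\)$/
atd(pam_unix): /^session (opened|closed) for user (oracle|ntirety)(| by (oracle|ntirety)\(uid=0\))$/
/usr/bin/crontab: /^\(oracle\) (BEGIN EDIT|REPLACE|END EDIT|LIST) \((oracle|ntirety)\)$/
# Ignore sudo commands run as oracle and assume our sudoers rules are right.
# Only lines recording an executed command ("oracle : TTY=... ; PWD=... ;
# USER=... ; COMMAND=...") are dropped.  A bare "oracle : " prefix would also
# swallow sudo's refusals and failures for this account ("command not
# allowed", "N incorrect password attempts", "user NOT in sudoers"), which
# are precisely the lines that should keep showing up.
sudo: /^\s*oracle : TTY=/
# Ignore su from/to oracle to/from ntirety account
su(pam_unix): /^session (closed|opened) for user ntirety(| by oracle\(uid=\d+\))$/
su(pam_unix): /^authentication failure; .* ruser=ntirety rhost=.* user=oracle$/
su(pam_unix): /^session opened for user oracle by ntirety\(uid=\d+\)$/
su(pam_unix): /^session closed for user oracle$/
su: /^pam_unix\(su-l:session\): session (opened|closed) for user (oracle|ntirety)/
# Ignore from (stumpjumper|its-ntyadmin) (spewing ntirety login errors regularly)
# NOTE(review): the rules below treat authentication failures for ntirety and
# oracle as routine noise, but only when the source is one of the hosts or
# addresses listed; the same failure from anywhere else is still reported.
# (The Kerberos "replay" and "Too many authentication failures" messages
# carry no source and are therefore dropped unconditionally.)  If one of the
# listed hosts is ever compromised, password guessing against these accounts
# from it would be invisible here -- revisit the list whenever those hosts
# change role.
sshd: /^Received disconnect from ::ffff:(171\.67\.208\.25|171\.64\.10\.185|171\.67\.24\.232): 11: (The user disconnected the application|All open channels closed)$/
sshd: /^\(pam_krb5\): ntirety: credential verification failed: Request is a replay$/
# The same pam_unix failure in two syslog spellings: one tagged with the
# program "sshd(pam_unix)", one tagged "sshd" with the module name inside the
# message.  The second form is deliberately unanchored at the start so that
# any "pam_unix(sshd:...)" prefix is tolerated.  The host name is matched
# literally; the duplicate copy of this rule has been removed.
sshd(pam_unix): /authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=(stumpjumper|its-ntyadmin)\.stanford\.edu user=(ntirety|oracle)$/
sshd: /authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=(stumpjumper|its-ntyadmin)\.stanford\.edu user=(ntirety|oracle)$/
sshd: /^Failed password for ntirety from (::ffff:)?(171\.64\.10\.185|171\.67\.24\.232|171\.67\.208\.25) port \d+ ssh2$/
# NOTE(review): the trailing ".*" is presumably there to absorb the Kerberos
# realm after the principal, but it also matches any principal that merely
# begins with one of these names.  Tighten it once the exact principal
# format in these logs is confirmed.
sshd: /^pam_krb5\(sshd\): user (ntirety|oracle) authenticated as (jhussey|chapmci1|fabianek).*/
sshd: /^pam_krb5\(sshd(:auth)?\): authentication failure; logname=ntirety .* ruser= rhost=(stumpjumper|its-ntyadmin)/
sshd: /^pam_krb5\(sshd(:auth)?\): \(user ntirety\) credential verification failed: Request is a replay/
# NOTE(review): this sshd message carries no source address, so it is dropped
# no matter where the failures came from.  The individual "Failed password"
# lines from unlisted hosts are still reported, so the event is not lost
# entirely.
sshd: /^Disconnecting: Too many authentication failures for ntirety/
sshd(pam_unix): /^\d+ more authentication failures; logname= uid=0 euid=0 ruser= rhost=(stumpjumper|its-ntyadmin)\.stanford\.edu user=ntirety/
sshd: /^Failed password for invalid user Ntirety from (171\.67\.208\.25|171\.67\.24\.232)/
sshd: /^Invalid user Ntirety from (171\.67\.208\.25|171\.67\.24\.232)/
sshd: /^Postponed keyboard-interactive for (oracle|ntirety) from (::ffff:)?(171\.67\.208\.25|171\.67\.24\.232)/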