Skip to content

Pluggable Authentication Modules (PAM)

Linux Pluggable Authentication Modules (PAM) is a suite of libraries that allows a Linux system administrator to configure methods to authenticate users. It provides a flexible and centralized way to switch authentication methods for secured applications by using configuration files instead of changing application code. There are Linux PAM libraries allowing authentication using methods such as local passwords, LDAP, or fingerprint readers. Linux PAM is evolved from the Unix Pluggable Authentication Modules architecture.

These PAM log messages are logged by the linux kernel to /var/log/auth.log and must be read from there. Syslog-ng or similar should be configured to read log messages from this file and forward those messages to the LogZilla server.

Rule Function

The purpose of this rule is to set various user tags for the fields in the PAM log messages.

Vendor Documentation

Log Source Details

Item Value
Vendor any linux distribution
Device Type linux OS
Supported Software Version(s) any distribution with PAM and syslog-ng
Collection Method Syslog
Configurable Log Output? no
Log Source Type linux syslog
Exceptions N/A

Currently Supported Log Types

The log format is a standard linux kernel syslog log message. There are no key-value pairs and minimal space-separated values. The log message should be in the following format:

pam_unix(<process name>:<context>): <authentication message>

The <authentication message> should be in one of the following two formats:

session <action> for user <user>
authentication failure; logname= uid=0
euid=0 tty=<tty> ruser= rhost=<src host>  user=<user>

Parsed Metadata Fields

The PAM log messages do not have key-value pairs and fixed fields are minimal. The data values parsed from the PAM message are:

Tagged Field Tag Name Example Description
<process name> sudo process name initiating the PAM request
<action> PAM Action opened session opened or closed
<user> PAM User Tracking root user account being authenticated
<tty> PAM tty ssh terminal originating PAM request
<rhost> PAM Remote Host host originating PAM request
<ruser> PAM Remote User vmuser user originating PAM request

High-Cardinality (HC) Tags

  • PAM Remote Host

Log Examples

Feb  3 19:08:47 ubuntu-server-vm login[708]: pam_unix(login:session): session opened for user vmuser by LOGIN(uid=0)
Feb  3 19:08:47 ubuntu-server-vm systemd[1019]: pam_unix(systemd-user:session): session opened for user vmuser by (uid=0)
Feb  3 19:14:06 ubuntu-server-vm sudo[2302]: pam_unix(sudo:session): session opened for user root by vmuser(uid=0)
Feb  3 19:14:10 ubuntu-server-vm sudo[2302]: pam_unix(sudo:session): session closed for user root
Feb  3 20:09:30 ubuntu-server-vm sshd[4310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=vmuser
Feb  3 20:13:31 ubuntu-server-vm sshd[4338]: pam_unix(sshd:session): session opened for user vmuser by (uid=0)