Linux Pam

LogZilla App Store application: Linux Pam

Overview

Linux Pluggable Authentication Modules (PAM) is a suite of libraries that allows system administrators to configure authentication methods for users. PAM provides a flexible and centralized way to manage authentication across secured applications and services.

App Function

  • Parse pam_unix authentication log messages
  • Extract session events (opened/closed) and authentication failures
  • Track users, remote hosts, and TTY devices
  • Set Vendor: Linux and Product: PAM tags for filtering
  • Categorize events with Event Class: auth
  • Alert on authentication failures and root session access

Vendor Documentation

Device Configuration

PAM log messages are written to /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS). Configure syslog forwarding to send these logs to LogZilla:

  1. Edit the syslog configuration (e.g., /etc/rsyslog.d/logzilla.conf)

  2. Add a rule to forward auth logs:

     ```text
     auth,authpriv.*    @logzilla-server:514
     ```

  3. Restart the syslog service:

     ```bash
     sudo systemctl restart rsyslog
     ```

Verification

Trigger an authentication event (e.g., SSH login) and verify events appear in LogZilla with the message containing pam_unix.

Incoming Log Format

PAM log messages follow this format:

```text
pam_unix(<process>:<context>): <message>
```

  • process - Service name (sshd, sudo, login, systemd-user)
  • context - PAM context (session, auth)
  • message - Event description

Parsed Metadata Fields

| Tag Name | Example | Description |
|---|---|---|
| Vendor | Linux | Vendor name |
| Product | PAM | Product name |
| Event Class | auth | Cross-vendor event classification |
| Event Type | login_failure | Specific event type (login_failure, session_start, session_end) |
| PAM Action | session opened | Authentication action or failure message |
| PAM User Tracking | vmuser | User being authenticated |
| User | vmuser | Username (same as PAM User Tracking) |
| Process | sshd | Process handling the session |
| Status | opened | Session status |
| PAM TTY | ssh | Terminal device (auth failures only) |
| PAM Remote Host | 192.168.250.2 | Remote host address (auth failures only) |
| PAM Remote User | admin | Remote username (auth failures only) |
| DstIP | 10.0.0.1 | Destination IP address (session logs) |

Log Examples

Session Opened

```text
pam_unix(sshd:session): session opened for user vmuser by (uid=0)
```

Session Closed

```text
pam_unix(sudo:session): session closed for user root
```

Authentication Failure

```text
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.250.2  user=vmuser
```

Triggers

| Trigger | Description |
|---|---|
| PAM: Authentication Failure | Authentication failures - potential brute force |
| PAM: Root Session Opened | Root session opened - privilege escalation monitoring |
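To make the message format, the parsed fields and the two triggers above concrete, here is an added Python example that is not LogZilla's own code and does not reflect how the app's rules are implemented internally. It parses `pam_unix(<process>:<context>): <message>` lines into the fields listed in the Parsed Metadata Fields table, classifies them as `session_start`, `session_end` or `login_failure`, attaches the Vendor/Product/Event Class tags, and reports which of the two triggers each event would fire. The sample lines are constructed from the Log Examples section (the root-session line and the non-PAM kernel line are added to exercise the trigger and the "ignore other messages" path); the `by_user` handling is an assumption for PAM builds that log `by root(uid=0)` instead of `by (uid=0)`.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample messages, modelled on the page's log examples. The root
# session line exercises the second trigger; the kernel line must be ignored.
SAMPLE_LOGS = [
    "pam_unix(sshd:session): session opened for user vmuser by (uid=0)",
    "pam_unix(sudo:session): session closed for user root",
    "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 "
    "tty=ssh ruser= rhost=192.168.250.2  user=vmuser",
    "pam_unix(sshd:session): session opened for user root by (uid=0)",
    "kernel: usb 1-1: new high-speed USB device",
]

# pam_unix(<process>:<context>): <message>  (search, not match, so a syslog
# prefix such as "sshd[123]: " before pam_unix( does not break parsing)
HEADER_RE = re.compile(
    r"pam_unix\((?P<process>[^:()]+):(?P<context>[^()]+)\):\s*(?P<message>.*)$"
)
# "session opened for user vmuser by (uid=0)" / "session closed for user root".
# The optional by_user group is an assumption for builds that log "by root(uid=0)".
SESSION_RE = re.compile(
    r"^session (?P<status>opened|closed) for user (?P<user>\S+)"
    r"(?: by (?P<by_user>\S*?)\(uid=(?P<uid>\d+)\))?"
)
# key=value pairs in the failure message; values may be empty (logname=, ruser=)
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class PamEvent:
    process: str
    context: str
    message: str
    event_type: str                 # login_failure | session_start | session_end | other
    user: Optional[str] = None
    status: Optional[str] = None    # opened | closed (session events only)
    tty: Optional[str] = None       # auth failures only
    rhost: Optional[str] = None     # auth failures only
    ruser: Optional[str] = None     # auth failures only
    tags: dict = field(default_factory=lambda: {
        "Vendor": "Linux", "Product": "PAM", "Event Class": "auth"})


def parse_pam_line(line: str) -> Optional[PamEvent]:
    """Return a PamEvent for a pam_unix line, or None if the line is not one."""
    hdr = HEADER_RE.search(line)
    if not hdr:
        return None
    process, context, message = hdr.group("process", "context", "message")
    ev = PamEvent(process=process, context=context, message=message, event_type="other")

    sess = SESSION_RE.match(message)
    if sess:
        ev.status = sess.group("status")
        ev.user = sess.group("user")
        ev.event_type = "session_start" if ev.status == "opened" else "session_end"
        return ev

    if message.startswith("authentication failure"):
        kv = dict(KV_RE.findall(message))
        ev.event_type = "login_failure"
        # Empty values such as "ruser=" are recorded as None rather than "".
        ev.user = kv.get("user") or None
        ev.tty = kv.get("tty") or None
        ev.rhost = kv.get("rhost") or None
        ev.ruser = kv.get("ruser") or None
    return ev


def evaluate_triggers(ev: PamEvent) -> list[str]:
    """Names of the page's two triggers that this event would fire."""
    fired = []
    if ev.event_type == "login_failure":
        fired.append("PAM: Authentication Failure")
    if ev.event_type == "session_start" and ev.user == "root":
        fired.append("PAM: Root Session Opened")
    return fired


def process_logs(lines) -> list[tuple[PamEvent, list[str]]]:
    """Parse every pam_unix line and pair it with the triggers it fires."""
    out = []
    for line in lines:
        ev = parse_pam_line(line)
        if ev is not None:
            out.append((ev, evaluate_triggers(ev)))
    return out


if __name__ == "__main__":
    for ev, fired in process_logs(SAMPLE_LOGS):
        print(f"{ev.event_type:14} process={ev.process:6} user={ev.user} "
              f"tty={ev.tty} rhost={ev.rhost} triggers={fired}")
```

Running the block prints one line per PAM event; the kernel line is dropped, the first failure line carries tty/rhost/user, and only the `root` session-opened line fires the second trigger. Feeding it real `/var/log/auth.log` lines is a quick way to confirm the formats your PAM build emits before relying on the app's fields and triggers.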