Logcheck rules for dropbear (Debian 7.1 – wheezy)

^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dropbear\[[[:digit:]]+\]: Child connection from [.:[:xdigit:]]+:[[:digit:]]+$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dropbear\[[[:digit:]]+\]: Pubkey auth succeeded for '[[:alnum:]-]+' with key md5 ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2} from [.:[:xdigit:]]+:[[:digit:]]+$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dropbear\[[[:digit:]]+\]: password auth succeeded for '[[:alnum:]-]+' from [.:[:xdigit:]]+:[[:digit:]]+$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dropbear\[[[:digit:]]+\]: Exit \([[:alnum:]-]+\): Disconnect received$
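
An added check, not part of the original post: the script below runs the four rules over constructed sample lines with `grep -E -v -f`, on the assumption that logcheck drops every line an ignore rule matches, and prints what would still be reported. The host name, accounts, addresses and function names are made up for the example.

```shell
#!/bin/sh
# Which constructed sample lines survive the four ignore rules from this page?

write_rules() {  # the four rules above, verbatim
cat <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dropbear\[[[:digit:]]+\]: Child connection from [.:[:xdigit:]]+:[[:digit:]]+$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dropbear\[[[:digit:]]+\]: Pubkey auth succeeded for '[[:alnum:]-]+' with key md5 ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2} from [.:[:xdigit:]]+:[[:digit:]]+$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dropbear\[[[:digit:]]+\]: password auth succeeded for '[[:alnum:]-]+' from [.:[:xdigit:]]+:[[:digit:]]+$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dropbear\[[[:digit:]]+\]: Exit \([[:alnum:]-]+\): Disconnect received$
EOF
}

write_sample_log() {  # constructed syslog lines using documentation addresses
cat <<'EOF'
Jun 14 10:22:31 gw1 dropbear[2301]: Child connection from 192.0.2.10:51234
Jun 14 10:22:33 gw1 dropbear[2301]: Pubkey auth succeeded for 'alice' with key md5 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff from 192.0.2.10:51234
Jun 14 10:25:02 gw1 dropbear[2301]: Exit (alice): Disconnect received
Jun  4 03:11:09 gw1 dropbear[2410]: Bad password attempt for 'root' from 198.51.100.7:40022
Jun  4 03:12:40 gw1 dropbear[2411]: password auth succeeded for 'deploy_bot' from 192.0.2.20:50110
EOF
}

# Print the sample lines that no rule matches, i.e. what would still be reported.
reported_lines() {
    rules=$(mktemp) || return 1
    write_rules > "$rules"
    write_sample_log | grep -E -v -f "$rules"
    rm -f "$rules"
}

reported_lines
```

The last sample line stays in the report because `[[:alnum:]-]+` does not match the underscore in the account name, so successful logins for such accounts are not silenced by these rules.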
