From b6ed5cf203eb15f40151436bc818d6547663f824 Mon Sep 17 00:00:00 2001
From: Alex Malek
Date: Thu, 22 Jul 2021 15:30:42 -0400
Subject: [PATCH 1/3] fix pam auth always being logged as success

---
 bin/pgaudit_analyze | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/bin/pgaudit_analyze b/bin/pgaudit_analyze
index eee83fe..d3d41e9 100755
--- a/bin/pgaudit_analyze
+++ b/bin/pgaudit_analyze
@@ -106,6 +106,11 @@ use constant
 STATE_ERROR => 'error'
 };
 
+use constant
+{
+ PAM_ERROR => 'pam_authenticate failed:'
+};
+
 use constant
 {
 true => 1,
@@ -318,6 +323,7 @@ sub sessionGet
 my $strConnectionFrom = shift;
 my $strCommandTag = shift;
 my $strErrorSeverity = shift;
+ my $strMessage = shift;
 
 # Set connection from to a default if not defined yet
 if (!defined($strApplicationName))
@@ -336,7 +342,8 @@ sub sessionGet
 
 # Set state to ERROR on authentication failure
 if (defined($strCommandTag) && lc($strCommandTag) eq COMMAND_TAG_AUTHENTICATION &&
- defined($strErrorSeverity) && lc($strErrorSeverity) eq ERROR_SEVERITY_FATAL)
+ ( (defined($strErrorSeverity) && lc($strErrorSeverity) eq ERROR_SEVERITY_FATAL) ||
+ (defined($strMessage) && index($strMessage, PAM_ERROR) == 0 ) ))
 {
 $strState = STATE_ERROR;
 }
@@ -710,7 +717,7 @@ while(!$bDone)
 {
 sessionGet($strSessionId, $lSessionLineNum, $$stryRow[LOG_FIELD_PROCESS_ID], $$stryRow[LOG_FIELD_SESSION_START_TIME],
 $strUserName, $strDatabaseName, $$stryRow[LOG_FIELD_APPLICATION_NAME], $$stryRow[LOG_FIELD_CONNECTION_FROM],
- $$stryRow[LOG_FIELD_COMMAND_TAG], $$stryRow[LOG_FIELD_ERROR_SEVERITY]);
+ $$stryRow[LOG_FIELD_COMMAND_TAG], $$stryRow[LOG_FIELD_ERROR_SEVERITY], $$stryRow[LOG_FIELD_MESSAGE]);
 
 logWrite($strSessionId, $strDatabaseName, $$stryRow[LOG_FIELD_LOG_TIME], $lSessionLineNum,
 defined($$stryRow[LOG_FIELD_COMMAND_TAG]) ? lc($$stryRow[LOG_FIELD_COMMAND_TAG]) : undef,

From 394d5726d8e90c2aed81c760ce77b7d10a13658d Mon Sep 17 00:00:00 2001
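Review bot: The new trailing `$strMessage` parameter of sessionGet is undocumented; nothing in the hunk says what it carries or that it is only consulted for authentication rows. A trailing comment is enough: `my $strMessage = shift;    # full log message text, checked against PAM_ERROR for auth rows`. Since it is read with `shift`, any call site that was not updated passes undef, which the later `defined($strMessage)` guard tolerates. sessionGet begins and ends outside this hunk.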
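Review bot: The rewritten condition lets a message prefix flip the session to STATE_ERROR even when the severity is not FATAL, but neither the code nor the commit message records why severity alone was insufficient, so a later reader cannot tell whether the second arm is intentional. A one-line comment above the `if` should state the reason, e.g. `# A PAM failure is reported on its own non-FATAL log line, so match the message text as well as the severity` (inferred from the fix title; confirm against a sample log). The match is an exact string prefix via `index(...) == 0`, so a message with different leading text, or a server log written in a non-English lc_messages locale, would not be detected and the login would again be summarized as a success. The enclosing sessionGet continues past the hunk.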
From: Alex Malek
Date: Thu, 22 Jul 2021 16:03:23 -0400
Subject: [PATCH 2/3] opps remove artifact from another branch / commit

---
 test/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/README.md b/test/README.md
index f8f0256..3cecf31 100644
--- a/test/README.md
+++ b/test/README.md
@@ -6,5 +6,5 @@ docker build --build-arg UID=$(id -u) --build-arg GID=$(id -g) -f test/Dockerfil
 ```
 Then run the test. The path for the PostgreSQL version to be tested must be supplied:
 ```
-docker run --rm -v $(pwd):/pgaudit-analyze pgaudit-analyze-test /pgaudit-analyze/test/test.pl --pgsql-bin=/usr/lib/postgresql/13/bin
+docker run -v $(pwd):/pgaudit-analyze pgaudit-analyze-test /pgaudit-analyze/test/test.pl --pgsql-bin=/usr/lib/postgresql/13/bin
 ```

From 5be98cbe687a052e2ef880e42c4ab7c79c56e044 Mon Sep 17 00:00:00 2001
From: Alex Malek
Date: Fri, 23 Jun 2023 16:43:27 -0400
Subject: [PATCH 3/3] generalize to catch multiple auth related error messages, add additional error msgs

---
 bin/pgaudit_analyze | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/bin/pgaudit_analyze b/bin/pgaudit_analyze
index 2a2d2d0..0453e6e 100755
--- a/bin/pgaudit_analyze
+++ b/bin/pgaudit_analyze
@@ -106,10 +106,15 @@ use constant
 STATE_ERROR => 'error'
 };
 
-use constant
-{
- PAM_ERROR => 'pam_authenticate failed:'
-};
+####################################################################################################################################
+# Authentication errors that appear as type "LOG" before the type "FATAL" msg is recorded
+####################################################################################################################################
+my @AUTH_ERRORS = (
+ 'pam_authenticate failed:',
+ 'error from underlying PAM layer:',
+ 'could not connect to Ident server at address'
+);
+
 
 use constant
 {
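Review bot: `my @AUTH_ERRORS` is a mutable file-scoped lexical placed between the file's `use constant` blocks, so it reads like a constant but can be modified anywhere in the file; keeping the file's own convention with `use constant AUTH_ERRORS => [ ... ]` (dereferenced as `@{ +AUTH_ERRORS }` at the use site) or a read-only array would make the intent explicit. The entries are English PostgreSQL message texts; as far as I know these server messages are translated when lc_messages is not English, in which case none of them match and a failed login is silently summarized as a success, which is the defect this series set out to fix. That limitation belongs in the header comment: `# NOTE: matched as English message prefixes; logs from a server with a non-English lc_messages will not be detected`. The same list is consumed in the sessionGet hunk of this patch, which inherits the caveat.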
@@ -343,7 +348,7 @@ sub sessionGet
 # Set state to ERROR on authentication failure
 if (defined($strCommandTag) && lc($strCommandTag) eq COMMAND_TAG_AUTHENTICATION &&
 ( (defined($strErrorSeverity) && lc($strErrorSeverity) eq ERROR_SEVERITY_FATAL) ||
- (defined($strMessage) && index($strMessage, PAM_ERROR) == 0 ) ))
+ (defined($strMessage) && grep {$strMessage =~ /^$_/} @AUTH_ERRORS )))
 {
 $strState = STATE_ERROR;
 }
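Review bot: `grep {$strMessage =~ /^$_/} @AUTH_ERRORS` interpolates each list entry into a regex unescaped, so any future entry containing `(`, `.`, `+` or `?` silently changes meaning (the current three happen to be metacharacter-free); the `index` test it replaces was both literal and cheaper. Either quote the entry, `grep { $strMessage =~ /\A\Q$_\E/ } @AUTH_ERRORS`, or keep the literal prefix test, `grep { index($strMessage, $_) == 0 } @AUTH_ERRORS`. Scalar-context `grep` also evaluates every entry instead of stopping at the first hit; `any` from List::Util would short-circuit, provided the file already imports it. The enclosing sessionGet begins before this hunk.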