/var/log/auth.log not logging failed ssh attempts

30,146

Solution 1

The LogLevel generally (apparently application dependent) refers to one of the defined severity levels supported by the system logging process (syslog). So change it back and restart the sshd server.

Now if you are not getting the output, you need to look at the system /etc/syslog.conf and see what MINIMUM loglevel the AUTH type of requests are being logged and to what file. The errors might be going to a different log file. OR you might not be logging these errors due to the syslog.conf configuration for the AUTH service. For more information consult the man pages on and syslog.conf.
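Added example, not part of the original answer or of any syslog package: a small shell/awk function that answers the question Solution 1 raises, namely which destination (if any) a selector-style syslog configuration assigns to a message of a given facility and priority. The function name route, the three sample configurations and the premise that sshd's failure messages arrive as facility auth at priority info are assumptions made for this illustration; the "!" negation modifier is not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread). Reads sysklogd/rsyslog selector lines
# ("facility.priority  action") and prints every action that would receive a
# message with the given facility and priority.
# Usage: route FACILITY PRIORITY [FILE...]   (reads stdin when no FILE is given)
route() {
    fac=$1; pri=$2; shift 2
    awk -v fac="$fac" -v pri="$pri" '
    BEGIN {
        n = split("debug info notice warning err crit alert emerg", names, " ")
        for (i = 1; i <= n; i++) rank[names[i]] = i
        rank["warn"] = rank["warning"]; rank["error"] = rank["err"]
    }
    /^[ \t]*#/ || /^[ \t]*[$]/ || NF < 2 { next }   # comments, $directives, blanks
    {
        hit = 0
        np = split($1, parts, ";")
        for (p = 1; p <= np; p++) {
            dot = index(parts[p], ".")
            if (dot == 0) continue                  # not a selector (e.g. ":msg," filter)
            facs = "," substr(parts[p], 1, dot - 1) ","
            level = substr(parts[p], dot + 1)
            if (!index(facs, "," fac ",") && !index(facs, ",*,")) continue
            exact = sub(/^=/, "", level)            # "=info" means exactly info
            # Later selectors on a line override earlier ones for this facility.
            if (level == "none")    hit = 0
            else if (level == "*")  hit = 1
            else if (level in rank) hit = exact ? (rank[pri] == rank[level]) : (rank[pri] >= rank[level])
        }
        if (hit) { sub(/^-/, "", $2); print $2 }    # leading "-" only disables sync
    }' "$@"
}

# Constructed sample configurations (not taken from any real host).
# asker_conf holds the single directive quoted in the comments of this page.
stock_conf()  { printf '%s\n' 'auth,authpriv.*  /var/log/auth.log' \
                              '*.*;auth,authpriv.none  -/var/log/syslog'; }
asker_conf()  { printf '%s\n' '$AddUnixListenSocket /var/spool/postfix/dev/log'; }
strict_conf() { printf '%s\n' 'auth.warning  /var/log/auth.log'; }

for c in stock_conf asker_conf strict_conf; do
    echo "$c: auth.info -> $($c | route auth info | tr '\n' ' ')"
done
```

An empty result for auth.info means no rule writes those messages anywhere, either because no selector names the facility or because the rule's minimum priority is above info.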

Solution 2

When I had the same problem on Debian, I found I had to restart rsyslogd:

/etc/init.d/rsyslog restart

(Your syslogd program may vary.)

Then it started writing to /var/log/auth.log again.

Perhaps it had stopped logging after a disk full event, I'm not sure.

See also: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1059854/comments/9

Solution 3

In my case the problem was with the ownership of the /var/log/auth.log file. It was owned by root:root but must be syslog:adm. Change with

sudo chown syslog:adm /var/log/auth.log

It appears to be a common problem with the newly created systems - there were more log files, which had this issue.

Solution 4

In my case there was no disk space left on the root file-system /, which you can check for with df -h


Author: edev.io

Updated on September 18, 2022

Comments

  • edev.io
    edev.io over 1 year

    I'm trying to log failed ssh attempts (either incorrect username, password, or both) on my server.

    I changed /etc/ssh/sshd_config from

    # Logging
    SyslogFacility AUTH 
    LogLevel INFO
    

    to

    # Logging
    SyslogFacility AUTH 
    LogLevel VERBOSE
    

    and have since tried multiple ssh attempts with both existing and non-existing users with random passwords, thus failing. When checking /var/log/auth.log nothing appears and it is entirely blank.

    What am I missing? Does some other process need to also be installed and running on my system? I'm running Ubuntu.

    Any help or guidance on this matter is more than welcome.

    Thanks

    • bonsaiviking
      bonsaiviking over 11 years
      Did you restart sshd?
    • Stefan Lasiewski
      Stefan Lasiewski over 11 years
      What does your syslog configuration look like? This would probably be a file at /etc/syslog.conf or /etc/rsyslog.conf or /etc/rsyslog.d/*.conf
    • edev.io
      edev.io over 11 years
      @StefanLasiewski the first 2 are empty and /etc/rsyslog.d/*.conf says "$AddUnixListenSocket /var/spool/postfix/dev/log"
    • Stefan Lasiewski
      Stefan Lasiewski over 11 years
      @Georgejnr : If that is the case, it appears that the syslog configuration on your system is broken. There is normally a syslog file under /etc/syslog.conf or /etc/rsyslog.conf , and normally there should be more than one file under /etc/rsyslog.d/*.conf . Does ps aux show a syslog process?
    • edev.io
      edev.io over 11 years
      @StefanLasiewski no it is not listed in ps aux. The previous sysadmin went a little rogue and broke a few things I believe on purpose. Think this could be part of it? How do I go about fixing this issue?
    • Stefan Lasiewski
      Stefan Lasiewski over 11 years
      Try reinstalling rsyslog. Might need to 'remove', 'purge' then reinstall. See superuser.com/questions/102449/…
    • edev.io
      edev.io over 11 years
      I'm going to have to continue this tomorrow at work. The reinstall after purge is failing: invoke-rc.d: initscript rsyslog, action "start" failed. dpkg: error processing rsyslog (--configure) Thanks for your time and I will update once I've had a play :-)
    • edev.io
      edev.io over 11 years
      Hi I installed syslog-ng and that has worked if you want to create an answer around that... thanks for your help and time
  • bonsaiviking
    bonsaiviking over 11 years
    From sshd_config(5) LogLevel: Gives the verbosity level that is used when logging messages from sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
  • edev.io
    edev.io over 11 years
    My /syslog.conf is empty. I must add that I am taking over someone else's system and it seems that they didn't do a very good job of setting it up. Does the lack of syslog.conf mean that I am missing a service? (Thanks for your response.)
  • mdpc
    mdpc over 11 years
    File is in /etc......it is possible that you might not be logging anything.
  • mdpc
    mdpc over 11 years
    About VERBOSE in sshd_config....my mistake, but it's not a syslog log level which is commonly asked for in many of the programs I have dealt with.
  • edev.io
    edev.io over 11 years
    Leaving VERBOSE still in my sshd_config and running sudo /etc/init.d/ssh restart, it still isn't logging. Am I being dumb about something?
  • edev.io
    edev.io over 11 years
    Is there a lag?
  • mdpc
    mdpc over 11 years
    Then you should address it by close examination and modification of your /etc/syslog.conf file.
  • edev.io
    edev.io over 11 years
  • Sky Voyager
    Sky Voyager over 5 years
    What is the full solution? If we haven't syslog?
  • Brian Minton
    Brian Minton over 5 years
    This worked for me, but using systemctl instead to restart the syslog service (Debian sid using inetutils-syslogd). systemctl restart inetutils-syslogd.service