/var/log/auth.log not logging failed ssh attempts
Solution 1
The LogLevel generally (apparently application dependent) refers to one of the defined severity levels supported by the system logging process (syslog). So change it back and restart the sshd server.
Now if you are not getting the output, you need to look at the system /etc/syslog.conf and see what MINIMUM loglevel the AUTH type of requests are being logged and to what file. The errors might be going to a different log file. OR you might not be logging these errors due to the syslog.conf configuration for the AUTH service. For more information consult the man pages on and syslog.conf.
Solution 2
When I had the same problem on Debian, I found I had to restart rsyslogd:
/etc/init.d/rsyslog restart
(Your syslogd program may vary.)
Then it started writing to /var/log/auth.log again.
Perhaps it had stopped logging after a disk full event, I'm not sure.
See also: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1059854/comments/9
Solution 3
In my case the problem was with the ownership of the /var/log/auth.log file. It was owned by root:root but must be syslog:adm. Change with
sudo chown syslog:adm /var/log/auth.log
It appears to be a common problem with the newly created systems - there were more log files, which had this issue.
Solution 4
In my case there was no disk space left on the root file-system /, which you can check for with df -h
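The causes named in the four solutions above, combined into one read-only check script (an added example, not part of the original answers). The function names and the --report flag are made up for this example; /var/log/auth.log and syslog:adm are the values quoted on this page, and INFO and AUTH are sshd's documented defaults.

```shell
#!/bin/sh
# Added example: read-only checks for the causes named in the answers above.
# Paths and the syslog:adm owner are the Ubuntu values quoted on this page.

# Effective global sshd_config value: sshd keeps the first value it reads,
# keywords are case-insensitive, and settings after "Match" are not global.
sshd_setting() {  # usage: sshd_setting KEYWORD DEFAULT FILE
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$3"
}

# True if a config file has a traditional selector line naming the auth
# facility or a wildcard facility (heuristic; RainerScript is not parsed).
has_auth_rule() {  # usage: has_auth_rule FILE...
    awk '!/^[ \t]*[#$]/ && NF >= 2 && $1 ~ /(auth|\*)[a-z,]*\./ { ok = 1 }
         END { exit !ok }' "$@" </dev/null 2>/dev/null
}

# owner:group of a file, read from ls so GNU stat is not required.
owner_of() { ls -ld "$1" | awk '{ print $3 ":" $4 }'; }

# Kilobytes still available on the filesystem that holds a path.
avail_kb() { df -Pk "$1" | awk 'NR == 2 { print $4 }'; }

# True if a syslog daemon named on this page is in the process list.
syslog_running() {
    ps -e -o comm= | grep -Eq '^(rsyslogd|syslogd|syslog-ng)$'
}

report() {
    log=/var/log/auth.log cfg=/etc/ssh/sshd_config
    echo "LogLevel: $(sshd_setting LogLevel INFO "$cfg")"
    echo "SyslogFacility: $(sshd_setting SyslogFacility AUTH "$cfg")"
    syslog_running || echo "PROBLEM: no syslog daemon is running"
    has_auth_rule /etc/syslog.conf /etc/rsyslog.conf /etc/rsyslog.d/*.conf ||
        echo "PROBLEM: no syslog rule routes the auth facility"
    [ "$(owner_of "$log")" = syslog:adm ] ||
        echo "PROBLEM: $log owner is $(owner_of "$log"), expected syslog:adm"
    [ "$(avail_kb /var/log)" -gt 0 ] || echo "PROBLEM: /var/log has no free space"
}

# Run the checks only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--report" ]; then report; fi
```

Run it as root with --report; a configuration holding only the $AddUnixListenSocket directive, as in the question's comments, is reported as having no auth rule.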
edev.io
Updated on September 18, 2022
Comments
-
edev.io over 1 year
I'm trying to log failed ssh attempts (either incorrect username, password, or both) on my server.
I changed /etc/ssh/sshd_config from
# Logging
SyslogFacility AUTH
LogLevel INFO
to
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
and have since tried multiple ssh attempts with both existing and non-existing users with random passwords thus failing. When checking /var/log/auth.log nothing appears and it is entirely blank.
What am I missing? Does some other process need to also be installed and running on my system? I'm running Ubuntu.
Any help or guidance on this matter is more than welcome.
Thanks
-
bonsaiviking over 11 years
Did you restart sshd?
-
Stefan Lasiewski over 11 years
What does your syslog configuration look like? This would probably be a file at /etc/syslog.conf or /etc/rsyslog.conf or /etc/rsyslog.d/*.conf
-
edev.io over 11 years
@StefanLasiewski the first 2 are empty and /etc/rsyslog.d/*.conf says "$AddUnixListenSocket /var/spool/postfix/dev/log"
-
Stefan Lasiewski over 11 years
@Georgejnr : If that is the case, it appears that the syslog configuration on your system is broken. There is normally a syslog file under /etc/syslog.conf or /etc/rsyslog.conf, and normally there should be more than one file under /etc/rsyslog.d/*.conf. Does ps aux show a syslog process?
-
edev.io over 11 years
@StefanLasiewski no it is not listed in ps aux. The previous sysadmin went a little rogue and broke a few things I believe on purpose. Think this could be part of it? How do I go about fixing this issue?
-
Stefan Lasiewski over 11 years
Try reinstalling rsyslog. Might need to 'remove', 'purge' then reinstall. See superuser.com/questions/102449/…
-
edev.io over 11 years
I'm going to have to continue this tomorrow at work. The reinstall after purge is failing
invoke-rc.d: initscript rsyslog, action "start" failed. dpkg: error processing rsyslog (--configure)
Thanks for your time and I will update once I've had a play :-)
-
edev.io over 11 years
Hi I installed syslog-ng and that has worked if you want to create an answer around that... thanks for your help and time
-
-
bonsaiviking over 11 years
From sshd_config(5) LogLevel: Gives the verbosity level that is used when logging messages from sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
-
edev.io over 11 years
my /syslog.conf is empty. I must add that I am taking over someone else's system and it seems that they didn't do a very good job of setting it up. Does the lack of syslog.conf mean that I am missing a service? (thanks for your response)
-
mdpc over 11 years
File is in /etc......it is possible that you might not be logging anything.
-
mdpc over 11 years
About VERBOSE in sshd_config....my mistake, but it's not a syslog log level which is commonly asked for in many of the programs I have dealt with.
-
edev.io over 11 years
leaving VERBOSE still in my sshd_config and running sudo /etc/init.d/ssh restart it still isn't logging. Am I being dumb about something?
-
edev.io over 11 years
is there a lag?
-
mdpc over 11 years
Then you should address it by close examination and modification of your /etc/syslog.conf file.
-
edev.io over 11 years
-
Sky Voyager over 5 years
What is the full solution? If we haven't syslog?
-
Brian Minton over 5 years
This worked for me, but using systemctl instead to restart the syslog service (Debian sid using inetutils-syslogd).
systemctl restart inetutils-syslogd.service