08-25-2014 07:25 AM
Logging login actions in syslog
Hi,
I know this should be simple but I am not getting the expected results. I am just getting into sys admin duties and I need to log every login to the server, successful and failed ones. All I thought I needed was the "auth.*" line and I should be good to go. I have restarted the syslogd daemon and I have logged in multiple times.
I was expecting to see data in the auth.log file. I do however see my login attempts in the syslog.log file. Does anybody have any idea what I am doing wrong, or am I missing some pieces?
mail.debug /var/adm/syslog/mail.log
auth.* /var/adm/syslog/auth.log
*.info;mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *
#
# For Arcsight
*.notice @server2
Aug 25 08:43:41 apached1 sshd[6472]: SSH: Server;Ltype: Version;Remote: xxx.xxx.xxx.170-36328;Protocol: 2.0;Client: PuTTY_Release_0.63
Aug 25 08:43:41 apached1 sshd[6472]: SSH: Server;Ltype: Kex;Remote: xxx.xxx.xxx.170-36328;Enc: aes256-ctr;MAC: hmac-sha2-256;Comp: none [preauth]
Aug 25 08:43:43 apached1 sshd[6472]: SSH: Server;Ltype: Authname;Remote: xxx.xxx.xxx.170-36328;Name: devosd [preauth]
Aug 25 08:43:43 apached1 sshd[6472]: reverse mapping checking getaddrinfo for workstation1.domain.com [xxx.xxx.xxx.170] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 25 08:43:46 apached1 sshd[6472]: Accepted keyboard-interactive/pam for devosd from xxx.xxx.xxx.170 port 36328 ssh2
Aug 25 08:43:47 apached1 inetd[6486]: registrar/tcp: Connection from localhost (127.0.0.1) at Mon Aug 25 08:43:47 2014
Aug 25 08:44:02 apached1 sudo: devosd : TTY=pts/0 ; PWD=/home/devosd ; USER=root ; COMMAND=/usr/bin/su -
Aug 25 08:44:03 apached1 su: + 0 devosd-root
08-25-2014 07:44 AM
Re: Logging login actions in syslog
I think it can depend on the service. Secure shell should be getting logged. The ftpd requires the '-l' option on the service startup. Console login doesn't get logged.
Assuming you sig-HUP'd your syslogd daemon, of course...
08-25-2014 08:05 AM
Re: Logging login actions in syslog
What activity should I see and in which file would I find it? I assumed that the SSH login actions would be in the auth.log file but they are only in the syslog.log file. Is this correct?
We are getting ready for PCI 3.0 compliancy which means every login needs to be recorded as well as any new accounts being created or current accounts being changed.
08-25-2014 08:53 AM
Re: Logging login actions in syslog
Use the last and lastb commands. These show interactive logins and login failures (lastb).
Specify the length of the list with -# and be sure to use the -R option to show the hostname or IPaddr that logged in (or tried to login), like this:
# last -R -10
root pts/0 10.10.21.179 Mon Aug 25 09:49 still logged in
root pts/0 10.11.10.82 Fri Aug 22 16:44 - 16:44 (00:00)
root pts/1 10.11.10.82 Fri Aug 22 16:44 - 21:42 (04:57)
root pts/0 10.10.21.176 Thu Aug 21 08:48 - 09:12 (00:23)
root pts/0 10.10.21.139 Mon Aug 18 09:15 - 14:23 (05:08)
root pts/1 10.10.21.122 Sat Aug 16 21:44 - 22:54 (01:09)
root pts/0 10.10.21.122 Sat Aug 16 21:33 - 22:54 (01:21)
root console Fri Aug 15 21:17 - 21:25 (00:07)
reboot system boot Fri Aug 15 21:01 still logged in
root pts/0 10.10.21.143 Fri Aug 15 20:56 - 20:58 (00:02)
To see failed attempts, use lastb (same options):
# lastb -R -10
root console Wed Nov 17 07:14
ssh console Fri Oct 8 09:20
root console Fri Oct 1 07:21
guest console Mon Sep 27 14:20
root ftp sg1 Wed Sep 22 12:07
rooty ftp sg1 Wed Sep 22 12:06
root ftp sg1 Wed Sep 22 12:06
root ftp sg1 Wed Sep 22 12:06
root remshd ftp Mon Jul 26 16:29
root console Sat Jul 24 21:39
oa oa o console Sat Jul 24 12:17
blh pts/ta 172.16.0.17 Fri Jul 23 21:53
Be careful with the lastb listing. People sometimes type their password instead of their login and it is recorded as a bad login. last can be run by any user but lastb is root only.
Bill Hassell, sysadmin
08-28-2014 06:23 AM
Re: Logging login actions in syslog
I need to get the login actions to our ArcSight logger. The ideal situation would be to get the login attempts, successful or not, into the syslog as that is already being sent to the logger.
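
An added example, not part of any post in this thread: a POSIX shell/awk filter that pulls the login-relevant records (sshd Accepted/Failed, sudo, su) out of syslog-format lines like the syslog.log excerpt in the first post, so successes and failures can be reviewed separately from the rest of the log. The function names, the output layout and the one constructed failure line are assumptions, as is reading the `su` record's `+`/`-` as success/failure in the sulog style.

```shell
#!/bin/sh
# Added example (not from the thread): normalise login-related syslog lines.

# Sample input: lines 1-4 are copied from the first post; line 5 is constructed
# to show a failed attempt.
sample_lines() {
cat <<'EOF'
Aug 25 08:43:43 apached1 sshd[6472]: SSH: Server;Ltype: Authname;Remote: xxx.xxx.xxx.170-36328;Name: devosd [preauth]
Aug 25 08:43:46 apached1 sshd[6472]: Accepted keyboard-interactive/pam for devosd from xxx.xxx.xxx.170 port 36328 ssh2
Aug 25 08:44:02 apached1 sudo: devosd : TTY=pts/0 ; PWD=/home/devosd ; USER=root ; COMMAND=/usr/bin/su -
Aug 25 08:44:03 apached1 su: + 0 devosd-root
Aug 25 08:50:10 apached1 sshd[6601]: Failed password for invalid user guest from 192.0.2.7 port 40112 ssh2
EOF
}

# Reads syslog lines on stdin; prints "<time> <host> <service> <result> <user> <source>".
login_events() {
    awk '
    {
        ts = $1 " " $2 " " $3; host = $4
        svc = $5; sub(/\[[0-9]+\]:$/, "", svc); sub(/:$/, "", svc)
    }
    # OpenSSH: "<Accepted|Failed> <method> for [invalid user] <name> from <addr> port ..."
    svc == "sshd" && ($6 == "Accepted" || $6 == "Failed") && $8 == "for" {
        i = 9
        if ($i == "invalid" && $(i + 1) == "user") i += 2
        print ts, host, "sshd", ($6 == "Accepted" ? "success" : "failure"), $i, $(i + 2)
        next
    }
    # sudo: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=..."
    svc == "sudo" && $7 == ":" {
        target = "-"
        for (i = 8; i <= NF; i++) if ($i ~ /^USER=/) target = substr($i, 6)
        res = ($0 ~ /incorrect password|NOT in sudoers|not allowed/) ? "failure" : "success"
        who = $6 "->" target
        print ts, host, "sudo", res, who, "local"
        next
    }
    # su: "<+|-> <tty> <from>-<to>" (assumed: "+" is success, "-" is failure)
    svc == "su" && ($6 == "+" || $6 == "-") {
        print ts, host, "su", ($6 == "+" ? "success" : "failure"), $8, "local"
    }
    '
}

sample_lines | login_events
```

On a live host the same function can be fed the log named in the thread, for example `login_events < /var/adm/syslog/syslog.log`.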