Logging login actions in syslog

dirkdevos
Frequent Advisor

Hi,

I know this should be simple but I am not getting the expected results. I am just getting into sys admin duties and I need to log every login to the server, successful and failed ones. All I thought I needed was the "auth.*" line and I should be good to go. I have restarted the syslogd daemon and I have logged in multiple times.

I was expecting to see data in the auth.log file. I do however see my login attempts in the syslog.log file. Does anybody have any idea what I am doing wrong, or am I missing some pieces?

mail.debug              /var/adm/syslog/mail.log
auth.*                  /var/adm/syslog/auth.log
*.info;mail.none        /var/adm/syslog/syslog.log
*.alert                 /dev/console
*.alert                 root
*.emerg                 *
#
# For Arcsight
*.notice                @server2

Aug 25 08:43:41 apached1 sshd[6472]: SSH: Server;Ltype: Version;Remote: xxx.xxx.xxx.170-36328;Protocol: 2.0;Client: PuTTY_Release_0.63
Aug 25 08:43:41 apached1 sshd[6472]: SSH: Server;Ltype: Kex;Remote: xxx.xxx.xxx.170-36328;Enc: aes256-ctr;MAC: hmac-sha2-256;Comp: none [preauth]
Aug 25 08:43:43 apached1 sshd[6472]: SSH: Server;Ltype: Authname;Remote: xxx.xxx.xxx.170-36328;Name: devosd [preauth]
Aug 25 08:43:43 apached1 sshd[6472]: reverse mapping checking getaddrinfo for workstation1.domain.com [xxx.xxx.xxx.170] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 25 08:43:46 apached1 sshd[6472]: Accepted keyboard-interactive/pam for devosd from xxx.xxx.xxx.170 port 36328 ssh2
Aug 25 08:43:47 apached1 inetd[6486]: registrar/tcp: Connection from localhost (127.0.0.1) at Mon Aug 25 08:43:47 2014
Aug 25 08:44:02 apached1 sudo:   devosd : TTY=pts/0 ; PWD=/home/devosd ; USER=root ; COMMAND=/usr/bin/su -
Aug 25 08:44:03 apached1 su: + 0 devosd-root
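The syslog.log excerpt above mixes the sshd, sudo and su lines that together make up one login. The following is an added example, not code from the post, that pulls the login events out of lines of that shape so successful and failed attempts can be reviewed as one list. The sample lines are constructed for the example and modelled on the post (the addresses are documentation ranges, and the "Failed password" and "su: -" lines are the failure forms of the messages shown above); the su success/failure marker follows the sulog convention of "+" and "-".

```shell
#!/bin/sh
# Added example, not code from the thread: extract login events from syslog
# lines of the shape posted above. Sample lines are constructed for this
# example and modelled on the post; addresses are documentation ranges.
SAMPLE_LOG='Aug 25 08:43:43 apached1 sshd[6472]: SSH: Server;Ltype: Authname;Remote: 192.0.2.170-36328;Name: devosd [preauth]
Aug 25 08:43:46 apached1 sshd[6472]: Accepted keyboard-interactive/pam for devosd from 192.0.2.170 port 36328 ssh2
Aug 25 08:44:02 apached1 sudo:   devosd : TTY=pts/0 ; PWD=/home/devosd ; USER=root ; COMMAND=/usr/bin/su -
Aug 25 08:44:03 apached1 su: + 0 devosd-root
Aug 25 08:51:10 apached1 sshd[6601]: Failed password for root from 198.51.100.7 port 40122 ssh2
Aug 25 08:51:14 apached1 sshd[6601]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Aug 25 08:52:01 apached1 su: - 2 devosd-root'

# Read syslog lines on stdin; print one tab-separated event per line:
#   timestamp  RESULT  service  user  source
login_events() {
    awk '
    {
        ts = $1 " " $2 " " $3          # "Aug 25 08:43:46"
        prog = $5                       # "sshd[6472]:", "su:", "sudo:"
        if (index(prog, "sshd[") == 1 && $6 == "Accepted") {
            # Accepted <method> for <user> from <addr> port <port> ssh2
            print ts "\tACCEPT\tssh\t" $9 "\t" $11
        } else if (index(prog, "sshd[") == 1 && $6 == "Failed") {
            # Failed <method> for [invalid user] <user> from <addr> port <port> ssh2
            if ($9 == "invalid") { user = $11 " (no such account)"; src = $13 }
            else                 { user = $9;                        src = $11 }
            print ts "\tFAIL\tssh\t" user "\t" src
        } else if (prog == "su:") {
            # su logs "+ <tty> <from>-<to>" on success and "- <tty> <from>-<to>"
            # on failure (sulog convention)
            print ts "\t" ($6 == "+" ? "ACCEPT" : "FAIL") "\tsu\t" $8 "\tlocal"
        } else if (prog == "sudo:") {
            # sudo:   <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=...
            print ts "\tSUDO\tsudo\t" $6 "\tlocal"
        }
    }'
}

# Count failed attempts per source address, most frequent first.
failed_by_source() {
    login_events | awk -F'\t' '$2 == "FAIL" { n[$5]++ } END { for (s in n) print n[s] "\t" s }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | login_events
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
```

Run it against a real file with `login_events < /var/adm/syslog/syslog.log`. The "Authname" and "Kex" lines carry no result and are deliberately ignored; the "Accepted" or "Failed" line is the record of the attempt. Lines beginning with "reverse mapping checking" are not login outcomes either, only a DNS mismatch warning for the connecting host.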

RJHall
Frequent Advisor

Re: Logging login actions in syslog

I think it can depend on the service. Secure shell should be getting logged. The ftpd requires the '-l' option on the service startup. Console login doesn't get logged.

Assuming you sig-HUP'd your syslogd daemon, of course...

dirkdevos
Frequent Advisor

Re: Logging login actions in syslog

What activity should I see and in which file would I find it. I assumed that the SSH login actions would be in the auth.log file but they are only in the syslog.log file. Is this correct?

We are getting ready for PCI 3.0 compliance, which means every login needs to be recorded as well as any new accounts being created or current accounts being changed.

Bill Hassell
Honored Contributor

Re: Logging login actions in syslog

Use the last and lastb commands. These show interactive logins and login failures (lastb).

Specify the length of the list with -# and be sure to use the -R option to show the hostname or IP address that logged in (or tried to log in), like this:

# last -R -10
root     pts/0        10.10.21.179     Mon Aug 25 09:49   still logged in
root     pts/0        10.11.10.82      Fri Aug 22 16:44 - 16:44  (00:00)
root     pts/1        10.11.10.82      Fri Aug 22 16:44 - 21:42  (04:57)
root     pts/0        10.10.21.176     Thu Aug 21 08:48 - 09:12  (00:23)
root     pts/0        10.10.21.139     Mon Aug 18 09:15 - 14:23  (05:08)
root     pts/1        10.10.21.122     Sat Aug 16 21:44 - 22:54  (01:09)
root     pts/0        10.10.21.122     Sat Aug 16 21:33 - 22:54  (01:21)
root     console                       Fri Aug 15 21:17 - 21:25  (00:07)
reboot   system boot                   Fri Aug 15 21:01   still logged in
root     pts/0        10.10.21.143     Fri Aug 15 20:56 - 20:58  (00:02)

To see failed attempts, use lastb (same options):

# lastb -R -10
 root     console                       Wed Nov 17 07:14
 ssh      console                       Fri Oct  8 09:20
 root     console                       Fri Oct  1 07:21
 guest    console                       Mon Sep 27 14:20
 root     ftp          sg1              Wed Sep 22 12:07
 rooty    ftp          sg1              Wed Sep 22 12:06
 root     ftp          sg1              Wed Sep 22 12:06
 root     ftp          sg1              Wed Sep 22 12:06
 root     remshd       ftp              Mon Jul 26 16:29
 root     console                       Sat Jul 24 21:39
  oa oa o console                       Sat Jul 24 12:17
 blh      pts/ta       172.16.0.17      Fri Jul 23 21:53

Be careful with the lastb listing. People sometimes type their password instead of their login and it is recorded as a bad login. last can be run by any user, but lastb is root only.

Bill Hassell, sysadmin
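Bill's warning about lastb is the check a reviewer most wants automated: a "user" in the lastb listing that is not an account at all is quite likely someone's password, and the listing then needs the same handling as a password. The following is an added example, not code from the post, that annotates lastb -R records against an account list and ranks failures per user. Both inputs are constructed for the example and modelled on the listing above; no system files are read, so replace the sample text with `cut -d: -f1 /etc/passwd` and `lastb -R` output to use it for real.

```shell
#!/bin/sh
# Added example, not code from the thread: review "lastb -R" output against the
# account list and flag names that are not accounts. Both inputs below are
# constructed for this example and modelled on the post's listing.
SAMPLE_PASSWD='root:x:0:3::/:/sbin/sh
blh:x:101:20::/home/blh:/usr/bin/sh
guest:x:102:20::/home/guest:/usr/bin/sh'

SAMPLE_LASTB='root     console                       Wed Nov 17 07:14
ssh      console                       Fri Oct  8 09:20
root     console                       Fri Oct  1 07:21
guest    console                       Mon Sep 27 14:20
root     ftp          sg1              Wed Sep 22 12:07
rooty    ftp          sg1              Wed Sep 22 12:06
blh      pts/ta       172.16.0.17      Fri Jul 23 21:53'

# Print account names from passwd-format text on stdin, one per line.
account_names() { cut -d: -f1; }

# Annotate lastb -R records on stdin as "user  tty  host  status".
# $1 is a space-separated list of valid account names. The host column is
# blank for console logins, so a weekday name in the third field means "no host".
review_lastb() {
    awk -v known="$1" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) valid[k[i]] = 1 }
    {
        nf = split($0, f, " ")
        if (nf < 5 || f[2] == "begins") next   # blank lines, "wtmp/btmp begins" trailers
        user = f[1]; tty = f[2]
        host = (f[3] ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "-" : f[3]
        status = (user in valid) ? "KNOWN" : "NOT-AN-ACCOUNT"
        print user "\t" tty "\t" host "\t" status
    }'
}

# Failed attempts per user, most frequent first, keeping the status column so
# non-account names (possible leaked passwords) stand out in the ranking too.
failures_per_user() {
    review_lastb "$1" | awk -F'\t' '{ c[$1 "\t" $4]++ } END { for (u in c) print c[u] "\t" u }' | sort -rn
}

KNOWN_USERS=$(printf '%s\n' "$SAMPLE_PASSWD" | account_names | tr '\n' ' ')
printf '%s\n' "$SAMPLE_LASTB" | review_lastb "$KNOWN_USERS"
printf '%s\n' "$SAMPLE_LASTB" | failures_per_user "$KNOWN_USERS"
```

On the sample, "ssh" and "rooty" come out as NOT-AN-ACCOUNT; on a real listing, anything in that state should be treated as potentially a typed password, which is the reason the post notes that lastb is root only.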
dirkdevos
Frequent Advisor

Re: Logging login actions in syslog

I need to get the login actions to our ArcSight logger. The ideal situation would be to get the login attempts, successful or not, into the syslog as that is already being sent to the logger.
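Two points in the syslog.conf from the first post matter for both questions in this thread (why the sshd lines show up in syslog.log, and how to get every attempt to ArcSight). First, `*.info;mail.none` selects every facility at priority info and above, auth included, so the sshd lines will appear in syslog.log regardless of the `auth.*` line; whether they also reach auth.log depends on sshd logging to the auth facility, which is OpenSSH's default SyslogFacility (the message format in the post is OpenSSH's). Second, OpenSSH logs its "Accepted ..." and "Failed ..." lines at priority info, so the `*.notice @server2` line never forwards a successful or failed SSH login to the collector. The following is an added example of the configuration, not the thread's own file; the paths and the server2 hostname are taken from the post, and it assumes sshd is left at its default facility:

```conf
# Added example, not the thread's own syslog.conf: route authentication
# messages to both the local auth.log and the ArcSight collector.
# Assumes sshd keeps its default SyslogFacility of AUTH.
mail.debug              /var/adm/syslog/mail.log
auth.*                  /var/adm/syslog/auth.log
*.info;mail.none        /var/adm/syslog/syslog.log
*.alert                 /dev/console
*.alert                 root
*.emerg                 *
#
# For Arcsight: sshd's "Accepted"/"Failed" lines are priority info, so
# *.notice alone never forwards them; the auth.info selector on the same
# line overrides *.notice for the auth facility only.
*.notice;auth.info      @server2
```

Three checks before trusting it: confirm the facility with `grep -i SyslogFacility` on the sshd_config in use, since a non-default value would route the lines elsewhere; make sure auth.log exists and is writable before reloading, because BSD-derived syslogds open destinations for append and report a missing file rather than create it; and after sending syslogd a HUP (as RJHall notes), run `logger -p auth.info "auth routing test"` and look for that line in auth.log, in syslog.log and on the collector. If the test line reaches all three, the next SSH login will too.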