I'm trying to log failed login attempts (either incorrect username, password, or both) on my server.

I changed /etc/ssh/sshd_config from

# Logging
SyslogFacility AUTH 
LogLevel INFO

to

# Logging
SyslogFacility AUTH 
LogLevel VERBOSE

and have since tried multiple ssh attempts with both existing and non-existing users with random passwords, thus failing. When checking /var/log/auth.log nothing appears and it is entirely blank.

What am I missing? Does some other process need to also be installed and running on my system? I'm running Ubuntu.

Any help or guidance on this matter is more than welcome.

Thanks

edev.io
  • Did you restart sshd? – bonsaiviking Dec 03 '12 at 22:26
  • What does your syslog configuration look like? This would probably be a file at `/etc/syslog.conf` or `/etc/rsyslog.conf` or `/etc/rsyslog.d/*.conf` – Stefan Lasiewski Dec 04 '12 at 00:03
  • @StefanLasiewski the first 2 are empty and `/etc/rsyslog.d/*.conf` says "$AddUnixListenSocket /var/spool/postfix/dev/log" – edev.io Dec 04 '12 at 00:12
  • @Georgejnr : If that is the case, it appears that the syslog configuration on your system is broken. There is normally a syslog file under /etc/syslog.conf or /etc/rsyslog.conf, and normally there should be more than one file under /etc/rsyslog.d/*.conf. Does `ps aux` show a syslog process? – Stefan Lasiewski Dec 04 '12 at 00:33
  • @StefanLasiewski no, it is not listed in ps aux. The previous sysadmin went a little rogue and broke a few things, I believe on purpose. Think this could be part of it? How do I go about fixing this issue? – edev.io Dec 04 '12 at 00:42
  • Try reinstalling rsyslog. Might need to 'remove', 'purge' then reinstall. See http://superuser.com/questions/102449/how-to-reinstall-a-package-using-apt-get – Stefan Lasiewski Dec 04 '12 at 00:44
  • I'm going to have to continue this tomorrow at work. The reinstall after purge is failing: `invoke-rc.d: initscript rsyslog, action "start" failed. dpkg: error processing rsyslog (--configure)` Thanks for your time and I will update once I've had a play :-) – edev.io Dec 04 '12 at 01:01
  • Hi, I installed syslog-ng and that has worked, if you want to create an answer around that... thanks for your help and time – edev.io Dec 04 '12 at 10:12

5 Answers

The LogLevel generally (apparently application dependent) refers to one of the defined severity levels supported by the system logging process (syslog). So change it back and restart the sshd server.

Now if you are not getting the output, you need to look at the system /etc/syslog.conf and see what MINIMUM loglevel the AUTH type of requests are being logged and to what file. The errors might be going to a different log file. OR you might not be logging these errors due to the syslog.conf configuration for the AUTH service. For more information consult the man pages on and syslog.conf.

mdpc
  • From [sshd_config(5)](http://linux.die.net/man/5/sshd_config) LogLevel: Gives the verbosity level that is used when logging messages from sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, *VERBOSE*, DEBUG, DEBUG1, DEBUG2, and DEBUG3. – bonsaiviking Dec 03 '12 at 22:28
  • my /syslog.conf is empty. I must add that I am taking over someone else's system and it seems that they didn't do a very good job of setting it up. Does the lack of syslog.conf mean that I am missing a service? (thanks for your response) – edev.io Dec 03 '12 at 22:31
  • File is in /etc... it is possible that you might not be logging anything. – mdpc Dec 03 '12 at 22:33
  • About VERBOSE in sshd_config... my mistake, but it's not a syslog log level, which is commonly asked for in many of the programs I have dealt with. – mdpc Dec 03 '12 at 22:33
  • leaving VERBOSE still in my sshd_config and running sudo /etc/init.d/ssh restart, it still isn't logging. Am I being dumb about something? – edev.io Dec 03 '12 at 22:40
  • is there a lag? – edev.io Dec 03 '12 at 22:41
  • Then you should address it by close examination and modification of your /etc/syslog.conf file. – mdpc Dec 03 '12 at 22:43
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/6608/discussion-between-georgejnr-and-mdpc) – edev.io Dec 03 '12 at 22:50
  • What is the full solution? If we don't have syslog? – Sky Voyager Aug 20 '18 at 19:32
When I had the same problem on Debian, I found I had to restart rsyslogd:

/etc/init.d/rsyslog restart

(Your syslogd program may vary.)

Then it started writing to /var/log/auth.log again.

Perhaps it had stopped logging after a disk full event, I'm not sure.

See also: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1059854/comments/9

Sam Watkins
  • This worked for me, but using systemctl instead to restart the syslog service (Debian sid using inetutils-syslogd). `systemctl restart inetutils-syslogd.service` – Brian Minton Sep 06 '18 at 15:18
In my case the problem was with the ownership of the /var/log/auth.log file. It was owned by root:root but must be syslog:adm. Change with

sudo chown syslog:adm /var/log/auth.log

It appears to be a common problem with newly created systems; there were more log files that had this issue.

In my case there was no disk space left on the root file system /, which you can check for with df -h

HBruijn
yellowsir
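The answers above each name one reason auth.log stays empty: the sshd LogLevel, no syslog daemon running, wrong ownership of /var/log/auth.log, or a full root filesystem. The script below is an added diagnostic that checks all four in one pass; it is not code from the thread. It assumes GNU stat/df/pgrep as found on Ubuntu, that no Match block in sshd_config sets LogLevel, and the syslog:adm ownership given in the answer above.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): checks the four failure points the
# answers name: sshd LogLevel, a running syslog daemon, auth.log ownership
# (syslog:adm on Ubuntu) and free space on the log filesystem.

# Effective LogLevel of an sshd_config: sshd uses the first directive it finds,
# default INFO. Match blocks are ignored (assumption: none set LogLevel).
sshd_loglevel() {
    lvl=$(awk 'tolower($1)=="loglevel" && v=="" {v=$2}
               END {print (v=="" ? "INFO" : v)}' "$1" 2>/dev/null)
    echo "${lvl:-INFO}"
}

# Print the name of the running syslog daemon; fail if none (the question's case).
syslog_daemon() {
    for d in rsyslogd syslog-ng syslogd; do
        pgrep -x "$d" >/dev/null 2>&1 && { echo "$d"; return 0; }
    done
    return 1
}

# user:group owning a file (GNU stat).
owner_of() { stat -c '%U:%G' "$1"; }

# Free kilobytes on the filesystem holding PATH.
free_kb() { df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}'; }

# Run all checks; returns 0 only if nothing looks wrong.
check_auth_logging() {
    cfg=${1:-/etc/ssh/sshd_config}; log=${2:-/var/log/auth.log}; rc=0
    lvl=$(sshd_loglevel "$cfg")
    case "$lvl" in
        INFO|VERBOSE|DEBUG*) echo "OK   sshd LogLevel $lvl" ;;
        *) echo "WARN sshd LogLevel $lvl suppresses failed-login messages"; rc=1 ;;
    esac
    if d=$(syslog_daemon); then echo "OK   syslog daemon running: $d"
    else echo "FAIL no syslog daemon (reinstall rsyslog or install syslog-ng)"; rc=1; fi
    if [ -f "$log" ]; then
        own=$(owner_of "$log")
        if [ "$own" = "syslog:adm" ]; then echo "OK   $log owned by $own"
        else echo "WARN $log owned by $own, expected syslog:adm"; rc=1; fi
    else echo "FAIL $log does not exist"; rc=1; fi
    kb=$(free_kb "$(dirname "$log")")
    if [ "${kb:-0}" -gt 10240 ]; then echo "OK   ${kb}K free for logs"
    else echo "FAIL log filesystem full or missing (check df -h)"; rc=1; fi
    return $rc
}

if ! check_auth_logging "$@"; then echo "Fix the FAIL/WARN items, then restart sshd and the syslog daemon."; fi
```

Run it as root so the ownership and daemon checks see the real files and processes; optional arguments override the sshd_config and log paths.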
You could use a daemon like sshlog (I'm a contributor for this project) which monitors successful and failing ssh requests as well as the commands executed. The nice thing about this approach is that you can configure how you would like these events logged/alerted.

For example, you could configure it to report all failed login attempts and send that to a remote syslog, and send any sudo attempts to Slack alerts.

In this case the config would look like:

events:
  - event: log_all_failed_connections
    triggers:
      - connection_auth_failed
    actions:
      - action: syslog_to_localhost
        plugin: syslog_action
        server_address: remote_server_addr
        port: 514
        udp: True
        output_json: False
        program_name: sshlog

  - event: sudo_successful
    triggers: [ 'command_finish']
    filters:
      command_name: 'sudo'
      command_exit_code: '= 0'
    actions:
      - action: send_to_slack
        plugin: slack_action
        slack_webhook_url: 'https://hooks.slack.com/services/x/y/z'

More config examples are available here: https://github.com/sshlog/agent/tree/master/daemon/config_samples