
I was looking at the auth log of my server, and I was surprised to see that the times are offset.

root@server:/home/admin# date
Tue Jan 12 09:51:36 CET 2016
root@server:/home/admin# tail /var/log/auth.log 
Jan 12 03:10:05 server sshd[18973]: Connection closed by 222.189.40.171 [preauth]
Jan 12 03:25:43 server sshd[18983]: reverse mapping checking getaddrinfo for 210.subnet222-124-218.static.astinet.telkom.net.id [222.124.218.210] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 12 03:25:43 server sshd[18983]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.124.218.210  user=root
Jan 12 03:25:45 server sshd[18983]: Failed password for root from 222.124.218.210 port 34563 ssh2
Jan 12 03:25:45 server sshd[18983]: Connection closed by 222.124.218.210 [preauth]
Jan 12 03:41:45 server sshd[18991]: Accepted publickey for admin from 217.111.52.130 port 35090 ssh2: RSA 0b:7a:fa:16:89:a2:ad:9c:06:7f:d1:c8:91:de:23:ae
Jan 12 03:41:45 server sshd[18991]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jan 12 03:42:38 server su[19013]: Successful su for root by admin
Jan 12 03:42:38 server su[19013]: + /dev/pts/0 admin:root
Jan 12 03:42:38 server

This is the time zone the server has configured:

cat /etc/timezone 
Europe/Berlin

Maybe it is helpful to know that the server is a VZ guest.

Here is what the commands show in a row:

$ su -c "date && tail -n 5 /var/log/auth.log"
Password: 
Tue Jan 12 10:33:24 CET 2016
Jan 12 03:41:45 server sshd[18991]: Accepted publickey for admin from 217.111.52.130 port 35090 ssh2: RSA 0b:7a:fa:16:89:a2:ad:9c:06:7f:d1:c8:91:de:23:ae
Jan 12 03:41:45 server sshd[18991]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jan 12 03:42:38 server su[19013]: Successful su for root by admin
Jan 12 03:42:38 server su[19013]: + /dev/pts/0 admin:root
Jan 12 03:42:38 server su[19013]: pam_unix(su:session): session opened for user root by admin(uid=1000)
oz123
  • At the moment, all we can see is a current date, plus some earlier syslogs. If you'd like us to examine an offset, we need to see the same event in both frames. Try `sudo date`, or failing that `/bin/su -c date`, *then* the last few lines from `auth.log`. – MadHatter Jan 12 '16 at 09:30
  • @MadHatter, that is exactly the problem: the logs are not earlier... the date written there is wrong – oz123 Jan 12 '16 at 09:32
  • I understand what you're telling us, but I want you to **show** us. **Edit**: OK, you have, thanks. I notice that, although you've generated a loggable event, no new line has appeared in your logs (compared with the chunk above). Is it possible that syslog has stopped logging? Have you tried restarting it? – MadHatter Jan 12 '16 at 09:35

1 Answer


Apparently this is a known issue.

I fixed this by restarting rsyslog.

oz123
  • Normal best practice would be to confirm in comments that the person who'd been helping you had led you to the answer, and inviting *them* to write it up. But I'm glad you got on top of what was happening! – MadHatter Jan 12 '16 at 10:49
  • Restarting syslog doesn't work for me, I use inetutils-syslogd. – netawater Dec 20 '21 at 12:27
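The thread's diagnosis hinges on one observation: the `su -c` run at 10:33 produced no new `auth.log` line, so the "offset" timestamps were simply the last entries written before the syslog daemon stalled, and restarting rsyslog brought logging back. The check below is an added example (not code from the question, the answer or any syslog project) that turns that observation into something a monitor can run: it parses the classic syslog timestamp, which carries neither a year nor a zone, and compares the newest entry with the system clock. The sample lines are the ones shown in the question, the reference clock is the `date` output from the second listing, and the thresholds (one hour of silence means "stale", five minutes ahead of the clock means "future") are assumptions to tune per host.

```python
"""Log-freshness check for classic syslog files such as /var/log/auth.log.

Added example, not part of the original post. It answers two questions a
defender wants answered when timestamps look wrong:
  - has the daemon stopped writing?  (newest entry far behind the clock)
  - is the clock or timezone skewed? (newest entry ahead of the clock)
Timestamps are naive local times, exactly as the daemon writes them, so the
reference clock must be naive local time too (datetime.now(), not UTC).
"""
import re
from datetime import datetime, timedelta

# "Jan 12 03:42:38 host prog[pid]: msg"; the day is space-padded ("Jan  2").
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

# Constructed reference clock and sample lines, copied from the question.
REFERENCE_NOW = datetime(2016, 1, 12, 10, 33, 24)
SAMPLE_LINES = [
    "Password: ",   # shell noise, no timestamp; must be ignored
    "Jan 12 03:41:45 server sshd[18991]: Accepted publickey for admin from 217.111.52.130 port 35090 ssh2",
    "Jan 12 03:41:45 server sshd[18991]: pam_unix(sshd:session): session opened for user admin by (uid=0)",
    "Jan 12 03:42:38 server su[19013]: Successful su for root by admin",
    "Jan 12 03:42:38 server su[19013]: + /dev/pts/0 admin:root",
    "Jan 12 03:42:38 server su[19013]: pam_unix(su:session): session opened for user root by admin(uid=1000)",
]


def parse_syslog_ts(line, now):
    """Return the naive local datetime of a syslog line, or None if it has none.

    The year is borrowed from `now`; if that would place the entry more than a
    day in the future, the line was written last year (log spanning New Year).
    """
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    for year in (now.year, now.year - 1):
        try:
            ts = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
        except ValueError:          # e.g. Feb 29 in a non-leap year
            continue
        if ts - now <= timedelta(days=1):
            return ts
    return None


def check_log_freshness(lines, now, max_gap_seconds=3600, max_lead_seconds=300):
    """Classify the newest timestamped entry relative to `now`.

    Returns (status, gap_seconds), where gap_seconds = now - newest entry and
    status is one of "ok", "stale" (daemon probably stopped writing),
    "future" (clock or timezone skew) or "no-entries".
    """
    stamps = [t for t in (parse_syslog_ts(l, now) for l in lines) if t]
    if not stamps:
        return "no-entries", None
    gap = int((now - max(stamps)).total_seconds())
    if gap < -max_lead_seconds:
        return "future", gap
    if gap > max_gap_seconds:
        return "stale", gap
    return "ok", gap


def check_file(path, now=None, tail_lines=200):
    """Run the check over the tail of a real log file (naive local clock)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.readlines()[-tail_lines:]
    return check_log_freshness(lines, now or datetime.now())


def demo():
    """Reproduce the thread's situation: newest entry ~6h51m behind the clock."""
    return check_log_freshness(SAMPLE_LINES, REFERENCE_NOW)


if __name__ == "__main__":
    status, gap = demo()
    print(f"auth.log status: {status} (newest entry {gap} s behind the clock)")
```

Run `check_file("/var/log/auth.log")` from cron or a monitoring agent; a "stale" result on a host that normally sees steady SSH traffic is the cue to look at the syslog daemon (as the answer did with `rsyslog`), while "future" points at the clock or `/etc/timezone` rather than the daemon.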