I am running a VPS with CentOS 7.
After a clean install, I correctly saw failed login attempts and service restarts appearing in /var/log/secure like so:
Jul 8 13:55:32 vps unix_chkpwd[2561]: password check failed for user (root)
...
Jul 8 14:03:21 vps sshd[13388]: Server listening on 0.0.0.0 port 22.
Jul 8 14:03:21 vps sshd[13388]: Server listening on :: port 22
After running sudo yum update, the logging to /var/log/secure suddenly stopped.
However, journalctl -u sshd still shows failed login attempts and the restarting of the services.
rsyslog.conf has not changed:
[midas@vps ~]$ ls -la /etc/rsyslog.conf
-rw-r--r--. 1 root root 3232 7 sep 2015 /etc/rsyslog.conf
and correctly redirects authpriv.* logs to /var/log/secure:
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
I actually did the clean install to retrace where this problem was coming from. Any help would be appreciated as I currently have no clue where the logs are being stored apart from the journal.
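
An added example, not part of the original post: this Python script evaluates the selectors from the RULES section quoted above and reports which destinations a given facility and severity would be written to, which checks the rule matching only, not whether messages reach rsyslog. It assumes sshd logs with the authpriv facility and handles the basic selector syntax (`*`, `none`, level names, `=` and `!`); the function names are hypothetical.

```python
# Added example: evaluate traditional rsyslog selectors against the rules quoted in the post.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Rules copied from the rsyslog.conf shown in the post (comment lines dropped).
RULES = """\
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     :omusrmsg:*
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log
"""

def selector_matches(selector, facility, severity):
    """Apply the ';'-separated parts left to right; later parts override earlier ones."""
    sev = SEVERITIES.index(severity)
    matched = False
    for part in selector.split(";"):
        facs, _, pri = part.rpartition(".")
        if "*" not in facs.split(",") and facility not in facs.split(","):
            continue
        negate = pri.startswith("!")
        pri = pri.lstrip("!")
        exact = pri.startswith("=")
        pri = pri.lstrip("=")
        if pri == "none":
            matched = False
            continue
        # A bare level means "this severity or more severe"; '=' means exactly it.
        hit = pri == "*" or (sev == SEVERITIES.index(pri) if exact
                             else sev <= SEVERITIES.index(pri))
        if hit:
            matched = not negate
    return matched

def destinations(facility, severity, rules=RULES):
    """Return the actions whose selector accepts facility.severity."""
    out = []
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, severity):
            out.append(action.lstrip("-"))  # leading '-' only disables file sync
    return out

if __name__ == "__main__":
    for fac, sev in [("authpriv", "info"), ("authpriv", "notice"), ("daemon", "info")]:
        print(f"{fac}.{sev} -> {destinations(fac, sev)}")
```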