Auth.log file not recording

Hello All,
My question is regarding the auth.log file under Ubuntu 20.04.
After searching on Google, I read some threads but could not find a matching answer for my case.
Some say "you can use journal-ctl command to see ssh logs", but what I'd like to do is save all ssh actions into the auth.log file.
I also checked rsyslog.conf under the etc directory but couldn't find an answer.
Please let me know how to fix it.

root@tester:/var/log# ls -la auth.log
-rw-r----- 1 syslog adm 0 May 17 19:09 auth.log

systemctl status rsyslog returns:

● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2023-05-13 20:46:29 UTC; 3 days ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             https://www.rsyslog.com/doc/
   Main PID: 942 (rsyslogd)
      Tasks: 4 (limit: 115717)
     Memory: 20.4M
     CGroup: /system.slice/rsyslog.service
             └─942 /usr/sbin/rsyslogd -n -iNONE

nano /etc/rsyslog.d/50*conf
I can see the lines below inside the 50*conf file.

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog

I suppose the above notation is correct.

Thank you
Boris

You are configured the same way I am (although I am on Red Hat).
Which user is running rsyslogd? On my system, rsyslogd is running as root, and the file is owned by root.

Your file is owned by 'syslog'. Is syslog the user that started rsyslog?

The daemon started on May 13, and the timestamp on the file is May 17th. It may have rotated off. Is there a file named auth.log* (or however log rotate is configured)? Maybe the old logs aren't saved?

authlog only updates with an authentication event (logging in). Is it possible there has been no authorization activity?

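The checks raised in the reply above (where the rules send the auth facility, and whether the file owner can write), as an added example that is not part of the original thread. The function names and the probe marker are hypothetical, and the sample inputs are constructed from the output quoted in the question.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs are constructed from the
# output quoted in the question; function names are hypothetical.

# Read rsyslog rules on stdin; print each file that receives facility $1.
# Selectors apply left to right, so a later "fac.none" removes a match.
targets_for_facility() {
    awk -v want="$1" '
        /^[ \t]*$/ || /^[ \t]*[#$]/ { next }     # blanks, comments, directives
        NF >= 2 {
            hit = 0
            n = split($1, sels, ";")
            for (i = 1; i <= n; i++) {
                split(sels[i], fp, "[.]")        # fp[1] facilities, fp[2] priority
                m = split(fp[1], facs, ",")
                for (j = 1; j <= m; j++)
                    if (facs[j] == want || facs[j] == "*")
                        hit = (fp[2] == "none") ? 0 : 1
            }
            if (hit) { sub(/^-/, "", $2); print $2 }
        }'
}

# Given one `ls -l` line and a user name, succeed only if that user owns the
# file and the owner write bit is set. Live user: ps -o user= -C rsyslogd
owner_can_write() {
    printf '%s\n' "$1" | awk -v u="$2" '{ exit !($3 == u && substr($1, 3, 1) == "w") }'
}

# Live check (run as root on the host): send a marker to the auth facility
# and see whether it lands in the log file. Not called in the demo below.
probe_auth_log() {
    marker="authlog-probe-$$"
    logger -p auth.notice -t authlog-probe "$marker"
    sleep 1
    grep -q "$marker" "${1:-/var/log/auth.log}"
}

# Constructed sample inputs, copied from the question.
RULES='auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog'
LS_LINE='-rw-r----- 1 syslog adm 0 May 17 19:09 auth.log'

printf 'auth goes to: %s\n' "$(printf '%s\n' "$RULES" | targets_for_facility auth)"
if owner_can_write "$LS_LINE" syslog; then echo "syslog can write auth.log"; fi
```

On a live host, feed the real rule files to `targets_for_facility` and call `probe_auth_log` to confirm that a message sent to the auth facility reaches the file.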

Hello @ScottieH,
Thank you for your return.
Here you are:
ls -la *.gz gives:

-rw-r--r-- 1 root   adm  20441 May 13 20:31 dmesg.1.gz
-rw-r--r-- 1 root   adm  20530 May 13 19:43 dmesg.2.gz
-rw-r----- 1 syslog adm 151266 May 16 00:00 syslog.2.gz
-rw-r----- 1 syslog adm 310016 May 15 00:00 syslog.3.gz

There is only one auth.log file inside /var/log directory.

ls *log* returns:

alternatives.log  cloud-init.log         faillog         lastlog   syslog.2.gz           ubuntu-advantage-timer.log
auth.log          cloud-init-output.log  fontconfig.log  syslog    syslog.3.gz
bootstrap.log     dpkg.log               kern.log        syslog.1  ubuntu-advantage.log

authlog only updates with an authentication event (logging in). Is it possible there has been no authorization activity?

I have generated a failed login attempt now, but auth.log is still empty.

Hello Dear @ScottieH,
Somehow it started recording all ssh activities again.
Thank you for your support
Kind regards
Boris
