Set the auth.info facility.level in /etc/syslog.conf and point it to a log (/var/log/authlog for example). Ensure the log file exists. Restart syslog and attempt the log in.
Nov 28 20:20:43 goblin sshd[519]: [ID 800047 auth.info] input_userauth_request: illegal user carlschelin
Nov 28 20:20:43 goblin sshd[519]: [ID 800047 auth.info] Failed none for NOUSER from 192.168.1.9 port 51025 ssh2
Nov 28 20:20:43 goblin sshd[519]: [ID 800047 auth.info] Failed publickey for NOUSER from 192.168.1.9 port 51025 ssh2
Nov 28 20:20:44 goblin sshd[519]: [ID 800047 auth.info] Failed password for NOUSER from 192.168.1.9 port 51025 ssh2
Nov 28 20:20:45 goblin last message repeated 2 times
Nov 28 20:20:45 goblin sshd[519]: [ID 800047 auth.info] Connection closed by 192.168.1.9
I have updated my syslog.conf with the following auth.x entries (and cycled syslogd) :
auth.notice;auth.crit;auth.info /var/log/authlog
I see that login failure information is being captured, but the ID (or even a Generic ID) is NOT...
Nov 29 08:03:31 testBOX.com login: [ID 143248 auth.notice] Login failure on /dev/pts/2 from mybox.com
Nov 29 08:03:38 testBOX.com last message repeated 1 time
Nov 29 08:03:42 testBOX.com login: [ID 760094 auth.crit] REPEATED LOGIN FAILURES ON /dev/pts/2 FROM mybox.com
Nov 29 08:06:48 testBOX.com login: [ID 143248 auth.notice] Login failure on /dev/pts/2 from mybox.com
Nov 29 08:06:55 testBOX.com last message repeated 1 time
Nov 29 08:06:59 testBOX.com login: [ID 760094 auth.crit] REPEATED LOGIN FAILURES ON /dev/pts/2 FROM mybox.com
Nov 29 08:19:21 testBOX.com login: [ID 143248 auth.notice] Login failure on /dev/pts/2 from mybox.com
Nov 29 08:19:26 testBOX.com last message repeated 1 time
Nov 29 08:19:30 testBOX.com login: [ID 760094 auth.crit] REPEATED LOGIN FAILURES ON /dev/pts/2 FROM mybox.com
Also, does anyone know where I can get a list of valid facilities?
wondering what other options are out there...
thanks
It looks like the ID is captured from invalid ssh attempts, but NOT regular telnet attempts:
messages from telnet attempts as "test1" in authlog:
Nov 30 12:02:31 SERVER.x.com login: [ID 143248 auth.notice] Login failure on /dev/pts/3 from myBOX.com
Nov 30 12:02:38 SERVER.x.com last message repeated 1 time
Nov 30 12:02:42 SERVER.x.com login: [ID 760094 auth.crit] REPEATED LOGIN FAILURES ON /dev/pts/3 FROM myBOX.com
messages from ssh attempts as "test1" in authlog:
Nov 30 12:03:11 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Illegal user test1 from myBOX.com
Nov 30 12:03:11 SERVER.x.com sshd[1473]: [ID 800047 auth.info] input_userauth_request: illegal user test1
Nov 30 12:03:11 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Failed none for <invalid username> from myBOX.com port
35543 ssh2
Nov 30 12:03:11 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Failed gssapi-with-mic for <invalid username> from myB OX.com port 35543 ssh2
Nov 30 12:03:11 SERVER.x.com last message repeated 1 time
Nov 30 12:03:11 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Failed publickey for <invalid username> from myBOX.com
port 35543 ssh2
Nov 30 12:03:13 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while a
uthenticating: No account present for user
Nov 30 12:03:13 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> fro
m myBOX.com port 35543 ssh2
Nov 30 12:03:20 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while a
uthenticating: No account present for user
Nov 30 12:03:20 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> fro
m myBOX.com port 35543 ssh2
Nov 30 12:03:20 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while a
uthenticating: No account present for user
Nov 30 12:03:20 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> fro
m myBOX.com port 35543 ssh2
Nov 30 12:03:20 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Connection closed by myBOX.com
Invalid ssh connections are captured in /var/log/authlog (see above - from /etc/syslog.conf).
and
Invalid telnet connections are captured in /var/adm/loginlog?
# cat loginlog
test1:/dev/pts/2:Thu Dec 1 09:02:27 2005
test1:/dev/pts/2:Thu Dec 1 09:02:32 2005
test1:/dev/pts/2:Thu Dec 1 09:02:40 2005
Does anyone ever update there syslog.conf to consolidate this info into a single file?
/var/adm/loginlog is specific to login. login doesn't use syslog events so there's no real way to consolidate via syslog. You could point syslog to /var/adm/loginlog I suppose. You'd have two different output lines which might cause scripting problems. You could also script it out and into a common file.