I want to log tcp-wrapper events Solaris 10. I researched and saw that I could make a syslog entry in the hosts.deny, which I did below. After restarting syslog and having ssh blocking, I see nothing logging. I also do not get the email that should be generated. The file was taken from a working server.
I did put an auth.warning entry in syslog to the tcpwrapper log file which generated an entry when ssh was rejected, but the email wasn't received.
Any suggestins on why these emails might not be working and how to get sendmail logged? I see in the maillog that it is being blocked. NOTE: The sendmail being blocked is not happening at the same time this email notice of the violation is supposed to go out.
This is one of the lines in maillog
Jun 27 17:16:37 kristina sendmail[992]: [ID 801593 mail.notice] l5RLGbC3000992: tcpwrappers (localhost, 127.0.0.1) rejection
This is my hosts deny (abreviated).
sshd: ALL: spawn (echo "ssh violation from %h on %s using ssh - possible cracker ! Check /var/log/syslog on %s immediately!" | /usr/bin/mailx -r alert -s "tcpd violation from %h on %s - possible cracker!" csgonan) &
ALL: ALL: severity LOCAL3.notice
--------
here is my syslog.conf
# 6/26/07 - CSR added this to test logging tcpwrappers
local3.* ifdef(`LOGHOST', /var/log/tcpwrapperLog, @loghost)
-rw-r--r-- 1 root sys 0 Jun 26 15:57 tcpwrapperLog