/var/adm/loginlog empty
I am trying to capture failed login attempts. I have created /var/adm/loginlog. I have tried permissions of 600 and 644. It is owned by root:sys. /etc/default/login is set to SYSLOG_FAILED_LOGINS=0. /etc/syslog.conf has auth.notice going to /var/log/authlog, with tabs used between the two statements. I have done a kill -HUP on the process ID of syslog. The machine has been shut down numerous times; it is a test box. Failed logins are captured in /var/log/authlog, but nothing is ever written to /var/adm/loginlog. It remains 0 size. I have issued pkgchk -f -n -p /etc/default/login and logadm -w connlog -C 13 /var/adm/loginlog. /var/adm/loginlog remains 0. Any suggestions would be appreciated.
By rdrollin at 2007-11-26 9:17:46

# 1
Hmm, SYSLOG_FAILED_LOGINS only tells login when to log failed login attempts to syslog; if you set it to 0, it will syslog all failed logins using the priority auth.notice.
I guess that your syslog.conf contains a record which logs auth.notice to /var/log/authlog.
The /var/adm/loginlog is different: if it exists, login will log to the file after five unsuccessful logins, regardless of syslog.
7/M.
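A check for the settings discussed above, as an added example that is not part of the original post or any vendor tool: a POSIX shell script that verifies the three pieces the thread relies on (the SYSLOG_FAILED_LOGINS value in /etc/default/login, a syslog.conf selector that actually covers auth.notice and is separated from its action by a TAB rather than spaces, and the mode and owner of /var/adm/loginlog). The file formats it parses (KEY=VALUE lines, "selector<TAB>action" lines) and the function names are assumptions made for the example; pass it --live to run against the real paths.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check failed-login logging
# configuration on a Solaris-style box. Paths are parameters so the checks can
# also be run against copied files. Assumed formats: /etc/default/login holds
# KEY=VALUE lines; /etc/syslog.conf holds "selector<TAB>action" lines, and
# syslogd ignores entries where spaces separate the two.

# Effective value of KEY in an /etc/default/login style file; empty if unset.
default_login_value() {
    # $1 = file, $2 = key. Commented-out lines are ignored; the last setting wins.
    grep "^$2=" "$1" 2>/dev/null | tail -n 1 | sed "s/^$2=//"
}

# Does syslog.conf route auth.notice somewhere, with a TAB separator?
# Prints "ok <action>" for the first line whose selector covers auth at notice,
# "spaces" if that line is space-separated, or "missing" if no selector covers it.
check_syslog_auth() {
    awk '
        BEGIN {
            rank["emerg"] = 0; rank["alert"] = 1; rank["crit"] = 2; rank["err"] = 3
            rank["warning"] = 4; rank["notice"] = 5; rank["info"] = 6; rank["debug"] = 7
            found = 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            if (match($0, /^[^ \t]+/) == 0) next
            sel = substr($0, 1, RLENGTH)          # e.g. auth.notice;*.err
            sep = substr($0, RLENGTH + 1, 1)      # character right after the selector
            action = $2
            n = split(sel, parts, ";")
            for (i = 1; i <= n; i++) {
                split(parts[i], fp, ".")
                fac = fp[1]; lvl = fp[2]
                # a level selects that priority and everything more severe,
                # so auth.info and auth.debug also cover auth.notice
                if ((fac == "auth" || fac == "*") && (lvl in rank) && rank[lvl] >= rank["notice"]) {
                    if (sep == "\t") print "ok " action
                    else print "spaces"
                    found = 1
                    exit
                }
            }
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Mode of the loginlog file: "absent", "ok" for -rw------- (600), else the mode seen.
check_loginlog_mode() {
    [ -f "$1" ] || { echo absent; return 0; }
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -rw-------) echo ok ;;
        *) echo "$mode" ;;
    esac
}

# owner:group of a file as ls -l reports it (should be root:sys for /var/adm/loginlog)
file_owner() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

if [ "${1:-}" = "--live" ]; then
    echo "SYSLOG_FAILED_LOGINS=$(default_login_value /etc/default/login SYSLOG_FAILED_LOGINS)"
    echo "syslog.conf auth entry: $(check_syslog_auth /etc/syslog.conf)"
    echo "/var/adm/loginlog mode: $(check_loginlog_mode /var/adm/loginlog)"
    if [ -f /var/adm/loginlog ]; then
        echo "/var/adm/loginlog owner: $(file_owner /var/adm/loginlog)"
    fi
fi
```

The level ranking matters because a syslog.conf line such as auth.warning looks plausible but never sees a notice-priority message, while auth.info or *.info does; the TAB check catches the classic case where the entry is present but syslogd silently skips it.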
# 2
Thanks for your help.
The file does exist. I attempted 5 incorrect logins with a valid user ID. Nothing was logged to /var/adm/loginlog. /var/log/authlog did record the failed attempts. In searches I found: just touch the file, set the permissions, and edit /etc/default/login. I was following the recommendation of CIS.
I am confused.
Thanks again for your suggestion.
# 4
ls -l /var/adm/loginlog
rw- 1 root sys 0 Aug 3 10:00 /var/adm/loginlog
I have tried changing this permission to rw-r--r-- with the same result.
I was using PuTTY to create the failed logins.
I just found a step-by-step guide from SANS that confirms what I had been trying. It said to touch the file, set perms & ownership, and create a line in /etc/syslog.conf: auth.info /var/log/authlog.
It should be very simple. I am not sure what I am overlooking.
Thanks again.
# 5
It should be rw-- and root/sys.
I think the thing you are overlooking is that the /var/adm/loginlog file is written to by the login program, a program which is not used by sshd.
Hence, this file will be written to after 5 unsuccessful logins with telnet, rsh or on the console, but not by sshd, which uses different logging mechanisms.
7/M.
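Since sshd failures only reach syslog while login's failures reach both syslog and /var/adm/loginlog, a practitioner on such a box ends up summarising both files. The following is an added example, not from the original thread: a POSIX shell script with two awk-based summaries, one over /var/log/authlog lines (OpenSSH "Failed <method> for [invalid user ]USER from HOST ..." lines and Solaris login "LOGIN FAILURE ON tty FROM host, user" lines) and one over /var/adm/loginlog records (user:tty:time per the loginlog(4) format). The sample log lines are constructed for the example; the Solaris msgid tags and the login(1) message wording are assumptions, not copied from a real box.

```shell
#!/bin/sh
# Added example (not from the original thread): count failed logins per user
# from /var/log/authlog style lines and from /var/adm/loginlog records.

# Per-user failure counts from authlog-style syslog lines. Reads files given as
# arguments, or stdin. Output: "user sshd=N login=M", one line per user, sorted.
failed_login_summary() {
    awk '
        # OpenSSH: "Failed password|keyboard-interactive|publickey for [invalid user ]USER from HOST port N ssh2".
        # "Failed none for ..." is deliberately excluded: OpenSSH logs it for the
        # client'"'"'s initial "none" probe on every session, successful ones included.
        / sshd\[[0-9]+\]: / && / Failed (password|keyboard-interactive|publickey) for / {
            s = $0
            sub(/.* Failed [a-z-]+ for /, "", s)
            sub(/^invalid user /, "", s)
            split(s, w, " ")
            sshd[w[1]]++
            next
        }
        # Solaris login(1) via telnet/rsh/console (assumed wording):
        # "login: ... LOGIN FAILURE ON /dev/pts/N FROM host, USER"
        / login: / && / LOGIN FAILURE ON / {
            login[$NF]++
            next
        }
        END {
            for (u in sshd) seen[u] = 1
            for (u in login) seen[u] = 1
            for (u in seen) printf "%s sshd=%d login=%d\n", u, sshd[u] + 0, login[u] + 0
        }
    ' "$@" | sort
}

# Per-user counts from /var/adm/loginlog records: "user:tty:time" (loginlog(4)).
# Note this file only gets anything at all after five consecutive failures by login.
loginlog_summary() {
    awk -F: 'NF >= 3 { n[$1]++ } END { for (u in n) printf "%s %d\n", u, n[u] }' "$@" | sort
}

# Constructed sample input (NOT a real capture). Msgid tags are approximate.
SAMPLE_AUTHLOG='Nov 26 09:17:01 testbox sshd[4321]: [ID 800047 auth.notice] Failed none for rdrollin from 192.0.2.5 port 49152 ssh2
Nov 26 09:17:03 testbox sshd[4321]: [ID 800047 auth.notice] Failed keyboard-interactive for rdrollin from 192.0.2.5 port 49152 ssh2
Nov 26 09:17:09 testbox sshd[4321]: [ID 800047 auth.notice] Failed password for rdrollin from 192.0.2.5 port 49152 ssh2
Nov 26 09:18:40 testbox sshd[4330]: [ID 800047 auth.notice] Failed password for invalid user admin from 198.51.100.7 port 3022 ssh2
Nov 26 09:19:12 testbox sshd[4331]: [ID 800047 auth.info] Accepted password for rdrollin from 192.0.2.5 port 49160 ssh2
Nov 26 09:20:01 testbox login: [ID 143248 auth.notice] LOGIN FAILURE ON /dev/pts/3 FROM 192.0.2.5, rdrollin'

SAMPLE_LOGINLOG='rdrollin:/dev/pts/3:Mon Nov 26 09:20:01 2007
rdrollin:/dev/pts/3:Mon Nov 26 09:20:05 2007
rdrollin:/dev/pts/3:Mon Nov 26 09:20:09 2007
rdrollin:/dev/pts/3:Mon Nov 26 09:20:13 2007
rdrollin:/dev/pts/3:Mon Nov 26 09:20:17 2007'

demo_authlog() { printf '%s\n' "$SAMPLE_AUTHLOG" | failed_login_summary; }
demo_loginlog() { printf '%s\n' "$SAMPLE_LOGINLOG" | loginlog_summary; }

if [ "${1:-}" = "--demo" ]; then
    demo_authlog
    demo_loginlog
fi
```

Run it as `sh script.sh --demo` for the constructed sample, or feed real files: `failed_login_summary /var/log/authlog` and `loginlog_summary /var/adm/loginlog`. The two counts are expected to differ on purpose: the loginlog total only reflects login, and only once a burst of five failures has happened.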