Discussion:
Missing auth.log
Maxe
2018-11-16 00:43:17 UTC
Hi,

One of our systems, running Arch Linux, was compromised (a
non-privileged account, fortunately). But, we could not find
/var/log/auth.log or similar for investigation. Does the journal keep
track of login attempts? It seems that Arch does not run [r]syslogd.

Best regards,
Maxe
***@nuts-edu.no
Leonid Isaev via arch-general
2018-11-16 01:00:57 UTC
Hi,
Post by Maxe
One of our systems, running Arch Linux, was compromised (a non-privileged
account, fortunately). But, we could not find /var/log/auth.log or similar
for investigation. Does the journal keep track of login attempts? It seems
that Arch does not run [r]syslogd.
If you want authpriv messages, then run "journalctl SYSLOG_FACILITY=10". See
https://en.wikipedia.org/wiki/Syslog#Facility for mapping between numerical and
mnemonic facility IDs. Oh, and do install syslog-ng :)

Cheers,
--
Leonid Isaev
Maxe
2018-11-17 00:56:47 UTC
Hi,
Post by Leonid Isaev via arch-general
If you want authpriv messages, then run "journalctl
SYSLOG_FACILITY=10". See
https://en.wikipedia.org/wiki/Syslog#Facility for mapping between
numerical and mnemonic facility IDs. Oh, and do install syslog-ng :)
Post by Jonathon Fernyhough
Yes.
journalctl allows access to the logs from sshd, `journalctl -u sshd`
Thanks for your suggestions! They seem to work nicely.

Best regards,
Maxe

Jonathon Fernyhough
2018-11-16 01:04:02 UTC
Post by Maxe
Hi,
One of our systems, running Arch Linux, was compromised (a
non-privileged account, fortunately). But, we could not find
/var/log/auth.log or similar for investigation. Does the journal keep
track of login attempts?
Yes.

journalctl allows access to the logs from sshd, `journalctl -u sshd`

Also,

https://classic.startpage.com/do/search?q=arch+auth.log

points to:

https://wiki.archlinux.org/index.php/systemd#Facility
Post by Maxe
# journalctl SYSLOG_FACILITY=10
which is worth a go.
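Putting Leonid's `journalctl SYSLOG_FACILITY=10` and Jonathon's `journalctl -u sshd` together, here is a small triage script as an added example (written for this page; it is not code from the thread, from Arch or from systemd). `gather_auth_log` reads the live journal, taking the union of authpriv (facility 10) and sshd.service messages, since PAM, login and su messages land in authpriv while `-u sshd` only shows the sshd unit. `summarize_auth` reduces journal lines on stdin to failed attempts per source address, invalid usernames tried, and every accepted login. The sample journal lines (hostname `archbox`, TEST-NET addresses, the `maxe` account) are constructed for illustration and are not data from the compromised machine.

```shell
#!/bin/sh
# Added example, not from the thread or from Arch: triage SSH login
# attempts out of the systemd journal instead of /var/log/auth.log.

# Live collection. "+" between match expressions is journalctl's OR, so
# this is the union of "journalctl SYSLOG_FACILITY=10" and
# "journalctl -u sshd". short-iso keeps a parseable timestamp per line.
gather_auth_log() {
    since="${1:-1 week ago}"
    journalctl --no-pager -o short-iso --since "$since" \
        SYSLOG_FACILITY=10 + _SYSTEMD_UNIT=sshd.service
}

# Summarise sshd lines (short or short-iso layout) read from stdin.
# Output is sorted under LC_ALL=C so two runs can be diffed.
summarize_auth() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { failed[$(i+1)]++; break }
        }
        /sshd\[[0-9]+\]: Invalid user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") { invalid[$(i+1)]++; break }
        }
        /sshd\[[0-9]+\]: Accepted/ { accepted[++n] = $0 }
        END {
            for (ip in failed)  printf "FAILED %s %d\n", ip, failed[ip]
            for (u in invalid)  printf "INVALID_USER %s %d\n", u, invalid[u]
            for (i = 1; i <= n; i++) print "ACCEPTED " accepted[i]
        }
    ' | LC_ALL=C sort
}

# Constructed sample in journalctl short-iso layout (hostname "archbox",
# TEST-NET addresses). Not real data from the compromised machine.
sample_journal() {
    cat <<'EOF'
2018-11-15T23:41:02+0000 archbox sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
2018-11-15T23:41:05+0000 archbox sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
2018-11-15T23:41:09+0000 archbox sshd[1236]: Invalid user admin from 203.0.113.7 port 51240
2018-11-15T23:41:11+0000 archbox sshd[1236]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
2018-11-15T23:50:30+0000 archbox sshd[1250]: Accepted password for maxe from 198.51.100.20 port 40022 ssh2
2018-11-15T23:51:00+0000 archbox sshd[1250]: pam_unix(sshd:session): session opened for user maxe by (uid=0)
2018-11-16T00:02:13+0000 archbox sshd[1262]: Failed password for maxe from 198.51.100.20 port 40100 ssh2
2018-11-16T00:02:20+0000 archbox sshd[1262]: Accepted publickey for maxe from 198.51.100.20 port 40100 ssh2
EOF
}

# Stand-alone run: summarise the constructed sample. Pass --live (and an
# optional --since value) on an Arch host to read the real journal.
if [ "${1:-}" = "--live" ]; then
    gather_auth_log "${2:-1 week ago}" | summarize_auth
else
    sample_journal | summarize_auth
fi
```

Two caveats before trusting what this prints on a real incident. The journal is only kept across reboots when /var/log/journal exists (Storage=persistent, or Storage=auto with that directory present, in journald.conf); otherwise it lives under /run/log/journal and is gone after a restart. And for investigation, copy the journal files off the box first and query the copy with `journalctl -D <dir>` rather than working on the live system.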