On Friday, October 24, 2014 03:15:39 PM Marko Weber | 8000 wrote:
> I installed audit on a Gentoo box.
> In the auditd.log it shows logins via ssh:
>
> type=LOGIN msg=audit(1413987302.466:14): pid=27091 uid=0
> old-auid=4294967295 auid=0 old-ses=4294967295 ses=7 res=1
>
> but in the logs I can't see failed logins.

Actual failed logins would be a USER_LOGIN event. You should be able to run

    aureport --start today --login --failed

to see them. Note that auditd is about like syslog in that it does not generate
events, it records them. You may need to add --enable-audit when building a
number of packages to get the right support in place.

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
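
Added example (not part of the original thread and not code from the audit project): a small parser that separates the kernel LOGIN record quoted above from user-space USER_LOGIN records and counts the failed ones per account and source address. The sample records are constructed, and the names parse_record and failed_logins are hypothetical.

```python
import re
import shlex
from collections import Counter

# Constructed sample records (only the first comes from the post above).
# Addresses are from the documentation ranges.
SAMPLE_LOG = """\
type=LOGIN msg=audit(1413987302.466:14): pid=27091 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=7 res=1
type=USER_LOGIN msg=audit(1413987410.101:21): pid=27102 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1413987415.220:22): pid=27105 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1413987502.900:25): pid=27110 uid=0 auid=1000 ses=8 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=/dev/pts/1 res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")

def parse_record(line):
    """Return one audit record as a flat dict, or None if it is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": int(m.group(2)), "serial": int(m.group(3))}
    # shlex keeps the quoted msg='...' payload as a single token; user-space
    # events such as USER_LOGIN carry their details (acct, addr, res) inside it.
    for token in shlex.split(m.group(4)):
        key, sep, value = token.partition("=")
        if not sep:
            continue
        if key == "msg":
            for inner in shlex.split(value):
                k, s, v = inner.partition("=")
                if s:
                    rec[k] = v
        else:
            rec[key] = value
    return rec

def failed_logins(log_text):
    """Count failed USER_LOGIN events per (account, source address)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        # A LOGIN record only notes the auid/session assignment; its res=1 is
        # not a login verdict, so only USER_LOGIN with res=failed is counted.
        if rec and rec["type"] == "USER_LOGIN" and rec.get("res") == "failed":
            counts[(rec.get("acct", rec.get("id", "?")), rec.get("addr", "?"))] += 1
    return counts

if __name__ == "__main__":
    for (acct, addr), n in failed_logins(SAMPLE_LOG).items():
        print(f"{n} failed login(s) for {acct} from {addr}")
```

If the count is empty on a real log, check first whether any USER_LOGIN records exist at all, since the reply above notes that the login program must be built with audit support to emit them.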
