This line you need to have somewhere.

```
authpriv.* /var/log/secure
```

What I always do to debug rsyslog is create a config like this:

```
[@ rsyslog.d]# cat /etc/rsyslog.d/00-debug-rsyslog.conf.bak
*.=debug /tmp/rsyslog-test/lev_debug
*.=info /tmp/rsyslog-test/lev_info
*.=notice /tmp/rsyslog-test/lev_notice
*.=warn /tmp/rsyslog-test/lev_warn
*.=err /tmp/rsyslog-test/lev_err
*.=crit /tmp/rsyslog-test/lev_crit
*.=emerg /tmp/rsyslog-test/lev_emerg
auth.* /tmp/rsyslog-test/fac_auth
authpriv.* /tmp/rsyslog-test/fac_authpriv
cron.* /tmp/rsyslog-test/fac_cron
daemon.* /tmp/rsyslog-test/fac_daemon
ftp.* /tmp/rsyslog-test/fac_ftp
kern.* /tmp/rsyslog-test/fac_kern
lpr.* /tmp/rsyslog-test/fac_lpr
mail.* /tmp/rsyslog-test/fac_mail
news.* /tmp/rsyslog-test/fac_news
security.* /tmp/rsyslog-test/fac_security
syslog.* /tmp/rsyslog-test/fac_syslog
user.* /tmp/rsyslog-test/fac_user
uucp.* /tmp/rsyslog-test/fac_uucp
```

Then you know exactly where what ends up. Make sure your authpriv is not dropped somewhere and load it early.

```
[@ rsyslog.d]# cat /etc/rsyslog.d/06-secure.conf
authpriv.* /var/log/secure
```

-----Original Message-----
From: Wasil W. Siargiejczyk via rsyslog [mailto:[email protected]]
Sent: Sunday 11 October 2020 10:51
To: [email protected]
Cc: Wasil W. Siargiejczyk
Subject: [rsyslog] sshd doesn't show failed login attempts in syslog on CentOS 7

After some tinkering with rsyslog, sshd no longer logs information about failed login attempts to syslog for some reason. I've returned both sshd and rsyslog configs back to where they were (I've checked with a command like `rpm -V $(rpm -qf /etc/ssh/sshd_config)`). However, there is still nothing in /var/log/secure, and journalctl -u sshd shows only:

```
Oct 02 12:59:29 server04.company.name systemd[1]: Starting OpenSSH server daemon...
Oct 02 12:59:29 server04.company.name systemd[1]: Started OpenSSH server daemon.
```

(In case you're wondering: I made a failed login attempt to check this.)

Is this some queue issue? How could I fix it (I'm okay with just clearing the queue altogether)?
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
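
An added example, not part of the thread and not rsyslog code: a small Python tracer for the advice above to make sure authpriv is not dropped somewhere before the `/var/log/secure` rule loads. It models only legacy `facility.priority action` lines, `& action` continuations and `stop`/`~` (no `!` negation, property filters or RainerScript), assumes the main config includes only `rsyslog.d/*.conf` in sorted order, and the `05-drop.conf` file and all contents of `SAMPLE` are constructed.

```python
import re

SEVERITIES = "emerg alert crit err warning notice info debug".split()  # most severe first
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg", "security": "auth"}
RULE = re.compile(r"^([\w*,=]+\.[\w*=]+(?:;[\w*,=]+\.[\w*=]+)*)\s+(\S.*)$")

def selector_matches(selector, facility, severity):
    """Evaluate a legacy 'fac.pri[;fac.pri...]' selector for one message."""
    level, matched = SEVERITIES.index(severity), False
    for part in selector.split(";"):
        facs, _, pri = part.partition(".")
        names = [ALIASES.get(f, f) for f in facs.split(",")]
        if "*" not in names and facility not in names:
            continue
        if pri in ("*", "none"):     # "none" removes the facility again
            matched = pri == "*"
            continue
        exact, pri = pri.startswith("="), pri.lstrip("=")
        want = SEVERITIES.index(ALIASES.get(pri, pri))
        if (level == want) if exact else (level <= want):
            matched = True           # plain "pri" means pri or more severe
    return matched

def trace(configs, facility, severity):
    """Return the (file, action) pairs a message reaches, in load order."""
    reached = []
    # Assumption: only rsyslog.d/*.conf is included, so a .conf.bak file is inert.
    for name in sorted(n for n in configs if n.endswith(".conf")):
        last = False
        for line in map(str.strip, configs[name].splitlines()):
            rule = RULE.match(line)
            if rule:                     # new selector line
                last, action = selector_matches(rule[1], facility, severity), rule[2]
            elif line.startswith("&"):   # "& action" reuses the previous selector
                action = line[1:].strip()
            else:
                continue                 # comments and directives are not modelled
            if last:
                reached.append((name, action))
                if action in ("stop", "~"):
                    return reached       # discarded: later files never see it
    return reached

# Constructed sample files (name -> contents), not taken from the thread.
SAMPLE = {
    "00-debug-rsyslog.conf.bak": "authpriv.* /tmp/rsyslog-test/fac_authpriv\n",
    "05-drop.conf": "auth,authpriv.*  /var/log/auth-copy\n& stop\n",
    "06-secure.conf": "authpriv.* /var/log/secure\n",
}
```

`trace(SAMPLE, "authpriv", "info")` ends at the `stop` in `05-drop.conf`, so the `06-secure.conf` rule is never reached; removing that file, or loading the secure rule from a file that sorts earlier, restores delivery to `/var/log/secure`.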

