Disable all rules/config; you have to make sure the events are not deleted before you try to log them somewhere else. Use the logger command (logger -p 'user.info') to verify that your syslog is logging the events at the correct level. If it is there, sshd is not sending it.
```
[@ ~]# logger -h

Usage:
 logger [options] [message]

Options:
 -T, --tcp             use TCP only
 -d, --udp             use UDP only
 -i, --id              log the process ID too
 -f, --file <file>     log the contents of this file
 -h, --help            display this help text and exit
 -S, --size <num>      maximum size for a single message (default 1024)
 -n, --server <name>   write to this remote syslog server
 -P, --port <port>     use this port for UDP or TCP connection
 -p, --priority <prio> mark given message with this priority
 -s, --stderr          output message to standard error as well
 -t, --tag <tag>       mark every line with this tag
 -u, --socket <socket> write to this Unix socket
 -V, --version         output version information and exit
```

-----Original Message-----
From: Wasil W. Siargiejczyk [mailto:[email protected]]
Sent: Monday, October 19, 2020 8:59 AM
To: Marc Roos; rsyslog
Subject: Re: [rsyslog] sshd doesn't show failed login attempts in syslog on CentOS 7

That's the problem, it doesn't appear anywhere.

```
$ cat /tmp/rsyslog-test/fac_authpriv
Oct 19 09:50:33 server04.company.name polkitd[18715]: Unregistered Authentication Agent for unix-process:8758:3414157689 (system bus name :1.3033641, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
```

As for that line, I have it:

```
$ cat /etc/rsyslog.conf | grep authpriv
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
```

11.10.2020 15:57, Marc Roos wrote:

> This line you need to have somewhere.
>
> authpriv.*    /var/log/secure
>
> What I always do to debug rsyslog is create such a config:
>
> [@ rsyslog.d]# cat /etc/rsyslog.d/00-debug-rsyslog.conf.bak
> *.=debug      /tmp/rsyslog-test/lev_debug
> *.=info       /tmp/rsyslog-test/lev_info
> *.=notice     /tmp/rsyslog-test/lev_notice
> *.=warn       /tmp/rsyslog-test/lev_warn
> *.=err        /tmp/rsyslog-test/lev_err
> *.=crit       /tmp/rsyslog-test/lev_crit
> *.=emerg      /tmp/rsyslog-test/lev_emerg
>
> auth.*        /tmp/rsyslog-test/fac_auth
> authpriv.*    /tmp/rsyslog-test/fac_authpriv
> cron.*        /tmp/rsyslog-test/fac_cron
> daemon.*      /tmp/rsyslog-test/fac_daemon
> ftp.*         /tmp/rsyslog-test/fac_ftp
> kern.*        /tmp/rsyslog-test/fac_kern
> lpr.*         /tmp/rsyslog-test/fac_lpr
> mail.*        /tmp/rsyslog-test/fac_mail
> news.*        /tmp/rsyslog-test/fac_news
> security.*    /tmp/rsyslog-test/fac_security
> syslog.*      /tmp/rsyslog-test/fac_syslog
> user.*        /tmp/rsyslog-test/fac_user
> uucp.*        /tmp/rsyslog-test/fac_uucp
>
> Then you know exactly where what ends up. Make sure your authpriv is
> not dropped somewhere and load it early.
>
> [@ rsyslog.d]# cat /etc/rsyslog.d/06-secure.conf
> authpriv.*    /var/log/secure

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
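Added example, not code from the rsyslog project or from anyone in this thread: a small Python model of the classic `facility.severity  target` selector lines quoted above. It decodes a message's numeric `<PRI>` into facility and severity, then evaluates the CentOS `/etc/rsyslog.conf` lines and the per-level/per-facility debug config to show which files a message lands in. Only the selector forms that appear in the thread are implemented (`*`, `=sev`, `none`, plain `sev`, with the sysklogd rule that a later selector on the same line overrides an earlier one for the facilities it names); treating `security` as the old alias for `auth`, the trimmed debug config, and the sshd "Failed password" wire line are assumptions and constructed samples. It makes concrete why a `logger -p user.info` test shows up in /var/log/messages while an sshd failure (facility authpriv) goes only to /var/log/secure, and why the debug config puts that same message in both lev_info and fac_authpriv.

```python
"""Simulate classic rsyslog/sysklogd selector lines to see where a message goes.

Added example; it is not rsyslog's own code and models only the selector
forms used in the thread: '*', '=sev', 'none' and a plain severity.
"""
import re

# Facility numbers from RFC 3164 / syslog(3). "security" is treated here as the
# old sysklogd alias for auth (assumption).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
    "security": 4,
}
SEVERITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warn": 4, "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
ALL_SEV = 0xFF  # bit i set means severity i is selected

# Lines quoted from the thread's /etc/rsyslog.conf on CentOS 7.
CENTOS_CONF = """
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                  /var/log/secure
"""

# Trimmed version of the 00-debug-rsyslog.conf from the thread (constructed subset).
DEBUG_CONF = """
*.=debug    /tmp/rsyslog-test/lev_debug
*.=info     /tmp/rsyslog-test/lev_info
*.=notice   /tmp/rsyslog-test/lev_notice
*.=err      /tmp/rsyslog-test/lev_err
auth.*      /tmp/rsyslog-test/fac_auth
authpriv.*  /tmp/rsyslog-test/fac_authpriv
user.*      /tmp/rsyslog-test/fac_user
"""

PRI_RE = re.compile(r"^<(\d{1,3})>")


def pri_from_wire(msg):
    """Extract the numeric <PRI> header from a raw syslog line."""
    m = PRI_RE.match(msg)
    if not m:
        raise ValueError("no <PRI> header on message")
    return int(m.group(1))


def split_pri(pri):
    """PRI = facility * 8 + severity, so decode it into (facility, severity)."""
    return pri >> 3, pri & 7


def pri_of(facility, severity):
    """Build the PRI that e.g. `logger -p user.info` would put on the wire."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def _severity_mask(spec):
    """Bit mask of severities selected by '*', 'none', '=info' or 'info'."""
    if spec == "*":
        return ALL_SEV
    if spec == "none":
        return 0
    if spec.startswith("="):            # exactly this severity
        return 1 << SEVERITIES[spec[1:]]
    if spec.startswith("!"):
        raise ValueError("'!' selectors are not modelled in this example")
    level = SEVERITIES[spec]            # this severity and anything more severe
    return sum(1 << s for s in range(level + 1))


def parse_rule(line):
    """Parse 'sel;sel;...  target' into ({facility_number: mask}, target)."""
    selectors, target = line.split(None, 1)
    masks = {}
    for sel in selectors.split(";"):
        facs, sev = sel.rsplit(".", 1)
        mask = _severity_mask(sev)
        fac_nums = range(24) if facs == "*" else [FACILITIES[f] for f in facs.split(",")]
        for f in fac_nums:
            masks[f] = mask             # later selectors override earlier ones
    return masks, target.strip()


def route(config, pri):
    """Return, in config order, every target a message with this PRI is written to."""
    fac, sev = split_pri(pri)
    targets = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        masks, target = parse_rule(line)
        if masks.get(fac, 0) & (1 << sev):
            targets.append(target)
    return targets


if __name__ == "__main__":
    # Constructed sample: an sshd authentication failure as it arrives on the wire.
    wire = "<86>Oct 19 09:50:33 server04 sshd[1234]: Failed password for invalid user test"
    pri = pri_from_wire(wire)
    print("sshd line is facility/severity", split_pri(pri))        # (10, 6) = authpriv.info
    print("CentOS conf routes sshd to", route(CENTOS_CONF, pri))    # only /var/log/secure
    print("CentOS conf routes `logger -p user.info` to",
          route(CENTOS_CONF, pri_of("user", "info")))                # /var/log/messages
    print("debug conf routes sshd to", route(DEBUG_CONF, pri))      # lev_info and fac_authpriv
```

The takeaway for the thread's debugging approach: if an sshd failure is genuinely emitted, the debug config must show it in both fac_authpriv and lev_info; an empty fac_authpriv (apart from polkitd noise) means the message never reached rsyslog, which is exactly the "sshd is not sending it" case rather than a routing problem.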

