/var/log/message or /var/log/secure for ssh inform...

jose_maria_gonz · ‎08-16-2009

Hi There,

I just wanted to confirm with you if ssh information is recorded onto /var/log/message or /var/log/secure.

According to VMware documentation ssh activity is recorded onto /var/log/secure but my environment shows the opposite. None ssh activity was recorded in /var/log/secure

# tail -f /var/log/messages

Aug 16 11:25:14 esx1 sshd[2794]: Connection from 192.168.147.128 port 2725

Aug 16 11:25:20 esx1 sshd[2794]: Accepted password for root from 192.168.147.128 port 2725 ssh2

Aug 16 11:25:20 esx1 sshd(pam_unix)[2794]: session opened for user root by (uid=0)

Saludos,

Jose Maria Gonzalez,

-

http://www.JmGVirtualConsulting.com

http://www.josemariagonzalez.es

VMware vExpert 2009

Co-autor del Libro <a href="http://www.amazon.com/Administrando-VMware-Recovery-Manager-Actualizaci%C3%B3n/dp/B002AD5KUA/ref=sr_1_3?ie=UTF8&s=books&qid=1244230201&sr=8-3" target="_blank">VMware Site Recovery Manager 1.0 update1</a>

-

If you find this or any other answer useful please consider awarding points by marking the answer helpful or correct.

<a href="http://feedproxy.google.com/ElBlogDeVirtualizacionEnEspanol">!http://feedproxy.google.com/ElBlogDeVirtualizacionEnEspanol.2.gif!</a>

AndreTheGiant · ‎08-16-2009

The file is /var/log/message.

In /etc/ssh/sshd_config you can see that log go into "auth" facility.

But in /etc/syslog.conf there is a specific file for "auth" (that is different from "authpriv"), so the valid match is "*.info" -> /var/log/message

Andre

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro

jose_maria_gonz · ‎08-16-2009

Thanks Andre for your prompt reply and for confirming that, much appreciated. I guess VMware should them amend the official documentation for the Deploy, Secure and Analyze training material. (see Module 8: slide 16.