[SOLVED] login log

I have been trying to set up fail2ban and it turns out that login attempts are not being logged to /var/log/auth.log cause it does not exist. Do you have this info going someplace else I can set fail2ban to examine?



Edited 1 time(s). Last edit at 07/29/2016 05:31AM by feas.

feas Wrote:
-------------------------------------------------------
> I have been trying to set up fail2ban and it turns
> out that login attempts are not being logged to
> /var/log/auth.log cause it does not exist. Do you
> have this info going someplace else I can set
> fail2ban to examine?

My roofs is set to use busybod-syslogd to log system messages to RAM (/tmp). Look into that to see if the auth.log was affected.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)

If you set it in busybox I would have to compile my own busybox with the settings to to write a log file elsewhere right?
Which may explain why I do not see a syslogd.conf anywhere to modify it.

So am I Cold... Hot... How do you remember to breathe?

EDIT:

So the work around I came up with is to add the following to rc.local: /sbin/syslogd -O /var/log/auth.log || exit 1

Is there a better way to do this other than recompile busy box with my settings?



Edited 1 time(s). Last edit at 07/28/2016 10:16PM by feas.

feas Wrote:
-------------------------------------------------------
> If you set it in busybox I would have to compile
> my own busybox with the settings to to write a log
> file elsewhere right?
> Which may explain why I do not see a syslogd.conf
> anywhere to modify it.
>
> So am I Cold... Hot... How do you remember to
> breathe?
>
> EDIT:
>
> So the work around I came up with is to add the
> following to rc.local: /sbin/syslogd -O
> /var/log/auth.log || exit 1
>
> Is there a better way to do this other than
> recompile busy box with my settings?

No need to recompile anything. As with any Linux daemon, there is a config file. Somewhere in the forum I have instruction how to switch back to logging to disk /var/log.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)

syslogd -h
syslogd: invalid option -- 'h'
BusyBox v1.22.1 (Debian 1:1.22.0-9+deb8u1) multi-call binary.

Usage: syslogd [OPTIONS]

System logging utility
(this version of syslogd ignores /etc/syslog.conf)

-n Run in foreground
-O FILE Log to FILE (default:/var/log/messages)
-l N Log only messages more urgent than prio N (1-8)
-S Smaller output
-R HOST[:PORT] Log to HOST:PORT (default PORT:514)
-L Log locally and via network (default is network only if -R)
-C[size_kb] Log to shared mem buffer (use logread to read it)

I will search the forum though

feas ,

Here is the config file for syslogd. If that SYSLOG_OPTS line is commented out like below, then the system logging will be back to disk (var/log).

cat /etc/default/busybox-syslogd

# Defaults for busybox-syslogd initscript
# This is a POSIX shell fragment sourced by /etc/init.d/busybox-syslogd

# Additional options that are passed to the daemons.  Default is to log
# to ring buffer (to be read with logread(1)) and drop duplicates.
#SYSLOG_OPTS="-C128"
KLOG_OPTS=""

The auth.log might or might not be affected by this. So you should just try this to log the disk. And see if after a reboot, the auth.log will be used properly.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)

Thanks! I will give it a go and let you know. Sorry to be pain.

EDIT###

It did not write to /var/log/auth.log

I just changed it back and will use rc.local.



Edited 1 time(s). Last edit at 07/29/2016 01:53AM by feas.