Just took a look at my server auth.log file for the first time in a few days, and noticed that it has no entries before 6:47 this morning.
This is really odd because I dumped that logfile to my laptop when I looked at it a couple of days before, and it was well over 2400 lines of cron jobs, break-in attempts etc.
When I ran cat /var/log/auth.log just now - I was expecting thousands of lines, and got about 50 lines of cron jobs, one break-in attempt and my latest ssh in.
Why has this happened? - Does Ubuntu periodically empty this file? Have I been hacked?
There is a cronjob in /etc/cron.daily (in CentOS anyway, may be different in Ubuntu) to run a tool called logrotate, which reads configuration from /etc/logrotate.d and handles the aging of system logs, etc.
Typically, a week's worth of logs are kept, rotated once daily. In modern implementations, you will see other files named /var/log/auth.log.[date]. Try doing:
There's log rotation, which happens typically in the morning (I believe the default is at or shortly after 06:25). It looks like you pulled the file shortly after logrotate ran.
Depending on the logrotate configuration, the previous day's file will be named /var/log/auth.log.1. Look for it there.
The logrotate configuration is in /etc/logrotate.d. The cron job for logrotate is in /etc/cron.daily, with scripts in that directory being run from /etc/crontab.
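To tell ordinary rotation apart from a log that has actually lost entries, the check below (an added example, not part of the original answers) orders every auth.log generation by its contents and reports any hole between the end of one file and the start of the next. The function names, the single-year assumption for the year-less syslog timestamps, and the two-hour quiet threshold are assumptions of this sketch; the sample log lines are constructed.

```python
import gzip
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Classic syslog prefix, e.g. "Mar  4 06:47:01" (the format carries no year).
STAMP = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")

def span(path, year):
    """Return (first_timestamp, last_timestamp, line_count) for one generation."""
    # logrotate's "compress" option leaves older generations gzipped.
    opener = gzip.open if path.suffix == ".gz" else open
    first = last = None
    count = 0
    with opener(path, "rt") as fh:
        for line in fh:
            count += 1
            m = STAMP.match(line)
            if m:
                last = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
                first = first or last
    return first, last, count

def rotation_report(log_dir, base="auth.log", year=2024, max_gap=timedelta(hours=2)):
    """Order all generations by content and flag holes between neighbours."""
    spans = [(p.name, *span(p, year)) for p in Path(log_dir).glob(base + "*")]
    spans = sorted((s for s in spans if s[1]), key=lambda s: s[1])
    gaps = [(a[0], b[0]) for a, b in zip(spans, spans[1:]) if b[1] - a[2] > max_gap]
    return spans, gaps

def demo():
    """Run the check on constructed sample logs (not taken from the page)."""
    older = "Mar  2 06:30:01 srv CRON[100]: session opened\nMar  3 06:20:01 srv sshd[200]: Failed password\n"
    prev = "Mar  3 06:26:10 srv CRON[300]: session opened\nMar  4 06:24:59 srv sshd[400]: Failed password\n"
    cur = "Mar  4 06:47:01 srv CRON[500]: session opened\nMar  4 09:12:44 srv sshd[600]: Accepted publickey\n"
    with tempfile.TemporaryDirectory() as d:
        with gzip.open(Path(d, "auth.log.2.gz"), "wt") as fh:
            fh.write(older)
        Path(d, "auth.log.1").write_text(prev)
        Path(d, "auth.log").write_text(cur)
        complete = rotation_report(d)
        Path(d, "auth.log.1").unlink()  # simulate a missing generation
        holed = rotation_report(d)
    return complete, holed

if __name__ == "__main__":
    for spans, gaps in demo():
        print([s[0] for s in spans], "gaps:", gaps)
```

On a real host, call rotation_report("/var/log") with the current year; an empty gap list with the rotated generations present matches the normal logrotate behaviour described above.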