I have an Ubuntu 14.04 server running a service, and I'm currently setting up some logging visualization, but I noticed my /var/log/auth.log is empty.
I assumed it wouldn't have much since I've disabled ssh connections other than using an ssh key. But I did expect there to be sshd logs. Is there somewhere else that I would see the logins using ssh keys, or is there something else happening I'm unaware of?
My ultimate goal is to have a log of every time someone tries to log in using the key, or without the key.
EDIT1
I see that there are auth.log backups, but they aren't recording ssh attempts, or successful ssh logins using keys. They only show CRON jobs.
I also elevated the sshd_config logging level to VERBOSE instead of INFO.
In Ubuntu systems, rsyslog handles system logging, redirecting output from several daemons (such as sshd) to their respective logs according to its config.
There are several config files that could affect the usage of the log file. I would start by debugging rsyslog, first checking its config at /etc/rsyslog.d (most likely 50-default.conf) and looking for a line that should look something like this:
If it's not set up to write to /var/log/auth.log, then you just found the problem: the output is going somewhere else. If not...
Next, check that rsyslog is actually running with `systemctl status rsyslog`; if it's not, it is possible something disabled it or it's not even present as a service. You can re-enable the daemon (if it's there) with `systemctl enable rsyslog`.
Also, your sshd config could be either disabling logging completely or overriding rsyslog's configuration. Check for `SyslogFacility` inside your sshd.conf, which could be redirecting the messages to another rsyslog facility; by default it should be `AUTH` (as in the line from the first step's config). Of course, `LogLevel` is also important, but you have it at `VERBOSE`, so that shouldn't be the problem.
For debugging sshd, you could try putting it in debug mode with `-d`, as stated in the man page:
Be careful while tweaking sshd if you are on an sshd connection, as you could, of course, end up locked out of the remote machine.
Another reason could be wrong ownership of the file.
Check the ownership of the file /var/log/auth.log.
If it's not owned by syslog:adm, then change it to syslog:adm:
sudo chown syslog:adm /var/log/auth.log
This fixed the issue for me in Ubuntu.
If you have no rsyslog, it may be because your Ubuntu is "minimized", and you usually see this message at login:
So just run `unminimize` and confirm.