gentoo auditd not logging?

Steve Grubb sgrubb at redhat.com
Mon Oct 27 13:06:59 UTC 2014


On Friday, October 24, 2014 03:15:39 PM Marko Weber | 8000 wrote:
> I installed audit on a Gentoo box.
> In the auditd.log it shows logins via ssh:
> 
> type=LOGIN msg=audit(1413987302.466:14): pid=27091 uid=0
> old-auid=4294967295 auid=0 old-ses=4294967295 ses=7 res=1
> 
> But in the logs I can't see failed logins.

Actual failed logins would be a USER_LOGIN event. You should be able to run 

aureport --start today --login --failed

to see them. Note that auditd is about like syslog in that it does not 
generate events, it records them. You may need to add --enable-audit when 
building a number of packages to get the right support in place.

-Steve
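
Added example, not part of the original message or of the audit project's code: a small parser that picks failed USER_LOGIN records out of raw audit log text, to show why a log holding only LOGIN records yields no failed logins. The sample records are constructed, the function names are hypothetical, and the selection only approximates what the aureport command above reports.

```python
import re
import shlex

# Constructed sample records (not from the thread). The first mirrors the LOGIN
# record quoted above; the USER_LOGIN lines use documentation-range addresses.
SAMPLE_LOG = """\
type=LOGIN msg=audit(1413987302.466:14): pid=27091 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=7 res=1
type=USER_LOGIN msg=audit(1413987410.101:21): pid=27120 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1413987415.250:22): pid=27125 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1413987500.007:25): pid=27140 uid=0 auid=0 ses=8 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=/dev/pts/1 res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")


def parse_fields(text):
    """Split key=value pairs; user-space records nest theirs inside msg='...'."""
    fields = {}
    for token in shlex.split(text):
        key, sep, value = token.partition("=")
        if key == "msg" and "=" in value:
            fields.update(parse_fields(value))  # unwrap the quoted payload
        elif sep:
            fields[key] = value
    return fields


def parse_record(line):
    """Return a dict for one audit record, or None if the line is not one."""
    match = HEADER.match(line.strip())
    if match is None:
        return None
    rtype, seconds, serial, body = match.groups()
    record = parse_fields(body)
    record.update(type=rtype, time=int(seconds), serial=int(serial))
    return record


def failed_logins(log_text):
    """Select USER_LOGIN records whose result is 'failed'."""
    records = filter(None, map(parse_record, log_text.splitlines()))
    return [r for r in records
            if r["type"] == "USER_LOGIN" and r.get("res") == "failed"]


if __name__ == "__main__":
    for r in failed_logins(SAMPLE_LOG):
        print(r["serial"], r.get("acct", "?"), r.get("addr", "?"), r["res"])
```

If the login programs were built without audit support, no USER_LOGIN lines reach the log at all and this filter returns nothing, which matches the symptom in the question.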



