Page MenuHomeVyOS Platform

no authorization logs
Closed, ResolvedPublicBUG

Description

command: show log authorization
shut be show authorization log but from time install 1.2.0-rc4 is not logging

I set in configuration facility authorization to debug and still logging nor work

var/log/auth.log is not is not changed.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.2.0-rc4 and VyOS 1.2.0-rc5
Why the issue appeared?
Will be filled on close

Revisions and Commits

Event Timeline

madkazas updated the task description. (Show Details)
madkazas changed Version from VyOS 1.2.0-rc5 to VyOS 1.2.0-rc4 and VyOS 1.2.0-rc5.

Hi @madkazas,

logins or failed logins are already logged in it's default configuration.

e.g.

set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'

Successful login:

Nov 4 18:01:40 hostname sshd[2724]: Accepted password for vyos from 192.168.0.10 port 51600 ssh2
Nov 4 18:01:40 hostname sshd[2724]: pam_unix(sshd:session): session opened for user vyos by (uid=0)

Failed login (wrong password):

Nov 4 18:02:04 hostname sshd[2812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.10 user=vyos
Nov 4 18:02:06 hostname sshd[2812]: Failed password for vyos from 192.168.0.10 port 51602 ssh2
Nov 4 18:02:08 hostname sshd[2812]: Connection closed by 192.168.0.10 [preauth]

Please keep in mind, that all syslog messages got per default into /var/log/messages and can be picked up there.
You can also define your own destinations and it's logfile rotation (set system syslog file ... for instance), feel free to do that if you'd like to filter all logins into a separate file.

Can you please check that you see the login/failed logins in /var/log/messages?

thx

hagbard changed the task status from Open to On hold.Nov 4 2018, 6:08 PM
madkazas changed the task status from On hold to Open.EditedNov 4 2018, 9:22 PM

Hi
In /var/log/messages I see this messages (succes and faile login)

but command:

show log authorization

not read /var/log/messages - is read /var/log/auth.log
then command above never see any new messages

and maybe auth.loh should be deleted during building ... otherwise introduces misunderstanding
PS. Default configuration logrotate now have compress = off , is bug or shut be =on default ?

syncer triaged this task as Normal priority.Nov 4 2018, 10:44 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc7); removed VyOS 1.2 Crux.

I see.
Compress was never enabled, because of the 'show log' command.
Theoretically, it could be done but I'm not sure if it is really needed due to it's short rotation lifetime.
For the auth log issue, I need to discuss this internally first, I recommend to create your own file with the command I mentioned above if you want to have it logged separately.
Let me know if you need help accomplishing that.

https://github.com/vyos/vyatta-op/commit/3f33e3d1ce4e4a8dbcbdabd96763c87dfa4e2cff
Uses now journalctl to display all og messages as well as separate auth/authpriv messages.

hagbard added a commit: Restricted Diffusion Commit.Nov 7 2018, 9:41 PM
hagbard added a commit: Restricted Diffusion Commit.