On Friday, October 24, 2014 03:15:39 PM Marko Weber | 8000 wrote:
> I installed audit on a Gentoo box.
> In the auditd.log it shows logins via ssh:
> type=LOGIN msg=audit(1413987302.466:14): pid=27091 uid=0
> old-auid=4294967295 auid=0 old-ses=4294967295 ses=7 res=1
> but in the logs I can't see failed logins.

Actual failed logins would be a USER_LOGIN event. You should be able to run
aureport --start today --login --failed
to see them. Note that auditd is about like syslog in that it does not
generate events, it records them. You may need to add --enable-audit when
building a number of packages to get the right support in place.
-Steve
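
Added example, not part of the original thread: a small Python parser that separates the kernel `LOGIN` record quoted above from userspace `USER_LOGIN` records and lists the failed ones, roughly what `aureport --login --failed` summarizes. The `USER_LOGIN` lines, addresses and account values are constructed sample data, and the field layout assumed here is the usual `key=value` form written by auditd.

```python
import re
from collections import Counter

# Constructed sample records in auditd.log layout (only the LOGIN line is from the thread).
SAMPLE_LOG = """\
type=LOGIN msg=audit(1413987302.466:14): pid=27091 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=7 res=1
type=USER_LOGIN msg=audit(1413987350.101:21): pid=27120 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1413987355.230:22): pid=27124 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1413987401.512:25): pid=27130 uid=0 auid=0 ses=8 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.0.2.20 addr=192.0.2.20 terminal=/dev/pts/1 res=success'
type=USER_LOGIN msg=audit(1413987420.007:27): pid=27141 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r"""(\w[\w-]*)=("[^"]*"|[^\s']+)""")

def parse_record(line):
    """Split one audit record into a dict; returns None for non-audit lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": int(m.group(2)), "serial": int(m.group(3))}
    for key, value in FIELD.findall(m.group(4)):
        rec[key] = value
    return rec

def decode(value):
    """Audit quotes safe strings and hex-encodes untrusted ones (e.g. with spaces)."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def failed_logins(log_text):
    """Return (serial, account, source address) for each failed USER_LOGIN."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "USER_LOGIN" and rec.get("res") == "failed":
            hits.append((rec["serial"], decode(rec.get("acct", "?")), rec.get("addr", "?")))
    return hits

def failures_by_source(log_text):
    """Count failed logins per source address."""
    return Counter(addr for _, _, addr in failed_logins(log_text))

if __name__ == "__main__":
    for serial, acct, addr in failed_logins(SAMPLE_LOG):
        print(f"event {serial}: failed login for {acct!r} from {addr}")
```

If the log contains only `LOGIN` records, as in the question, `failed_logins` returns an empty list: the failure events have to be emitted by the login program itself.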