Capture Failed Login Attempts 1

[tmorgan2512]

I need to audit failed login attempts on a new Solaris 10 server. Most logins are via SSH (putty). I have uncommented the line below in /etc/default/login and changed its value to =0.

SYSLOG_FAILED_LOGINS=0

Additionally I've created a loginlog file with the following permissions:

-rw------- 1 root sys 0 Dec 12 08:52 loginlog

Anything else I need to do? Restart syslog service?
I can't get anything to be recorded?

Thanks for the help

 

[Annihilannic]

Have you added any references to this new log file to /etc/syslog.conf? If not, syslog doesn't know that it exists... and doesn't know what kind of stuff you want to log in it.

You may wish to just use the preconfigured (but commented out) entry for /var/log/authlog. After any changes to /etc/syslog.conf you will need to pkill -HUP syslogd to make it re-read the configuration file.

Annihilannic.

 

[tmorgan2512]

Worked like a charm. It's logging to the /var/log/authlog file.