Getting secure.log to Log authentication info
If you've ever left the Console application open on your Mac OSX Server you've probably seen that you can view many different logs that the system writes, pretty much in real time. I usually leave the Console open with three windows: one for system.log, one for console.log and one for secure.log.
The problem I had was that secure.log would tell me that something screwy was going on but wouldn't tell me who was doing it. In other words, the system doesn't record the source IP addresses in secure.log by default. This is something you must enable via the Terminal.
Today I'll show you the steps I used to get secure.log to show me who's trying to force their way into my servers, and believe me, there are lots of crazies out there doing this stuff.
These steps should work on Mac OSX Server 10.4.x and up and I'm pretty sure that they'll work for other versions as well. As always, use at your own risk.
Here's what ya do:
Open the terminal
Type this command:
sudo pico /etc/syslog.conf
Edit the section that looks like this:
authpriv.*;remoteauth.crit
Add "auth.info" to the end of that selector, separated by a semicolon, like this:
authpriv.*;remoteauth.crit;auth.info
This tells syslogd to also write auth.info messages, the authentication information you've been missing, to secure.log.
Press control-x to save and exit.
Then run this command:
ps -auwwwx | grep syslogd
You'll see the terminal return something like:
root 40 0.0 -0.0 27284 488 ?? Ss 16Oct06 1:15.57 /usr/sbin/syslogd
root 24559 0.0 -0.0 27812 264 p2 U+ 8:16AM 0:00.00 grep syslogd
Find the process that's running /usr/sbin/syslogd (PID 40 in this case), then enter:
kill -HUP 40
This command restarts syslogd so it can reload the config file we just edited.
Now IP addresses and attempted break-ins will all be logged in secure.log for you to view and act on appropriately.
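The same edit and syslogd reload, automated as an added example (not code from the original post). It assumes the secure.log line in /etc/syslog.conf has a selector field followed by whitespace and the target file /var/log/secure.log, since the post shows only the selector part; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: automates the syslog.conf edit.
# Assumed line shape in /etc/syslog.conf (the post shows only the selector):
#   authpriv.*;remoteauth.crit        /var/log/secure.log

# Print the config with ";auth.info" added to the selector of the line whose
# target is /var/log/secure.log. Idempotent: a selector that already contains
# auth.info is left alone. Every other line passes through untouched.
rewrite_syslog_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blank lines
        $NF == "/var/log/secure.log" {
            sel = $1                                # selector field
            if (";" sel ";" !~ /;auth\.info;/) sel = sel ";auth.info"
            printf "%s\t\t%s\n", sel, $NF
            next
        }
        { print }
    ' "$1"
}

# PID of the running syslogd, matched on the exact command path so that the
# matching process itself (the "grep syslogd" line in the post) is never picked up.
syslogd_pid() {
    ps -axww -o pid=,command= | awk '$2 == "/usr/sbin/syslogd" { print $1; exit }'
}

# Back up the config, rewrite it in place, then HUP syslogd so it reloads.
# Must run as root (sudo). Defaults to /etc/syslog.conf.
apply_auth_info() {
    conf=${1:-/etc/syslog.conf}
    cp "$conf" "$conf.bak" || return 1
    rewrite_syslog_conf "$conf.bak" > "$conf" || return 1
    pid=$(syslogd_pid)
    if [ -n "$pid" ]; then kill -HUP "$pid"; fi
}

# Usage: sudo sh enable_auth_info.sh --apply
if [ "${1:-}" = "--apply" ]; then apply_auth_info; fi
```

Running it twice is safe: the second pass finds auth.info already in the selector and leaves the file as it is.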