
Trying to get /var/adm/loginlog to work


cnurb

Oct 21, 2009, 3:45:19 PM
Running Solaris 10 on a Sparc and I want to log all failed login
attempts to /var/adm/loginlog.

Found an article from Sun and did:

- Type touch /var/adm/loginlog and press Return.
- Type chmod 700 /var/adm/loginlog and press Return.
- Type chgrp sys /var/adm/loginlog and press Return.

Also edited /etc/syslog.conf and added:

auth.notice;auth.crit;auth.info /var/adm/loginlog

Restarted syslog service:
svcadm disable svc:/system/system-log:default
svcadm enable svc:/system/system-log:default

Still nothing in loginlog.

Any ideas?
Carl

Richard B. Gilbert

Oct 21, 2009, 3:55:19 PM

You have given write access ONLY to root. I somehow doubt that user
logins are running as root!

cnurb

Oct 21, 2009, 4:06:49 PM
On Oct 21, 3:55 pm, "Richard B. Gilbert" <rgilber...@comcast.net>
wrote:

/var/adm/loginlog is a system (root) monitoring process. User logins
shouldn't be writing to it. I'm assuming that it takes the place of
/var/adm/messages (or something like that) which only root writes to.

cindy

Oct 21, 2009, 4:25:01 PM

Hi Carl,

Only the first 3 steps above should be required to log failed login
attempts, according to our documentation, here:

http://docs.sun.com/app/docs/doc/816-4557/secsys-1?a=view

However, I see that loginlog entries are only written after the fifth
failed attempt, like this:

# more /var/adm/loginlog
cindys:/dev/pts/3:Wed Oct 21 14:04:52 2009
cindys:/dev/pts/3:Wed Oct 21 14:05:02 2009
cindys:/dev/pts/3:Wed Oct 21 14:05:12 2009
cindys:/dev/pts/3:Wed Oct 21 14:06:11 2009
cindys:/dev/pts/3:Wed Oct 21 14:06:22 2009

This behavior is described in the doc section:

The loginlog file contains one entry for each failed attempt. Each
entry contains the user's login name, tty device, and time of the
failed attempt. If a person makes fewer than five unsuccessful
attempts, no failed attempts are logged.

Cindy
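
An added example, not part of Cindy's post or Sun's documentation: a small Python parser for the login:tty:time entries shown above, which groups them into runs of failed attempts per user and tty. The function names and the 10-minute gap are assumptions of this example; the sample data is the output quoted in the post plus one constructed malformed line.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The five entries quoted in the post above, plus one constructed malformed line.
SAMPLE = """\
cindys:/dev/pts/3:Wed Oct 21 14:04:52 2009
cindys:/dev/pts/3:Wed Oct 21 14:05:02 2009
cindys:/dev/pts/3:Wed Oct 21 14:05:12 2009
cindys:/dev/pts/3:Wed Oct 21 14:06:11 2009
cindys:/dev/pts/3:Wed Oct 21 14:06:22 2009
not a loginlog line
"""

def parse_entry(line):
    """Return (login, tty, datetime), or None if the line is malformed."""
    try:
        # The timestamp contains colons too, so split on the first two only.
        login, tty, stamp = line.strip().split(":", 2)
        when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return login, tty, when

def bursts(lines, gap=timedelta(minutes=10)):
    """Return (login, tty, first, last, count) per run with no pause > gap."""
    # The 10-minute default is an assumption of this example, not a Solaris value.
    by_key = defaultdict(list)
    for line in lines:
        entry = parse_entry(line)
        if entry:
            by_key[entry[:2]].append(entry[2])
    out = []
    for (login, tty), times in sorted(by_key.items()):
        times.sort()
        start = prev = times[0]
        count = 0
        for t in times:
            if t - prev > gap:
                # Pause longer than gap: close the current run, start a new one.
                out.append((login, tty, start, prev, count))
                start, count = t, 0
            prev = t
            count += 1
        out.append((login, tty, start, prev, count))
    return out

if __name__ == "__main__":
    for login, tty, first, last, n in bursts(SAMPLE.splitlines()):
        print(f"{login} on {tty}: {n} failed attempts, {first} to {last}")
```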

cnurb

Oct 21, 2009, 5:09:45 PM

Cindy,
Thanks for the info but I forgot an important piece of info in my
post.

I want to track failed ssh logins. I know that they were being tracked
in my /var/adm/auth_audit log. But I want the failures to go to
/var/adm/loginlog instead.
Can loginlog track these?
Carl

cindy

Oct 21, 2009, 6:08:43 PM

Hi Carl,

I don't think loginlog is robust enough to log failed ssh attempts.

The loginlog man page was last updated in 1990 so I don't think that
it is compatible with ssh.

Cindy

webjuan

Oct 21, 2009, 10:03:25 PM

Perhaps this post can point you in the right direction:

http://forums.sun.com/thread.jspa?threadID=5073829

Juan
