If you're hosted at TekTonic like I am on a Ubuntu 8.04 VPS, you may have noticed that your /var/log/auth.log file is empty.

According to the support forums, this is due to a VPS template issue regarding Parallels. Login attempts are actually being logged, just not in the right place due to a missing slash in the /etc/syslog.conf file.

To fix the problem, edit the syslog.conf file:

$ nano /etc/syslog.conf

You'll notice a number of places where the log file location is missing a slash between log and the filename. This causes a path like /var/log/auth.log to become /var/logauth.log.

See below:

auth,authpriv.*          -/var/logauth.log*.*;auth,authpriv.none          -/var/log/syslog#cron.*                  -/var/logcron.logdaemon.*                        -/var/log/daemon.logkern.*                          -/var/log/kern.loglpr.*                           -/var/log/lpr.logmail.*                          -/var/log/mail.loguser.*                          -/var/log/user.log

To fix, simply insert a slash (/) after the log part of the path in each entry that starts with /var/log but does not have a slash after /var/log part.

So an entry that looked like -/var/logauth.log becomes -/var/log/auth.log

There should be more stuffed entries lower down into the file, you may as well fix them too.

After saving the changes, restart the logging daemon with the following command:

$ /etc/init.d/sysklogd restart

To test that it has worked, type the following at the shell prompt:

$ tail -f /var/log/auth.log

Then open another SSL session and attempt a login. You should see the login attempt being logged in your already open session.

I am a software developer / architect currently interested in combining .NET technologies with open-source operating systems. 

I am a member of the open-source BlogEngine.NET development team and focus mainly on ensuring Mono compatibility for the project.



