If you're hosted at TekTonic like I am on a Ubuntu 8.04 VPS, you may have noticed that your /var/log/auth.log file is empty.
According to the support forums, this is due to a VPS template issue regarding Parallels. Login attempts are actually being logged, just not in the right place due to a missing slash in the /etc/syslog.conf file.
To fix the problem, edit the syslog.conf file:
$ nano /etc/syslog.conf
You'll notice a number of places where the log file location is missing a slash between log and the filename. This causes a path like /var/log/auth.log to become /var/logauth.log.
See below:
auth,authpriv.* -/var/logauth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* -/var/logcron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
To fix, simply insert a slash (/) after the log part of the path in each entry that starts with /var/log but does not have a slash after /var/log part.
So an entry that looked like -/var/logauth.log becomes -/var/log/auth.log
There should be more stuffed entries lower down into the file, you may as well fix them too.
After saving the changes, restart the logging daemon with the following command:
$ /etc/init.d/sysklogd restart
To test that it has worked, type the following at the shell prompt:
$ tail -f /var/log/auth.log
Then open another SSL session and attempt a login. You should see the login attempt being logged in your already open session.