/var/log/auth.log not logging failed ssh attempts
Solution 1:
The LogLevel generally (apparently application dependent) refers to one of the defined severity levels supported by the system logging process (syslog). So change it back and restart the sshd server.
Now if you are not getting the output, you need to look at the system /etc/syslog.conf and see what MINIMUM loglevel the AUTH type of requests are being logged and to what file. The errors might be going to a different log file. OR you might not be logging these errors due to the syslog.conf configuration for the AUTH service. For more information consult the man pages on and syslog.conf.
Solution 2:
When I had the same problem on Debian, I found I had to restart rsyslogd:
/etc/init.d/rsyslog restart
(Your syslogd program may vary.)
The it started writing to /var/log/auth.log again.
Perhaps it had stopped logging after a disk full event, I'm not sure.
See also: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1059854/comments/9
Solution 3:
In my case there was no diskspace on left on the root file-system /
, which you can check for with df -h
Solution 4:
In my case the problem was with the ownership of the /var/log/auth.log
file. It was owned by root:root
but must be syslog:adm
. Change with
sudo chown syslog:adm /var/log/auth.log
It appears to be a common problem with the newly created systems - there were more log files, which had this issue.