I am learning Debian on RaspberryPI.
I've installed 'logwatch' and 'fail2ban' recently and those two were working great!
A few days ago I spotted that I don't have a file "auth.log" but I do have "auth.log.gz1" etc. (so archive data).
I've used the command:
touch auth.log
to create this file, then chown root:adm
to change its permissions.
However, this file is still not working – I can't see any entries in it for the last 2 days, even though I was logging in through SSH.
Can you advise:
- why is this file gone? Where should I look for the reasons?
- how to fix the issue, so all my SSH connections (and attacks) will be recorded?
PS.
pi@pi ~ $ uname -a
Linux pi.local 3.10.25+ #622 PREEMPT Fri Jan 3 18:41:00 GMT 2014 armv6l GNU/Linux
Best Answer
Creating the file manually won't do anything: if the logging system wants to use the file, it will create it.
Perhaps as part of the package installation or perhaps as part of some other configuration, you've somehow changed the configuration of your logging system. By default, Debian uses sysklogd, configured via /etc/syslog.conf, and auth.log comes from a line
Maybe you modified /etc/syslog.conf, or maybe you switched to rsyslog (which is a lot more powerful than sysklogd, but also bigger and more complex).
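One way to check the point the answer makes, that the syslog configuration decides where auth messages go: this is an added example, not part of the original answer. The function name `auth_log_targets` and the sample configuration are constructed for illustration; the sample is assumed to resemble a stock Debian selector file.

```shell
#!/bin/sh
# Added example: print the destination of every active rule that
# routes the auth or authpriv facility. Reads the files given as
# arguments, or stdin when none are given.
auth_log_targets() {
    awk '
        /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
        /^[ \t]*\$/    { next }   # skip rsyslog $Directive lines
        NF >= 2 {
            hit = 0
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++) {
                # each element is facility[,facility...].priority
                dot = index(sel[i], ".")
                if (dot == 0) continue
                facs = substr(sel[i], 1, dot - 1)
                prio = substr(sel[i], dot + 1)
                m = split(facs, f, ",")
                for (j = 1; j <= m; j++)
                    if (f[j] == "auth" || f[j] == "authpriv")
                        hit = (prio != "none")   # ".none" excludes the facility
            }
            # a leading "-" on the action only disables sync; strip it
            if (hit) { sub(/^-/, "", $2); print $2 }
        }
    ' "$@"
}

# Constructed sample configuration (not taken from a real system).
sample_conf() {
    cat <<'EOF'
# constructed sample in sysklogd/rsyslog selector syntax
$ModLoad imuxsock
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
EOF
}

# Healthy config: prints /var/log/auth.log
sample_conf | auth_log_targets
```

On a real system, pass the daemon's own files, for example `auth_log_targets /etc/syslog.conf` or `auth_log_targets /etc/rsyslog.conf /etc/rsyslog.d/*.conf`; empty output means no active rule writes SSH login events to a file.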