16

I am learning Debian on a Raspberry Pi. I installed 'logwatch' and 'fail2ban' recently, and those two were working great!

A few days ago I spotted that I don't have an "auth.log" file, but I do have "auth.log.gz1" etc. (so archived data).

I used the command:

touch auth.log

to create this file, then chown root:adm to change its permissions.

However, this file is still not working - I can't see any entries in it for the last 2 days, even though I was logging in through SSH.

Can you advise:

  1. Why is this file gone? Where should I look for the reason?
  2. How do I fix the issue, so that all my SSH connections (and attacks) will be recorded?

PS.

pi@pi ~ $ uname -a

Linux pi.local 3.10.25+ #622 PREEMPT Fri Jan 3 18:41:00 GMT 2014 armv6l GNU/Linux

Timo
Adam

4 Answers

14

I got bitten by this when I tried to configure fail2ban on a "minimal" Ubuntu 20.04 LTS image. On Ubuntu fail2ban looks for authentication events in /var/log/auth.log. However, in the "minimal" image only the systemd "journal" facility is available, the file auth.log is missing and then fail2ban won't start. To get the good old log files back, I installed rsyslog:

sudo apt-get install rsyslog

and then fail2ban started working properly.

Credit where credit is due: the idea for this solution came from @Bloodden's answer which seems to be somewhat unfairly voted down...

13

From Debian 8 (Jessie), systemd is installed by default. There is, by default, no more /var/log/auth.log. You can view the log of sshd with the following command:

journalctl -u ssh.service
  • Put a -f on the end for a tail -f experience. – dhempler Oct 04 '23 at 14:00
  • This is not precise, the relevant change is from Debian 12 (bookworm). "From bookworm, rsyslog is no longer installed by default" (https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#changes-to-system-logging) – gentooise Mar 05 '24 at 12:17
  • @gentooise I'm not convinced by your statement. Debian 12 was released in 2023, but the question is from 2014 and the answer from 2017. – Ortomala Lokni Mar 05 '24 at 21:30
  • I'm on Fedora 39, and the correct command seems to be journalctl -u sshd.service now. – Fred Qian Mar 10 '24 at 20:34
5

Creating the file manually won't do anything: if the logging system wants to use the file, it will create it.

Perhaps as part of the package installation or perhaps as part of some other configuration, you've somehow changed the configuration of your logging system. By default, Debian uses sysklogd, configured via /etc/syslog.conf, and auth.log comes from a line

auth,authpriv.*                 /var/log/auth.log

Maybe you modified /etc/syslog.conf, or maybe you switched to rsyslog (which is a lot more powerful than sysklogd, but also bigger and more complex).
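
A way to check the point made in the answers above, as an added example that is not part of any answer on this page: it scans sysklogd/rsyslog-style config files for the rule that feeds auth.log and falls back to the journalctl hint when none exists. The function names, the sample configs and the narrowing to explicit auth/authpriv selectors in the traditional "selector action" syntax are assumptions of this example.

```shell
# Added example: find the syslog rule that should feed auth.log.
# Prints the file each explicit auth/authpriv selector writes to.
auth_log_targets() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            awk '
                /^[ \t]*(#|$)/ { next }            # comments, blank lines
                NF >= 2 && $2 ~ /^-?\// {          # action is a file path
                    n = split($1, sel, ";")
                    for (i = 1; i <= n; i++) {
                        split(sel[i], part, "[.]") # facilities . priority
                        if (part[2] == "none") continue
                        if (("," part[1] ",") ~ /,(auth|authpriv),/) {
                            path = $2; sub(/^-/, "", path)
                            print path; break
                        }
                    }
                }' "$f"
        fi
    done
}

# Report where auth events go for a config root (default /etc).
diagnose_auth_log() {
    root=${1:-/etc}
    targets=$(auth_log_targets "$root/syslog.conf" "$root/rsyslog.conf" \
                               "$root"/rsyslog.d/*.conf)
    if [ -n "$targets" ]; then
        echo "auth/authpriv -> $targets"
    else
        echo "no auth/authpriv file rule under $root;" \
             "use journalctl -u ssh.service or install a syslog daemon"
        return 1
    fi
}

# Constructed sample configs (not taken from a real host).
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/ok" "$SAMPLE/bad"
printf '%s\n' '# constructed' 'auth,authpriv.*    /var/log/auth.log' \
    '*.*;auth,authpriv.none  -/var/log/syslog' > "$SAMPLE/ok/rsyslog.conf"
printf '%s\n' '#auth,authpriv.*   /var/log/auth.log' \
    '*.*;auth,authpriv.none  -/var/log/syslog' > "$SAMPLE/bad/syslog.conf"

diagnose_auth_log "$SAMPLE/ok"
diagnose_auth_log "$SAMPLE/bad" || true
```

On a real host, run `diagnose_auth_log` with no argument to inspect /etc; a rule being present does not prove the daemon is running, so check that separately.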

3

Install syslog-ng:

apt-get install syslog-ng
Stephen Kitt