4

I am trying to look at failed SSH attempts, which I could do on a regular Ubuntu machine by looking at /var/log/auth.log.

I've taken a look at "Debian - auth.log missing from /var/log", and the WSL has no /etc/syslog.conf, nor does journalctl return any entries.

Why does the WSL not have auth.log and how can I monitor SSH attempts?

  • What about /var/log/secure? – Peschke May 15 '19 at 04:12
  • @Peschke said file does not exist as well – lostlostlostlostlost May 15 '19 at 04:16
  • How is the SSH service started? – muru May 15 '19 at 05:58
  • @muru service ssh start – lostlostlostlostlost May 15 '19 at 06:08
  • @lostlostlostlostlost if you run ssh with -vvv to get a detailed output can you see if it reports its logging? Alternatively, I have found this thread which appears related. – kemotep May 15 '19 at 13:51
  • @kemotep Have seen that thread, it's linked in the question. Thanks for the suggestion though. Do you mean to start the ssh service on the WSL with -vvv? – lostlostlostlostlost May 16 '19 at 02:32
  • Yes, use as many 'v's as possible to get as verbose an output of what ssh is doing. If you are using the OpenSSH Windows service then you would have to consult that documentation on where it gets saved. Part of your issue is that WSL1 is as much Linux as Wine is Windows. They plan to release WSL2 this summer that will be a full on Linux kernel running inside a virtual machine. Please confirm that you are using the Linux ssh inside WSL and not a version of ssh that can be used in PowerShell. If your Linux WSL ssh client is based on Debian's then you should be able to use journalctl – kemotep May 16 '19 at 12:42
  • @kemotep I confirm I am using WSL, not PowerShell with ssh. journalctl turns up empty entries. I've restarted my ssh service with -vvv, but still can't find any logs. – lostlostlostlostlost May 17 '19 at 00:56
  • So when you list all currently running services, systemd comes up empty or specifically only for ssh? Try debugging this to even prove that systemd is working and you can even get the expected output for another service. Once you can prove that journalctl works try increasing the logging level of ssh to debug or higher to see if you can get more information out of it. Here is the ssh manpage. – kemotep May 17 '19 at 13:16
  • Did you ever find the solution? – DisplayMyName Jun 04 '19 at 13:19

1 Answer

3

For some reason the rsyslog service is not running by default on WSL. Unfortunately, I couldn't find out why.

You can start it via: service rsyslog start

After starting the service you'll see /var/log/auth.log and /var/log/syslog files.

If you want to run it on every startup, I've found a couple of tutorials. E.g.: https://dev.to/ironfroggy/wsl-tips-starting-linux-background-services-on-windows-login-3o98

DzeryCZ
  • 131
  • If I had to guess, this is by design. There are some pretty glaring I/O issues in WSL that are being ironed out. The logging probably adds a pretty good load to an already slow platform. My guess is that it's off by default to improve performance. – Nilpo May 23 '22 at 10:41
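
An added example, not part of the original answer or its comments: once rsyslog is writing /var/log/auth.log as described in the answer, these shell functions count failed sshd password attempts per source address. The function names and the sample log lines are constructed for illustration, and the parser assumes the usual OpenSSH line layout "Failed password for USER from ADDR port N ssh2".

```shell
#!/bin/sh
# Added example: summarise failed SSH password logins from auth.log on WSL.

# Start rsyslog if it is not running (it is not started by default on WSL).
# Usually needs root.
ensure_rsyslog() {
    service rsyslog status >/dev/null 2>&1 || service rsyslog start
}

# Constructed sample of auth.log content (documentation addresses only).
sample_auth_log() {
    cat <<'EOF'
May 15 04:10:01 wsl sshd[101]: Failed password for root from 203.0.113.5 port 40022 ssh2
May 15 04:10:03 wsl sshd[101]: Failed password for root from 203.0.113.5 port 40022 ssh2
May 15 04:10:09 wsl sshd[102]: Invalid user admin from 198.51.100.7 port 51514
May 15 04:10:11 wsl sshd[102]: Failed password for invalid user admin from 198.51.100.7 port 51514 ssh2
May 15 04:11:00 wsl sshd[104]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
May 15 04:11:05 wsl sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
EOF
}

# Print "count address" for failed password attempts, busiest source first.
# Reads the files given as arguments, or standard input when there are none.
failed_ssh_by_source() {
    awk '
        # Field 5 is the syslog tag; keep only lines written by sshd.
        $5 !~ /^sshd\[[0-9]+\]:$/ { next }
        # "Invalid user" lines are skipped so each attempt is counted once.
        $6 == "Failed" && $7 == "password" && $8 == "for" {
            # Read the address from the fixed tail "from ADDR port N ssh2";
            # the user name before it is client-supplied text.
            if ($(NF - 4) == "from" && $(NF - 2) == "port")
                hits[$(NF - 3)]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a real system run:
#   ensure_rsyslog && failed_ssh_by_source /var/log/auth.log
sample_auth_log | failed_ssh_by_source
```
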