Has anyone gotten logwatch to monitor failed login attempts on sshd? I have tried:

myhost:/etc/log.d/scripts# ./logwatch.pl --service secure --range all --detail high --print

myhost:/etc/log.d/scripts# ./logwatch.pl --service pam --range all --detail high --print

myhost:/etc/log.d/scripts# ./logwatch.pl --service pam_pwdb --range all --detail high --print

myhost:/etc/log.d/scripts# ./logwatch.pl --service pam_unix --range all --detail high --print

And I'm getting no results. This should be a simple thing to do. Hmm...can anyone shed me some light? Thanks.

-twantrd

Never tried logwatch but how about grep -i ssh /var/log/auth.log as root.

Yes, you could just write a script to actually do the grepping itself for failed/illegal login attempts but then that defeats the purpose of logwatch as I want that to parse the logs for me.

I compiled logwatch from source and looks like it's following stupid redhat's directory structure for logs. Grrr..

-twantrd

Ahh, figured out the problem. Thanks anywayz.

-twantrd

care to share? I'm looking to do the same - both successful and failed ssh attempts.

If your distro is redhat, it should work out of the box as the sshd service looks for /var/log/secure for failed ssh attempts. My log file was /var/log/auth.log so I had to change /etc/log.d/conf/logfiles/secure.conf to point to /var/log/auth.log. That's pretty much it and just add the ssh service into logwatch.conf.

Oh yea, /etc/log.d/ was where I placed my logwatch files/scripts. Change that path to whatever yours is.

-twantrd