[PLUG] Where logwatch gets sshd data
Rich Shepard
rshepard at appl-ecosys.com
Tue Oct 20 14:54:03 UTC 2009
Yesterday a compromised host at a Canadian university was used in an
attempt to crack into our network. The information was in the sshd section
of logwatch's report.
I would like to send the admin there timestamped records from the raw log
file that show the attempts, but cannot locate the appropriate file in
/var/log/.
In /var/log/syslog.? there are references to sshd, but they all refer to
an inability to get shadow information for NOUSER. I cannot get results when
I grep for the domain name.
Where might logwatch be getting this detailed information? I cannot find
that in /etc/logwatch/logwatch.conf or the files in /usr/share/logwatch/,
and it's not in /var/log/syslog.1.
Rich
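Added example, not part of the original post: a small Python parser that pulls the timestamped sshd records the post is after out of syslog-format lines. It assumes the raw records are syslog lines (whichever file the system's syslog writes auth messages to), uses constructed sample lines, and matches on the source IP address rather than a domain name, since that is what sshd writes into its messages; the "Could not get shadow information for NOUSER" lines carry no address at all, which is why a grep for the remote host finds nothing in them.

```python
import re
from collections import Counter

# Constructed sample lines in syslog format (not from the original post).
SAMPLE_LOG = """\
Oct 19 03:12:44 gw sshd[2211]: Invalid user admin from 192.0.2.10
Oct 19 03:12:44 gw sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Oct 19 03:12:46 gw sshd[2213]: Failed password for root from 192.0.2.10 port 51240 ssh2
Oct 19 03:13:01 gw sshd[2215]: Could not get shadow information for NOUSER
Oct 19 04:00:00 gw sshd[2300]: Accepted publickey for rich from 198.51.100.7 port 40000 ssh2
Oct 19 04:00:03 gw cron[2301]: (root) CMD (run-parts /etc/cron.hourly)
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# sshd messages that name a remote user and the address it came from.
ATTEMPT_RES = [
    ("failed", re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("invalid", re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)")),
    ("accepted", re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
]

def parse_sshd_events(text):
    """Return one dict (ts, kind, user, src) per sshd line that names a source address."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not an sshd line
        for kind, pat in ATTEMPT_RES:
            a = pat.match(m.group("msg"))
            if a:
                events.append({"ts": m.group("ts"), "kind": kind,
                               "user": a.group("user"), "src": a.group("src")})
                break
        # Lines like "Could not get shadow information for NOUSER" carry no
        # source address, so nothing is recorded for them.
    return events

def attempts_from(text, src):
    """Timestamped records of every attempt from one address, ready to send to its admin."""
    return [f"{e['ts']} {e['kind']} user={e['user']}"
            for e in parse_sshd_events(text) if e["src"] == src]

def sources_by_failures(text):
    """Failed and invalid-user attempts per source address, most active first."""
    return Counter(e["src"] for e in parse_sshd_events(text)
                   if e["kind"] != "accepted").most_common()

if __name__ == "__main__":
    for rec in attempts_from(SAMPLE_LOG, "192.0.2.10"):
        print(rec)
    print(sources_by_failures(SAMPLE_LOG))
```

On a real system, read the file the local syslog configuration routes auth messages to and pass its contents as `text`.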