Hi. I'm seeing a lot of entries in /var/log/audit/audit.log with acct=28756E6B6E6F776E207573657229, which apparently means unknown user.
Sample from the logs:
type=USER_LOGIN msg=audit(1370998250.746:1622709): user pid=16762 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'
How do I track down what is causing this? Thus far I have had no luck using the pid with ps or lsof, as it seems the process has gone by the time I respond to the log entries.
Thanks G
Gregory Machin wrote:
> Hi. I'm seeing a lot of entries in /var/log/audit/audit.log with acct=28756E6B6E6F776E207573657229, which apparently means unknown user.
> Sample from the logs:
> type=USER_LOGIN msg=audit(1370998250.746:1622709): user pid=16762 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'
> How do I track down what is causing this? Thus far I have had no luck using the pid with ps or lsof, as it seems the process has gone by the time I respond to the log entries.
It looks like a failed login attempt through ssh, but I would check /var/log/secure, which may be more explicit.
Hi.
Thank you for the response.
All I see in the /var/log/secure that ties up with these logs, based on time stamps, are lines like this: "sshd[5343]: Connection closed by 127.0.0.1". Other than that I don't see much else.
Thanks
G
On Wed, Jun 12, 2013 at 9:40 PM, Nicolas Thierry-Mieg <Nicolas.Thierry-Mieg@imag.fr> wrote:
> Gregory Machin wrote:
> > Hi. I'm seeing a lot of entries in /var/log/audit/audit.log with acct=28756E6B6E6F776E207573657229, which apparently means unknown user.
> > Sample from the logs:
> > type=USER_LOGIN msg=audit(1370998250.746:1622709): user pid=16762 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'
> > How do I track down what is causing this? Thus far I have had no luck using the pid with ps or lsof, as it seems the process has gone by the time I respond to the log entries.
> It looks like a failed login attempt through ssh, but I would check /var/log/secure, which may be more explicit.
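
Added example, not part of the original thread: a small Python parser that decodes the hex-encoded acct field of USER_LOGIN audit records and counts failed logins by account, source address and executable, so recurring sources stand out even after the short-lived sshd child process has exited. The first sample record is the one quoted in the thread; the other two records, the account name "alice" and the address 192.0.2.10 are constructed for illustration, and the parser assumes acct values are either double-quoted or hex-encoded.

```python
import re
from collections import Counter

# First record is from the thread; the other two are constructed samples.
SAMPLE = """\
type=USER_LOGIN msg=audit(1370998250.746:1622709): user pid=16762 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1370998311.102:1622733): user pid=16801 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1370998400.310:1622790): user pid=16850 uid=0 auid=500 ses=12 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def decode_acct(raw):
    """Quoted values are literal; unquoted all-hex values are hex-encoded text."""
    if raw.startswith('"'):
        return raw.strip('"')
    if HEX.fullmatch(raw):
        try:
            return bytes.fromhex(raw).decode("utf-8")
        except UnicodeDecodeError:
            pass  # not valid text: keep the raw value
    return raw

def parse_record(line):
    """Extract the fields needed for triage from one audit.log line."""
    # Drop the single quotes around the inner msg='...' so its fields parse too.
    fields = dict(FIELD.findall(line.replace("'", " ")))
    stamp = re.search(r'audit\((\d+)\.\d+:(\d+)\)', line)
    return {
        "type": fields.get("type"),
        "time": int(stamp.group(1)) if stamp else None,
        "serial": int(stamp.group(2)) if stamp else None,
        "pid": fields.get("pid"),
        "acct": decode_acct(fields.get("acct", "")),
        "exe": fields.get("exe", "").strip('"'),
        "addr": fields.get("addr"),
        "res": fields.get("res"),
    }

def failed_logins(text):
    """Count failed USER_LOGIN records by (account, source address, exe)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec["type"] == "USER_LOGIN" and rec["res"] == "failed":
            counts[(rec["acct"], rec["addr"], rec["exe"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in failed_logins(SAMPLE).most_common():
        print(n, key)
```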