Hi. Thank you for the response. All I see in the /var/log/secure that ties up with these logs , based on time stamps are lines like this "sshd[5343]: Connection closed by 127.0.0.1" other than that I don't see much else. Thanks G On Wed, Jun 12, 2013 at 9:40 PM, Nicolas Thierry-Mieg < Nicolas.Thierry-Mieg at imag.fr> wrote: > > > Gregory Machin wrote: > > Hi. > > I'm seeing a lot of entries in /var/log/audit/audit.log > > acct=28756E6B6E6F776E207573657229 , which apparently means unknown user . > > > > Sample from the logs : > > type=USER_LOGIN msg=audit(1370998250.746:1622709): user pid=16762 uid=0 > > auid=4294967295 ses=4294967295 msg='op=login > > acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? > > addr=127.0.0.1 terminal=ssh res=failed' > > > > How do I track down what is causing this ? Thus far I have has not luck > > using the pid with ps or lsof as it seems the process has gone by the > > time I respond to the log entries. > > it looks like a failed login attempt through ssh, but I would check > /var/log/secure which may be more explicit > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos >