[CentOS] Audit logs containing 28756E6B6E6F776E207573657229

Wed Jun 12 09:40:26 UTC 2013
Nicolas Thierry-Mieg <Nicolas.Thierry-Mieg at imag.fr>


Gregory Machin wrote:
> Hi.
> I'm seeing a lot of entries in /var/log/audit/audit.log
> acct=28756E6B6E6F776E207573657229, which apparently means unknown user.
>
> Sample from the logs:
> type=USER_LOGIN msg=audit(1370998250.746:1622709): user pid=16762 uid=0
> auid=4294967295 ses=4294967295 msg='op=login
> acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=?
> addr=127.0.0.1 terminal=ssh res=failed'
>
> How do I track down what is causing this? Thus far I have had no luck
> using the pid with ps or lsof, as it seems the process has gone by the
> time I respond to the log entries.

It looks like a failed login attempt through ssh, but I would check
/var/log/secure, which may be more explicit.
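
Added example, not part of the original messages: a Python parser that decodes the hex-encoded acct value from the quoted record (it comes out as "(unknown user)") and counts failed USER_LOGIN records per account and source address. The function names and the two extra sample records are constructed for illustration, and treating a bare all-hex acct value as hex-encoded is an assumption about the audit log format.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed input: the record quoted in the post, joined onto one line,
# followed by two invented records (addresses from documentation ranges).
SAMPLE = [
    "type=USER_LOGIN msg=audit(1370998250.746:1622709): user pid=16762 uid=0 "
    "auid=4294967295 ses=4294967295 msg='op=login "
    "acct=28756E6B6E6F776E207573657229 exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=127.0.0.1 terminal=ssh res=failed'",
    "type=USER_LOGIN msg=audit(1370998311.020:1622713): user pid=16790 uid=0 "
    "auid=4294967295 ses=4294967295 msg='op=login acct=\"root\" "
    "exe=\"/usr/sbin/sshd\" hostname=? addr=192.0.2.10 terminal=ssh res=failed'",
    "type=USER_LOGIN msg=audit(1370998340.500:1622720): user pid=16801 uid=0 "
    "auid=500 ses=12 msg='op=login acct=\"alice\" exe=\"/usr/sbin/sshd\" "
    "hostname=? addr=192.0.2.20 terminal=ssh res=success'",
]

FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|[^\s']+)")   # key=value or key="value"
STAMP = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")    # audit(epoch.ms:serial)
HEX = re.compile(r"(?:[0-9A-F]{2})+")

def decode_value(raw):
    """Quoted values are literal; a bare all-hex value is hex-encoded text."""
    if raw.startswith('"'):
        return raw.strip('"')
    if HEX.fullmatch(raw):  # heuristic: a bare name such as ABBA also matches
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_record(line):
    raw = dict(FIELD.findall(line))
    rec = {k: v.strip('"') for k, v in raw.items()}
    if "acct" in raw:  # decode acct only: numeric fields like auid look like hex
        rec["acct"] = decode_value(raw["acct"])
    m = STAMP.search(line)
    if m:
        rec["time"] = datetime.fromtimestamp(int(m.group(1)), timezone.utc).isoformat()
        rec["serial"] = int(m.group(2))
    return rec

def failed_logins(lines):
    """Count failed USER_LOGIN records per (account, source address)."""
    hits = Counter()
    for rec in map(parse_record, lines):
        if rec.get("type") == "USER_LOGIN" and rec.get("res") == "failed":
            hits[(rec.get("acct", "?"), rec.get("addr", "?"))] += 1
    return hits
```

`failed_logins` accepts any iterable of lines, so an open handle on /var/log/audit/audit.log can be passed in place of `SAMPLE`.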