7 Replies Latest reply: Jun 10, 2013 2:10 AM by billypalmier
Gnarlodious Level 4 (3,220 points)

Has anyone figured out where the Authentication Events are logged in 10.8? Remember it used to be at file

/var/log/secure.log

but is now gone. You could read the log and see who was attacking your stuff.

  • 1. Re: 10.8 Authentication Events log...
    Charel Level 1 (0 points)

    I'm missing secure.log, too, as I'm using Geektool to display several system files on my desktop.

    Bizarre that this change has not been reported more widely. I'd be interested in the cause that led Apple to change this also.

  • 2. Re: 10.8 Authentication Events log...
    Camelot Level 8 (45,790 points)

    All logging has been rolled into asl - the Apple System Log which is built on top of syslog but includes more options for filtering and querying the logs.

     

    man syslog has a lot of the details for querying the logs.

  • 3. Re: 10.8 Authentication Events log...
    Charel Level 1 (0 points)

    Thanks for the info.

     

    By using a shell command (syslog -C | tail -n 50) in Geektool I have my information back now.

     

    With an additional grep command I should be able to only show specific information.

  • 4. Re: 10.8 Authentication Events log...
    Gnarlodious Level 4 (3,220 points)

    Thanks, Camelot. I am having success with:

    syslog -k Time ge -24h | egrep -e 'sshd|ftpd|afp|vnc'

    The command lists all failed authentication attempts within the last 24 hours. There may be a regex solution for better extraction so if someone knows it then please post. Truth be told, the old log was much easier to read.
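
Added example, not part of the original thread: one way to do the extraction asked about above, as a shell function that takes the output of the syslog command and counts failed SSH password attempts per source address and user name. It assumes OpenSSH-style "Failed password for ... from ADDR port N ssh2" messages; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise failed SSH password attempts by source address and user.
# Assumes OpenSSH-style lines: "Failed password for [invalid user] NAME from ADDR port N ssh2".
# On the Mac: syslog -k Time ge -24h | failed_ssh_summary
# Output columns (tab separated): count, source address, user name.

failed_ssh_summary() {
    LC_ALL=C awk '
    # Anchor on the END of the line: the trailing " from ADDR port N ssh2" is
    # written by sshd, while NAME is chosen by the remote client and may
    # itself contain spaces or the word "from".
    /sshd\[[0-9]+\]/ && match($0, / from [^ ]+ port [0-9]+ ssh2$/) {
        split(substr($0, RSTART + 6, RLENGTH - 6), t, " ")   # t[1] = ADDR
        head = substr($0, 1, RSTART - 1)
        p = index(head, "Failed password for ")
        if (p == 0) next                      # e.g. "Accepted password ..."
        user = substr(head, p + 20)           # 20 = length of the marker
        sub(/^invalid user /, "", user)
        count[t[1] "\t" user]++
    }
    END { for (k in count) print count[k] "\t" k }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2 -k3,3
}

# Constructed sample input (documentation addresses), not real log data.
sample_lines() {
    cat <<'EOF'
Jun  9 14:02:11 myhost sshd[1234] <Info>: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun  9 14:02:15 myhost sshd[1234] <Info>: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun  9 14:02:40 myhost sshd[1236] <Info>: Failed password for root from 198.51.100.7 port 40022 ssh2
Jun  9 14:03:40 myhost sshd[1240] <Info>: Failed password for invalid user root from 198.51.100.9 port 22 ssh2 from 203.0.113.5 port 51240 ssh2
Jun  9 14:04:01 myhost sshd[1241] <Info>: Accepted password for alice from 192.0.2.10 port 50001 ssh2
EOF
}

sample_lines | failed_ssh_summary
```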

  • 5. Re: 10.8 Authentication Events log...
    kullerhamPster Level 1 (10 points)

    Is there a way to query for local logins, especially for the number of failed attempts to log in?

    I used the Console.app to view the logs, but only found some strange Kerberos-messages (that don't seem to depend on whether you got your password right on the first attempt).

  • 6. Re: 10.8 Authentication Events log...
    Caligula AVG Level 1 (0 points)

    I've also noticed this and have found NO workaround which gives me the information that secure.log did. Perhaps there is a third party security logging program that might work around this obvious screwup? I've heard of security through obscurity, but it's usually your security you're trying to make obscure for someone else, not for the system operator.

    Apple, please put secure.log back, the replacements for it you've created may tell me that someone is attacking me, but they won't tell me WHO.

    I use OS X because I didn't NEED an intermediate firewall between my switch and the network connection, are you now telling me I have to buy an entire new MacPro just to monitor the traffic along the line to my router for break-in attempts because the tools on individual consoles that would give this information have been removed to further promulgate the myth that Macs are immune to attack?

  • 7. Re: 10.8 Authentication Events log...
    billypalmier Level 1 (0 points)

    There is an easy workaround.

    You will need to add these lines to your syslog.conf in /etc/syslog.conf

     

    auth.info;authpriv.*;remoteauth.crit	/var/log/secure.log

     

    I have no idea why Apple changed it... annoying though.

     

    Cheers,

     

    B