Has anyone figured out where the Authentication Events are logged in 10.8? Remember it used to be at fle
/var/log/secure.log
but is now gone. You could read the log and see who was attacking your stuff.
I'm missing secure.log, too, as I'm using Geektool to display several system files on my desktop.
Bizarre that this change has not been reported more widely. I'd be interested in the cause that lead Apple to change this also.
All logging has been rolled into asl - the Apple System Log which is built on top of syslog but includes more options for filtering and querying the logs.
man syslog has a lot of the details for querying the logs.
Thanks for the info.
By using a shell command (syslog -C | tail -n 50) in Geektool I have my information back now.
With an additional grep command I should be able to only show specific information.
Thanks, Camelot. I am having success with:
syslog -k Time ge -24h | egrep -e 'sshd|ftpd|afp|vnc
The command lists all failed authentication attempts within the last 24 hours. There may be a regex solution for better extraction so if someone knows it then please post. Truth be told, the old log was much easier to read.
Is there a way to query for local logins, especially for the number of failed attempts to log in?
I used the Console.app to view the logs, but only found some strange Kerberos-messages (that don't seem to depend on whether you got your password right on the first attempt).
I've also noticied this and have found NO workaround which give me the information that secure.log did. Perhaps there is a third party security logging program that might work around this obvious screwup? I've heard of security through obscurity, but it's usually your security you're trying to make obscure for someone else, not for the sysetm operator.
Apple, please put secure.log back, the replacements for it you've created may tell me that someone is attacking me. but they won't tell me WHO.
I use OS X because I didn't NEED an intermediate firewall between my switch and the network connection, are you now telling me I have to buy an entire new MacPro just to monitor the traffic along the line to my router for breakin attempts because the tools on individual consoles that would give this information have been removed to further promulate the myth that Mac's are immune to attack?
There is an easy workaround.
You will need to add these lines to your syslog.conf in /etc/syslog.conf
| auth.info;authpriv.*;remoteauth.crit | /var/log/secure.log |
I have no idea why apple changed it... annoying though.
Cheers,
B
Sorry for resurrecting a post...
Strangely,
syslog -k Time ge -24h | egrep -e 'sshd|ftpd|afp|vnc'
gives me only successful logins, while
cat /var/log/system.log | egrep -e 'sshd|ftpd|afp|vnc'
gives all attempts, including unsuccessful. But is not so nice (not the 24h window)
Any idea why syslog doesn't show unsuccessful attempts?
10.8 Authentication Events log...
