Skip navigation

10.8 Authentication Events log...

5874 Views 7 Replies Latest reply: Jun 10, 2013 2:10 AM by billypalmier RSS
Gnarlodious Level 4 Level 4 (3,220 points)
Currently Being Moderated
Jul 28, 2012 7:47 AM

Has anyone figured out where the Authentication Events are logged in 10.8? Remember it used to be at fle

/var/log/secure.log

but is now gone. You could read the log and see who was attacking your stuff.

  • Charel Calculating status...
    Currently Being Moderated
    Jul 30, 2012 4:37 PM (in response to Gnarlodious)

    I'm missing secure.log, too, as I'm using Geektool to display several system files on my desktop.

     

    Bizarre that this change has not been reported more widely. I'd be interested in the cause that lead Apple to change this also.

  • Camelot Level 8 Level 8 (45,680 points)
    Currently Being Moderated
    Jul 31, 2012 12:04 PM (in response to Gnarlodious)

    All logging has been rolled into asl - the Apple System Log which is built on top of syslog but includes more options for filtering and querying the logs.

     

    man syslog has a lot of the details for querying the logs.

  • Charel Level 1 Level 1 (0 points)
    Currently Being Moderated
    Jul 31, 2012 2:22 PM (in response to Camelot)

    Thanks for the info.

     

    By using a shell command (syslog -C | tail -n 50) in Geektool I have my information back now.

     

    With an additional grep command I should be able to only show specific information.

  • kullerhamPster Calculating status...
    Currently Being Moderated
    Aug 29, 2012 11:37 AM (in response to Gnarlodious)

    Is there a way to query for local logins, especially for the number of failed attempts to log in?

    I used the Console.app to view the logs, but only found some strange Kerberos-messages (that don't seem to depend on whether you got your password right on the first attempt).

  • Caligula AVG Calculating status...
    Currently Being Moderated
    Mar 19, 2013 11:28 AM (in response to Gnarlodious)

    I've also noticied this and have found NO workaround which give me the information that secure.log did.  Perhaps there is a third party security logging program that might work around this obvious screwup?  I've heard of security through obscurity, but it's usually your security you're trying to make obscure for someone else, not for the sysetm operator.

     

    Apple, please put secure.log back, the replacements for it you've created may tell me that someone is attacking me. but they won't tell me WHO.

     

    I use OS X because I didn't NEED an intermediate firewall between my switch and the network connection, are you now telling me I have to buy an entire new MacPro just to monitor the traffic along the line to my router for breakin attempts because the tools on individual consoles that would give this information have been removed to further promulate the myth that Mac's are immune to attack?

  • billypalmier Calculating status...
    Currently Being Moderated
    Jun 10, 2013 2:10 AM (in response to Gnarlodious)

    There is an easy workaround.

    You will need to add these lines to your syslog.conf in /etc/syslog.conf

     

    auth.info;authpriv.*;remoteauth.crit

    /var/log/secure.log

     

    I have no idea why apple changed it... annoying though.

     

    Cheers,

     

    B

Actions

More Like This

  • Retrieving data ...

Bookmarked By (1)

Legend

  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.