What logs to check
Authored by: elmimmo on Aug 19, '05 10:30:58AM

Rob wrote:
> I checked the log files today. My machine is still getting pounded by scripted attacks

For those not in the know like me, what should we be looking for in which logs in order to determine if we too are being subject of attacks?

What logs to check
Authored by: kyngchaos on Aug 19, '05 11:26:20AM

I was wondering also, but look at that old hint Rob mentioned.

What logs to check
Authored by: kyngchaos on Aug 19, '05 02:08:26PM

Ah, I was looking at my Server Mac, which is still Mac OS 10.3. It appears Tiger is different, as others are saying now.

What logs to check
Authored by: faze on Aug 19, '05 12:19:33PM

Pre-Tiger it was easy to find the ssh info in /var/log/system.log

Since installing Tiger the only way I see those messages is by adding the following line to /etc/syslog.conf

*.info /var/log/system.log

This has the side effect of doubling some other messages in the system log, but I want to see any failed/success ssh attempts, so I don't mind.

You could also check your firewall logs, but the system log method will give you some info you can't get otherwise.

What logs to check
Authored by: rumirocks on Aug 19, '05 02:02:53PM
How do you get to /etc/syslog.conf in Terminal so that we can add the line you suggest? Sorry it's a beginner's question, but you guys who contribute to macosxhints come up with the best suggestions and newbies have to start somewhere.

What logs to check
Authored by: faze on Aug 19, '05 02:53:21PM

If you're new to terminal/unix, I suggest using pico to edit the file. You will have to edit it as 'superuser', so here's the command to get you into edit mode with pico:

sudo pico /etc/syslog.conf

Then add the line I mentioned before. I added it as the 3rd line in the file.
After you add the line hold down control and press x and pico will ask you if you want to save the changes. After that, I rebooted, although I am sure there is a signal you could send to syslogd to get it to reread the config, but that's up to someone else to find.

What logs to check
Authored by: mmarlett on Aug 19, '05 12:57:12PM

If you want a simple GUI, open Console in /Applications/Utilities/ and click on the "Logs" button. Then scroll down the list to "/var/log" and select "secure.log" and see how many times today "frank" tried to log in.

What logs to check
Authored by: bhillier on Aug 19, '05 01:36:35PM

I tried to view the log files with Console, but the log is greyed out and when clicked upon I see this: "===== You do not have permission to read this log file =====". How do I get the permission necessary to view the secure.log?

I am denied permission to secure.log
Authored by: rumirocks on Aug 19, '05 02:05:01PM

How do I get into "secure.log" from the console? I am currently denied permission.

I am denied permission to secure.log
Authored by: apollo75 on Dec 03, '05 08:38:09AM

I have the same problem. I am the primary user on this machine, does anyone know why one can't see their own logs?

I am denied permission to secure.log
Authored by: sjk on Dec 03, '05 10:23:01PM

The default permissions on it are read/write by root:

% ls -l /var/log/secure.log
-rw------- 1 root admin 77645 Dec 3 20:00 /var/log/secure.log

Repair Disk Permissions will reset it that way if it's been changed (e.g. when the weekly script rotates the file).

Console would have to authenticate to read that file with those permissions, which it doesn't do. A traditional Unix way to monitor it is by running "sudo tail -F /var/log/secure.log" in a Terminal shell. Or prefix whatever other commands you want to use with 'sudo' to access it.

What logs to check
Authored by: MattHaffner on Aug 19, '05 01:08:45PM
Here's a quick terminal script to pull out the failed tries:

grep 'failed to authenticate' /var/log/secure.log

For example, I have an attempt that happened a few days ago and part of it looks like this:

Aug 16 20:45:54 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user exiot.
Aug 16 20:45:58 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user read.
Aug 16 20:46:07 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user write.
Aug 16 20:46:11 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user root.
Aug 16 20:46:15 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user shell.
Aug 16 20:46:19 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user shell.
Aug 16 20:46:23 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user shell.
Aug 16 20:46:27 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user buffer.
Aug 16 20:46:31 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user firebird.
Aug 16 20:46:35 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user amd.
Aug 16 20:46:38 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user xp.
Aug 16 20:46:42 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user service.

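Building on the grep above, here is an added example (not from the thread or from any poster) that summarises the "failed to authenticate user" lines per user name and flags minutes with a burst of failures. It runs against a constructed sample in the same format as the lines quoted above; point the functions at /var/log/secure.log to use them for real.

```shell
#!/bin/sh
# Added example: summarise failed authentications in a secure.log-style file.
# The sample below is constructed to match the format quoted in the thread.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Aug 16 20:45:54 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user exiot.
Aug 16 20:45:58 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user read.
Aug 16 20:46:11 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user root.
Aug 16 20:46:15 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user shell.
Aug 16 20:46:19 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user shell.
Aug 16 20:46:23 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user shell.
Aug 16 20:46:27 Tyranena kernel: unrelated line that must be ignored
EOF

# Total number of failed authentication attempts in the file.
failed_total() {
    grep -c 'failed to authenticate user' "$1"
}

# Failed attempts per user name, most frequent first, as "COUNT USER".
# The user name is the last field of the line with its trailing dot stripped.
failed_by_user() {
    grep 'failed to authenticate user' "$1" \
      | awk '{ u = $NF; sub(/\.$/, "", u); print u }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Minutes in which at least $2 failures were logged, as "Mon DD HH:MM COUNT".
# A dictionary-style run (many names in one minute) shows up here even when
# no single user name is tried more than once.
busy_minutes() {
    grep 'failed to authenticate user' "$1" \
      | awk -v min="$2" '{ key = $1 " " $2 " " substr($3, 1, 5); n[key]++ }
                         END { for (k in n) if (n[k] >= min) print k, n[k] }' \
      | sort
}

# Report for the sample; replace "$SAMPLE_LOG" with /var/log/secure.log (via sudo).
echo "failed attempts: $(failed_total "$SAMPLE_LOG")"
failed_by_user "$SAMPLE_LOG"
busy_minutes "$SAMPLE_LOG" 3
```

As sjk notes below, secure.log is readable only by root, so the real run needs sudo.
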
What logs to check
Authored by: Aet on Aug 20, '05 10:25:02AM

Same problem with permissions as noted above, but a sudo fixes that.
