This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: audit log's


CLaudia wrote:

> We want to know the audit logs with CYGWIN. We use the Windows 2000 audit, but we need more information. In the sshd.log we can't see anything. What must we do?

I'm not sure what the "Windows 2000 audit" is, so my answer might not be what
you want, but...

Sshd (the daemon) logs by default on the Windows Event Application list; this
can be changed in the configuration (/etc/sshd_config) so that it can log using
syslog (a separate package not installed by default).

It also logs to wtmp; you can see who logged in and from where, but entries are
not distinguishable from telnet/ftp/or any other logins.

One example of failed login in the event log (very common when somebody tries to
"break" into your computer) is (6 events):

The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local
computer may not have the necessary registry information or message DLL files to
display messages from a remote computer. You may be able to use the /AUXSOURCE=
flag to retrieve this description; see Help and Support for details. The
following information is part of the event: sshd : PID 2868 : Invalid user lidia
from 61.129.117.112.

The description ...
The following information is part of the event: sshd : PID 2996 :
input_userauth_request: invalid user lidia.

The description ...
The following information is part of the event: sshd : PID 2868 : Failed
password for invalid user lidia from 61.129.117.112 port 43285 ssh2.

The description ...
The following information is part of the event: sshd : PID 2996 : Failed
password for invalid user lidia from 61.129.117.112 port 43285 ssh2.

The description ...
The following information is part of the event: sshd : PID 2996 : Received
disconnect from 61.129.117.112: 11: Bye Bye.

The description ...
The following information is part of the event: sshd : PID 2868 : fatal:
mm_request_receive: read: Software caused connection abort.

HTH
-- 
René Berber
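The six Event Log entries quoted in the message above are the kind of record a defender has to work with when sshd on Cygwin is left at its default logging. What follows is an added example, not code from the original message or from the Cygwin project: a small Python parser for the "sshd : PID n : message" text that the Event Viewer shows, which classifies each entry and aggregates password failures per source address. The sample lines are the six entries from the message; the regex names, the `parse_event`/`summarize` functions and the hypothetical threshold parameter are my own. Note that the same failed password appears on the page under two PIDs (2868 and 2996), so the summary counts one attempt per (user, port) rather than one per line.

```python
import re
from collections import defaultdict

# Constructed sample input: the "sshd : PID n : message" part of the six
# Event Log entries quoted in the message above (one kept with the full
# Event Viewer wrapper to show that it is stripped as well).
SAMPLE_EVENTS = [
    "The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. "
    "The following information is part of the event: "
    "sshd : PID 2868 : Invalid user lidia from 61.129.117.112.",
    "sshd : PID 2996 : input_userauth_request: invalid user lidia.",
    "sshd : PID 2868 : Failed password for invalid user lidia from 61.129.117.112 port 43285 ssh2.",
    "sshd : PID 2996 : Failed password for invalid user lidia from 61.129.117.112 port 43285 ssh2.",
    "sshd : PID 2996 : Received disconnect from 61.129.117.112: 11: Bye Bye.",
    "sshd : PID 2868 : fatal: mm_request_receive: read: Software caused connection abort.",
]

# Outer shape of every entry; the trailing period the Event Viewer adds is dropped.
EVENT_RE = re.compile(r"^sshd : PID (?P<pid>\d+) : (?P<msg>.*?)\.?$")
# Message shapes seen in the quoted entries.
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)$")
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"
)
DISCONNECT_RE = re.compile(r"^Received disconnect from (?P<ip>[\d.]+):")


def parse_event(line):
    """Parse one Event Log text into a dict, or return None if it is not an sshd event."""
    # Strip the generic "description cannot be found ... part of the event:" wrapper.
    if "part of the event:" in line:
        line = line.split("part of the event:", 1)[1]
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = {"pid": int(m.group("pid")), "msg": m.group("msg"), "kind": "other"}
    msg = ev["msg"]
    if (f := FAILED_RE.match(msg)):
        ev.update(kind="failed_password", user=f["user"], ip=f["ip"], port=int(f["port"]))
    elif (i := INVALID_RE.match(msg)):
        ev.update(kind="invalid_user", user=i["user"], ip=i["ip"])
    elif (d := DISCONNECT_RE.match(msg)):
        ev.update(kind="disconnect", ip=d["ip"])
    return ev


def summarize(lines, threshold=1):
    """Aggregate events per source IP and return the addresses with at least
    `threshold` distinct password failures (threshold is a hypothetical knob).

    A failure is keyed by (user, port): the same attempt is logged under two
    sshd PIDs, so counting raw lines would double every failure.
    """
    by_ip = defaultdict(lambda: {"attempts": set(), "invalid_users": set(), "pids": set()})
    for line in lines:
        ev = parse_event(line)
        if not ev or "ip" not in ev:
            continue  # not an sshd event, or one without a source address
        rec = by_ip[ev["ip"]]
        rec["pids"].add(ev["pid"])
        if ev["kind"] == "failed_password":
            rec["attempts"].add((ev["user"], ev["port"]))
        elif ev["kind"] == "invalid_user":
            rec["invalid_users"].add(ev["user"])
    return {
        ip: {
            "failed_attempts": len(r["attempts"]),
            "invalid_users": sorted(r["invalid_users"]),
            "pids": sorted(r["pids"]),
        }
        for ip, r in by_ip.items()
        if len(r["attempts"]) >= threshold
    }


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_EVENTS).items():
        print(ip, info)
```

On a real system the lines would come from the Application log (for example exported from the Event Viewer) rather than from a list; the parser only looks at the text after "part of the event:", so the export format around it does not matter. The `other` kind keeps entries such as `input_userauth_request` and the `fatal: mm_request_receive` abort, which carry no address and are therefore left out of the per-IP summary.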

