Yesterday a compromised host at a Canadian university was used in an attempt to crack into our network. The information was in the sshd section of logwatch's report.
I would like to send the admin there timestamped records from the raw log file that show the attempts, but cannot locate the appropriate file in /var/log/. In /var/log/syslog.? there are references to sshd, but they all refer to an inability to get shadow information for NOUSER. I cannot get results when I grep for the domain name.

Where might logwatch be getting this detailed information? I cannot find that in /etc/logwatch/logwatch.conf or the files in /usr/share/logwatch/, and it's not in /var/log/syslog.1.

Rich

PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
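The kind of extraction Rich is after, as an added example that is not part of the original post: two small POSIX shell functions that pull timestamped sshd lines mentioning a given remote host or address out of a syslog-format file and count the ones that are authentication failures. The sample log lines are constructed (203.0.113.7 and 192.0.2.5 are documentation addresses), and the file names /var/log/auth.log and /var/log/secure are mentioned only as the usual places distributions write sshd's auth-facility messages, which is an assumption about the poster's system rather than something the thread states.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the classic syslog line
# layout ("Mon DD HH:MM:SS host sshd[pid]: ..."). The log path and the remote
# address below are constructed placeholders.

# sshd_attempts LOGFILE PATTERN
# Prints every sshd line in LOGFILE that contains PATTERN (an IP or hostname),
# timestamp included, so the lines can be forwarded as-is to the remote admin.
sshd_attempts() {
    logfile="$1"
    pattern="$2"
    grep 'sshd\[' "$logfile" | grep -F -- "$pattern"
}

# sshd_failure_count LOGFILE PATTERN
# Counts the subset of those lines that are failed logins or invalid-user
# probes, which is roughly what logwatch's sshd section summarises.
sshd_failure_count() {
    sshd_attempts "$1" "$2" \
        | grep -E -c 'Failed password|Invalid user|Did not receive identification'
}

# Constructed sample log, standing in for /var/log/auth.log (Debian/Ubuntu)
# or /var/log/secure (Red Hat family) on a real system.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar 14 02:11:07 gw sshd[4121]: Invalid user admin from 203.0.113.7
Mar 14 02:11:07 gw sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 14 02:11:09 gw sshd[4123]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 14 02:12:00 gw sshd[4130]: Accepted publickey for rich from 192.0.2.5 port 40000 ssh2
Mar 14 02:12:30 gw cron[4140]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Usage: list the attempts from the suspect address, then count the failures.
sshd_attempts "$SAMPLE_LOG" 203.0.113.7
echo "failures: $(sshd_failure_count "$SAMPLE_LOG" 203.0.113.7)"
```

On a live system, point the functions at whichever file the auth facility is written to; if grepping for the remote domain name finds nothing, try its IP address, since sshd logs the address and only resolves names when UseDNS is enabled.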
