Gregory Machin
2013-Jun-12 01:05 UTC
[CentOS] Audit logs containing 28756E6B6E6F776E207573657229
Hi.

I'm seeing a lot of entries in /var/log/audit/audit.log with acct=28756E6B6E6F776E207573657229, which apparently means unknown user.

Sample from the logs:

type=USER_LOGIN msg=audit(1370998250.746:1622709): user pid=16762 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'

How do I track down what is causing this? Thus far I have had no luck using the pid with ps or lsof, as it seems the process has gone by the time I respond to the log entries.

Thanks
G
Nicolas Thierry-Mieg
2013-Jun-12 09:40 UTC
[CentOS] Audit logs containing 28756E6B6E6F776E207573657229
Gregory Machin wrote:
> Hi.
> I'm seeing a lot of entries in /var/log/audit/audit.log with
> acct=28756E6B6E6F776E207573657229, which apparently means unknown user.
>
> Sample from the logs:
> type=USER_LOGIN msg=audit(1370998250.746:1622709): user pid=16762 uid=0
> auid=4294967295 ses=4294967295 msg='op=login
> acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=?
> addr=127.0.0.1 terminal=ssh res=failed'
>
> How do I track down what is causing this? Thus far I have had no luck
> using the pid with ps or lsof, as it seems the process has gone by the
> time I respond to the log entries.

It looks like a failed login attempt through ssh, but I would check /var/log/secure, which may be more explicit.
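The acct value in the record above is a hex-encoded string; as an added example (not code from either poster), this parser decodes it and pulls out the UTC time, source address and pid needed to find the matching lines in /var/log/secure. The ENCODED_FIELDS set and the second sample record are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Assumption: string fields auditd may hex-encode; numeric fields are never decoded.
ENCODED_FIELDS = {"acct", "exe", "comm", "cwd", "name"}
HEADER = re.compile(r"type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):")
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def decode_value(key, raw):
    """Quoted values are literal; unquoted all-hex string fields are encoded."""
    if raw.startswith('"'):
        return raw.strip('"')
    if key in ENCODED_FIELDS and HEX.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_record(line):
    m = HEADER.search(line)
    if m is None:
        raise ValueError("not an audit record")
    # Flatten the nested msg='...' payload into the outer key=value list.
    body = line[m.end():].replace("msg='", "").rstrip().rstrip("'")
    fields = {k: decode_value(k, v) for k, v in PAIR.findall(body)}
    when = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return {"type": m.group(1), "time": when, "serial": int(m.group(3)), "fields": fields}

def failed_logins(lines):
    """Return (UTC time, account, source address, pid) for failed USER_LOGIN records."""
    out = []
    for line in lines:
        rec = parse_record(line)
        f = rec["fields"]
        if rec["type"] == "USER_LOGIN" and f.get("res") == "failed":
            out.append((rec["time"].isoformat(), f.get("acct"), f.get("addr"), f.get("pid")))
    return out

SAMPLE = [
    # Record quoted in the thread.
    "type=USER_LOGIN msg=audit(1370998250.746:1622709): user pid=16762 uid=0 "
    "auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 "
    'exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed\'',
    # Constructed record showing the quoted (not encoded) form of acct.
    "type=USER_LOGIN msg=audit(1370998300.100:1622710): user pid=16800 uid=0 "
    'auid=4294967295 ses=4294967295 msg=\'op=login acct="alice" '
    'exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed\'',
]

if __name__ == "__main__":
    for row in failed_logins(SAMPLE):
        print(row)
```
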