From owner-freebsd-current@FreeBSD.ORG  Tue Jan 15 16:18:50 2008
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 27C8516A421
	for <freebsd-current@freebsd.org>; Tue, 15 Jan 2008 16:18:50 +0000 (UTC)
	(envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
	by mx1.freebsd.org (Postfix) with ESMTP id E8B7A13C46E
	for <freebsd-current@freebsd.org>; Tue, 15 Jan 2008 16:18:49 +0000 (UTC)
	(envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41])
	by cyrus.watson.org (Postfix) with ESMTP id 5AFF646E1A;
	Tue, 15 Jan 2008 11:18:48 -0500 (EST)
Date: Tue, 15 Jan 2008 16:18:48 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
X-X-Sender: robert@fledge.watson.org
To: Richard Bates <bates@telehouse.com>
In-Reply-To: <9419F125-F8F9-4FFB-A9F0-CF59DC9278C9@telehouse.com>
Message-ID: <20080115161724.U32954@fledge.watson.org>
References: <9419F125-F8F9-4FFB-A9F0-CF59DC9278C9@telehouse.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-current@freebsd.org
Subject: Re: Question on security..
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jan 2008 16:18:50 -0000


On Tue, 15 Jan 2008, Richard Bates wrote:

> I know login failures are logged in /var/log/auth.log
>
> is there a way to log the login of users in this log say something like
>
> Jan 15 10:59:00 MyServer sshd[91869]: User bates authenticated from 
> 172.18.1.139
> Jan 15 10:59:00 MyServer sshd[91869]: User bates Disconnected from 
> 172.18.1.139

The normal system lastlog, accessed via last(1), does this fairly well.  As 
you notch up the level of logging on sshd, it should also be able to do that. 
However, I tend to use audit for the above type of functionality, as the 
results are more parseable using tools like auditreduce.  There's a handbook 
chapter on how to configure and use audit, should you be looking for something 
a bit more on that scale of things.

Robert N M Watson
Computer Laboratory
University of Cambridge