Claudia wrote:
> We want to know the audit logs with CYGWIN. We use the Windows 2000 audit,
> but we need more information. In the sshd.log we can't see anything. What
> must we do?

I'm not sure what the "Windows 2000 audit" is, so my answer might not be what you want, but...

Sshd (the daemon) logs by default on the Windows Event Application list; this can be changed in the configuration (/etc/sshd_config) so that it can log using syslog (a separate package not installed by default).

It also logs to wtmp; you can see who logged in and from where, but entries are not distinguishable from telnet/ftp/or any other logins.

One example of failed login in the event log (very common when somebody tries to "break" into your computer) is (6 events):

The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 2868 : Invalid user lidia from 61.129.117.112.

The description ... The following information is part of the event: sshd : PID 2996 : input_userauth_request: invalid user lidia.

The description ... The following information is part of the event: sshd : PID 2868 : Failed password for invalid user lidia from 61.129.117.112 port 43285 ssh2.

The description ... The following information is part of the event: sshd : PID 2996 : Failed password for invalid user lidia from 61.129.117.112 port 43285 ssh2.

The description ... The following information is part of the event: sshd : PID 2996 : Received disconnect from 61.129.117.112: 11: Bye Bye.

The description ... The following information is part of the event: sshd : PID 2868 : fatal: mm_request_receive: read: Software caused connection abort.

HTH
--
René Berber
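
Added example, not part of the original post: a Python script that tallies failed sshd logins per source address from event text in the layout quoted above. The sample events are constructed (documentation-range addresses, made-up users), and treating a repeated address/port/user as one attempt is an assumption, made because the quoted sample shows the same failure under two PIDs.

```python
import re
from collections import defaultdict

# Layout taken from the event text quoted above: "sshd : PID <n> : <message>"
EVENT_RE = re.compile(r"sshd\s*:\s*PID\s+(?P<pid>\d+)\s*:\s*(?P<msg>.+)")
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# Constructed sample events: documentation-range addresses, made-up users.
PREFIX = "The following information is part of the event: "
SAMPLE_EVENTS = [
    PREFIX + "sshd : PID 2868 : Invalid user lidia from 203.0.113.7.",
    PREFIX + "sshd : PID 2868 : Failed password for invalid user lidia from 203.0.113.7 port 43285 ssh2.",
    PREFIX + "sshd : PID 2996 : Failed password for invalid user lidia from 203.0.113.7 port 43285 ssh2.",
    "sshd : PID 3100 : Failed password for invalid user admin from 203.0.113.7 port 43290 ssh2.",
    "sshd : PID 3200 : Failed password for alice from 198.51.100.4 port 50112 ssh2.",
    "sshd : PID 3300 : Accepted password for alice from 198.51.100.4 port 50113 ssh2.",
]

def failed_logins(events):
    """Return {ip: {"attempts": int, "users": set, "invalid_users": set}}."""
    seen = set()
    report = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid_users": set()})
    for text in events:
        event = EVENT_RE.search(text)
        hit = FAILED_RE.search(event.group("msg")) if event else None
        if not hit:
            continue
        # Assumption: same address/port/user twice is one attempt logged by two PIDs.
        key = (hit["ip"], hit["port"], hit["user"])
        if key in seen:
            continue
        seen.add(key)
        entry = report[hit["ip"]]
        entry["attempts"] += 1
        entry["users"].add(hit["user"])
        if hit["invalid"]:
            entry["invalid_users"].add(hit["user"])
    return dict(report)

def noisy_sources(events, threshold=2):
    """Addresses with at least `threshold` distinct failed attempts."""
    return sorted(ip for ip, e in failed_logins(events).items() if e["attempts"] >= threshold)

if __name__ == "__main__":
    for ip, entry in failed_logins(SAMPLE_EVENTS).items():
        print(ip, entry["attempts"], sorted(entry["invalid_users"]))
```

Feed it the description text of the sshd events exported from the Application log, one event per list item.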