How to access the login logs for a failed login?

My home was broken into and someone attempted to login to my Qubes environment, but failed (when I logged in the UI said there had been one failed attempt). I’ve been a software engineer for a long time, but I’m new to Qubes/Linux, and I’m needing to examine the auth.log file to determine what time the attempt was made…but I’m not seeing any failed attempt reading through the lines. Where is the auth.log located that I should be examining? The dom0 doesn’t include auth.log but I see one from other areas; is there a specific terminal I should be using? Googling and searching this forum hasn’t helped (yet). The command I’m using is: sudo less /var/log/auth.log

Thanks

XOROXKS

Systemd manages the logs of the system services (e.g. audit, login) and the kernel. The journalctl tool queries the logs.

Note that this isn’t specific to Qubes OS; most recent Linux distributions work like this.

Example here with a big_brother_is_watching_you login failure from tty2:

[user@dom0 ~]$ journalctl -fxe | grep login
Aug 04 23:04:05 dom0 login[22771]: pam_unix(login:auth): check pass; user unknown
Aug 04 23:04:05 dom0 kernel: audit: type=1100 audit(1628118245.702:477): pid=22771 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="big_brother_is_watching_you" exe="/usr/bin/login" hostname=dom0 addr=? terminal=tty2 res=failed'
Aug 04 23:04:05 dom0 audit[22771]: USER_AUTH pid=22771 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="big_brother_is_watching_you" exe="/usr/bin/login" hostname=dom0 addr=? terminal=tty2 res=failed'
Aug 04 23:04:05 dom0 login[22771]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Aug 04 23:04:07 dom0 login[22771]: FAILED LOGIN 1 FROM tty2 FOR big_brother_is_watching_you, Authentication failure
Aug 04 23:04:07 dom0 audit[22771]: USER_LOGIN pid=22771 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="big_brother_is_watching_you" exe="/usr/bin/login" hostname=dom0 addr=? terminal=tty2 res=failed'
Aug 04 23:04:07 dom0 kernel: audit: type=1112 audit(1628118247.737:478): pid=22771 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="big_brother_is_watching_you" exe="/usr/bin/login" hostname=dom0 addr=? terminal=tty2 res=failed'

I suggest you read man journalctl; the --boot option will help you to access the logs of a previous boot.


Note: I changed the topic title.


Thanks for the information. Unfortunately, I’m not seeing any log entries for the login event; I’ve also tried the --boot option. I’ll keep digging.

Thanks

On my system, sudo journalctl --reverse _TRANSPORT=audit shows all audit events across multiple reboots (oldest entries are from December in my case).
You could grep for USER_AUTH and further reduce the amount of output using head or read through the interesting lines using less.

That way, you should be able to track every login attempt. Note that in my case, the relevant entries do not contain the keyword login. That might be why you don’t see the relevant parts.

You are looking for something like
Aug 04 10:20:36 dom0 audit[12345]: USER_AUTH pid=12345 uid=1000 auid=1000 ses=2 msg='op=PAM:unix_chkpwd acct="alice" exe="/usr/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=failed'

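The two answers above boil down to one procedure: pull the audit records out of the journal, keep only the USER_AUTH / USER_LOGIN events with res=failed, and read off the timestamp, account and terminal. The script below is an added example written for this thread, not code from any of the posters or from Qubes OS. The function names (sample_journal, failed_auth_summary, count_failed_in_sample) are my own, and the sample lines are constructed from the shapes of the records quoted in the thread (including a successful unix_chkpwd check and a plain pam_unix line that must be ignored) so the script runs offline; on a real dom0 you would replace sample_journal with the journalctl invocation from the previous post.

```shell
#!/bin/sh
# Added example for this thread (not the posters' or Qubes' own code).
# Summarise failed PAM authentication / login events from journal output.
# Live use in dom0, per the post above:
#   sudo journalctl --reverse _TRANSPORT=audit | failed_auth_summary

# Constructed sample journal: modelled on the records quoted in this thread.
sample_journal() {
    cat <<'EOF'
Aug 04 23:04:05 dom0 audit[22771]: USER_AUTH pid=22771 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="big_brother_is_watching_you" exe="/usr/bin/login" hostname=dom0 addr=? terminal=tty2 res=failed'
Aug 04 23:04:05 dom0 login[22771]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Aug 04 23:04:07 dom0 audit[22771]: USER_LOGIN pid=22771 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="big_brother_is_watching_you" exe="/usr/bin/login" hostname=dom0 addr=? terminal=tty2 res=failed'
Aug 04 10:20:36 dom0 audit[12345]: USER_AUTH pid=12345 uid=1000 auid=1000 ses=2 msg='op=PAM:unix_chkpwd acct="alice" exe="/usr/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=failed'
Aug 04 10:21:02 dom0 audit[12350]: USER_AUTH pid=12350 uid=1000 auid=1000 ses=2 msg='op=PAM:unix_chkpwd acct="alice" exe="/usr/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=success'
EOF
}

# Read journal lines on stdin. For every USER_AUTH or USER_LOGIN audit record
# with res=failed, print one tab-separated line:
#   <timestamp> <event type> <acct> <exe> <terminal>
# Lines that merely mention "login" (pam_unix chatter) or that succeeded are
# dropped, which is why grepping for the word "login" misses screen-lock
# failures reported through unix_chkpwd.
failed_auth_summary() {
    awk '
        # Field layout: $1-$3 = "Aug 04 23:04:05", $4 = host,
        # $5 = "audit[pid]:", $6 = audit event type.
        / USER_(AUTH|LOGIN) / && / res=failed/ {
            ts     = $1 " " $2 " " $3
            evtype = $6
            acct   = extract($0, "acct=\"", "\"")
            exe    = extract($0, "exe=\"", "\"")
            term   = extract($0, "terminal=", " ")
            printf "%s\t%s\t%s\t%s\t%s\n", ts, evtype, acct, exe, term
        }

        # Return the text between key and the next occurrence of stop,
        # or "?" when the key is absent from the record.
        function extract(line, key, stop,    i, rest, j) {
            i = index(line, key)
            if (i == 0) return "?"
            rest = substr(line, i + length(key))
            j = index(rest, stop)
            return (j == 0) ? rest : substr(rest, 1, j - 1)
        }
    '
}

# Convenience for the self-check: number of failed events in the sample.
count_failed_in_sample() {
    sample_journal | failed_auth_summary | wc -l | tr -d ' '
}
```

Running sample_journal | failed_auth_summary yields three records: the tty2 USER_AUTH and USER_LOGIN failures for big_brother_is_watching_you, and the unix_chkpwd failure for alice whose terminal is reported as "?". The successful unix_chkpwd check and the pam_unix line produce nothing, which is the behaviour the previous post describes when it warns that the interesting entries need not contain the keyword "login".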

I was able to locate the failed login using:

journalctl --reverse | grep USER_AUTH | grep failed

I’m using Qubes release 4.0.4.

Thank you!
