From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: gentoo auditd not logging?
Date: Mon, 27 Oct 2014 09:06:59 -0400
Message-ID: <25263825.Gqr2hZfEHP@x2>
References: <4e30e7a80cdb5f56f082f81a707c23a9@zbfmail.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <4e30e7a80cdb5f56f082f81a707c23a9@zbfmail.de>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com, weber@zbfmail.de
List-Id: linux-audit@redhat.com

On Friday, October 24, 2014 03:15:39 PM Marko Weber | 8000 wrote:
> I installed audit on a gentoo box.
> In the auditd.log it shows logins via ssh:
>
> type=LOGIN msg=audit(1413987302.466:14): pid=27091 uid=0
> old-auid=4294967295 auid=0 old-ses=4294967295 ses=7 res=1
>
> But in the logs I can't see failed logins.

Actual failed logins would be a USER_LOGIN event. You should be able to run

    aureport --start today --login --failed

to see them. Note that auditd is about like syslog in that it does not generate events, it records them. You may need to add --enable-audit when building a number of packages to get the right support in place.

-Steve
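
The distinction drawn in the reply, between the kernel LOGIN record and the USER_LOGIN event that carries a failed login, can be checked directly against the raw log. The following is an added example, not part of the original message or of the audit project's code; the USER_LOGIN sample lines are constructed, and their field layout (a nested msg='...' ending in res=failed or res=success) is an assumption based on typical sshd output.

```python
import re
from datetime import datetime, timezone

# Constructed sample. The LOGIN line is the one quoted in the thread (unwrapped);
# the USER_LOGIN lines are made up, with an assumed sshd-style field layout.
SAMPLE = """\
type=LOGIN msg=audit(1413987302.466:14): pid=27091 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=7 res=1
type=USER_LOGIN msg=audit(1413987310.120:15): pid=27102 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1413987355.901:16): pid=27110 uid=0 auid=0 ses=8 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=/dev/pts/1 res=success'
this line is not an audit record
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): ?(.*)$")
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S*)')

def parse_record(line):
    """Return a dict of fields for one audit record, or None if malformed."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, epoch, serial, body = m.groups()
    # User-space records wrap their own fields in msg='...'; unwrap them so
    # acct, addr and res are parsed like the kernel-supplied fields.
    inner = re.search(r"msg='(.*)'", body)
    if inner:
        body = body[:inner.start()] + inner.group(1)
    fields = {k: v.strip('"') for k, v in PAIR.findall(body)}
    fields.update(type=rtype, serial=int(serial),
                  time=datetime.fromtimestamp(int(epoch), tz=timezone.utc))
    return fields

def failed_logins(lines):
    """Keep only USER_LOGIN events whose result is 'failed'."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec["type"] == "USER_LOGIN" and rec.get("res") == "failed":
            out.append(rec)
    return out

if __name__ == "__main__":
    for r in failed_logins(SAMPLE.splitlines()):
        print(r["time"].isoformat(), r["serial"], r.get("acct", "?"), r.get("addr", "?"))
```

If a log contains only LOGIN records and no USER_LOGIN records at all, the result is empty, which matches the point in the reply that the login programs must be built with audit support before auditd has anything to record.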