SSH Access Logging

Ok, so I need to log SSH access into my Drobo 5N.

I have OpenSSH installed and have configured it for verbose logging, however cannot find an auth.log anywhere on the machine.

I would really appreciate some help with access logging so I can start to enhance the security on my Drobo.

Thanks in advance!

The location of the log file is /tmp/DroboApps/openssh/log.txt.

Thanks Ricardo, unfortunately this log file doesn’t include any information regarding access via SSH, rather it seems to only be logging errors in the service.

Any idea where the traditional /var/log/auth.log may be hiding?

As far as I can tell, the AUTH log requires syslog to be installed. By the way, if you do install syslog make sure you do not log to /var. If you fill that partition bad things happen. The “have to reflash the firmware, and hope no data was lost” kind of bad.

Thanks for the heads up, I guess it’s safe to log to the same location that I currently find the OpenSSH log in /tmp…?

/tmp is a ramdisk, which means that a big enough log will make you run out of memory, and a simple reboot will get rid of any evidence of misconduct. I suggest placing it inside the app’s own folder, i.e., /mnt/DroboFS/Shares/DroboApps/openssh/var/log/auth.log.

That was my second option :wink:

Thanks for all the help!

Yeah, I’m having difficulty logging any network activity. Syslog is successfully logging all internal messages on the Drobo, but I am not seeing any logs for network activity. The Syslog configuration file has been setup to detect network sources over UDP and TCP, but I’m not getting any log files for network sources.

Any help?

I’m not entirely sure of what you mean by “network sources.”

Here is the Syslog configuration file, as downloaded from Droboports, with the exception of the directory in which local system messages are saved and the addition of TCP transport to the source ‘s_network’:

[code]@version: 3.2
@include "scl.conf"

# local sources: messages from local processes (including sshd) and from syslog-ng itself
source s_local {
    system();
    internal();
};

# loghost setup - source UDP/514 (and TCP/514)
source s_network {
    tcp();
    udp();
};

destination d_local {
    file("/mnt/DroboFS/Shares/DroboApps/syslog-ng/log/messages");
};

# loghost setup - destination separated by folders
# macros are braced so that the underscores are not read as part of the macro name
# (note: perm(0755) leaves the log files world-readable; 0640 is the usual choice)
destination d_loghost {
    file("/mnt/DroboFS/Shares/DroboApps/syslog-ng/log/$HOST/$YEAR/$MONTH/$DAY/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}"
        owner(syslog) group(syslog) perm(0755) dir_perm(0755) create_dirs(yes)
    );
};

# loghost setup - log setup
log {
    source(s_network);
    destination(d_loghost);
};

log {
    source(s_local);
    destination(d_local);
};
[/code]

As it stands this configuration only gathers internal system messages, as defined by the source ‘s_local’, and delivers them to the destination ‘d_local’.

Right now the source ‘s_network’ gathers nothing at all. What I want to do is gather all authentication, such as ssh/sftp, then I can use some other software to watch that log for failed authentication attempts.

I think you misunderstand the meaning of s_network. S_network means traffic coming from other hosts. S_local means all messages from any local process. This includes any messages from OpenSSH.

I think the problem here is that the configuration of syslog-ng is not saving any auth messages. Have a look here for an example of configuration that supports auth messages (CTRL+F for auth for the interesting bits): https://wiki.archlinux.org/index.php/syslog-ng
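An added example of what that looks like, written for this thread and not taken from Droboports or the Arch wiki. It assumes sshd sends its messages to syslog with the default SyslogFacility AUTH (set LogLevel VERBOSE in sshd_config to get per-attempt detail), and it writes to the app folder suggested earlier in the thread rather than to /var or /tmp:

```conf
# Appended to the syslog-ng.conf shown above (uses its existing s_local source).
# Keep only messages from the auth and authpriv facilities.
filter f_auth { facility(auth, authpriv); };

# sshd messages that indicate a failed or unknown-user login attempt,
# kept in a separate file that a watcher process can tail.
filter f_sshd_fail {
    program("sshd")
    and match("Failed|Invalid user" value("MESSAGE"));
};

# Log files live on the data volume, never on /var (tiny) or /tmp (ramdisk).
# perm(0600) so the log is not world-readable (it contains usernames and source IPs).
destination d_auth {
    file("/mnt/DroboFS/Shares/DroboApps/openssh/var/log/auth.log"
         owner(root) group(root) perm(0600) dir_perm(0750) create_dirs(yes));
};

destination d_sshd_fail {
    file("/mnt/DroboFS/Shares/DroboApps/openssh/var/log/sshd_failures.log"
         owner(root) group(root) perm(0600) dir_perm(0750) create_dirs(yes));
};

# Full auth trail.
log {
    source(s_local);
    filter(f_auth);
    destination(d_auth);
};

# Failed-attempt subset; flags(final) so these lines are not also matched by later log paths.
log {
    source(s_local);
    filter(f_auth);
    filter(f_sshd_fail);
    destination(d_sshd_fail);
    flags(final);
};
```

Place the two new log statements before the existing `log { source(s_local); destination(d_local); };` block if you want flags(final) to keep failed-login lines out of the general messages file as well.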