Why has my auth.log file emptied - is this normal?

Solution 1:

There is a cronjob in /etc/cron.daily (in CentOS anyway, may be different in Ubuntu) to run a tool called logrotate, which reads configuration from /etc/logrotate.d and handles the aging of system logs, etc.

Typically, a week's worth of logs are kept, rotated once daily. In modern implementations, you will see other files named /var/log/auth.log.[date]. Try doing:

ls -l /var/log/auth.log*

Solution 2:

There's log rotation, which happens typically in the morning (I believe the default is at or shortly after 06:25). It looks like you pulled the file shortly after logrotate ran.

Depending on the logrotate configuration, the previous day's file will be named /var/log/auth.log.1. Look for it there.

The logrotate configuration is in /etc/logrotate.d. The cron job for logrotate is in /etc/cron.daily, with scripts in that directory being run from /etc/crontab.
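
Both answers point to rotated copies sitting next to the live file. The shell function below is an added example, not part of either answer, that checks whether such a copy exists and is non-empty, so that a short auth.log can be attributed to rotation rather than to something else. The name check_rotation and its verdict words are made up for this example; the suffixes it looks for (.1, .2.gz, -YYYYMMDD) are the usual logrotate naming.

```shell
# Added example: decide whether a short or empty log is explained by rotation.
# Usage: check_rotation [logfile]      (default: /var/log/auth.log)
# Prints a verdict word on the first line, then one line of detail.
# Exit status: 0 = rotated copy found, 1 = no usable copy, 2 = live log missing.

check_rotation() {
    local log="${1:-/var/log/auth.log}"
    local newest="" f

    if [ ! -e "$log" ]; then
        echo "missing"
        echo "$log does not exist"
        return 2
    fi

    # Rotated copies sit beside the live file: auth.log.1, auth.log.2.gz,
    # or auth.log-YYYYMMDD when dateext is set. Keep the most recently
    # modified one, which is the file logrotate moved aside last.
    for f in "$log".* "$log"-*; do
        [ -f "$f" ] || continue      # an unmatched glob stays literal; skip it
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest="$f"
        fi
    done

    if [ -z "$newest" ]; then
        echo "no-rotated-copy"
        echo "nothing beside $log; rotation does not explain a short log"
        return 1
    fi

    if [ ! -s "$newest" ]; then
        echo "rotated-copy-empty"
        echo "$newest exists but is 0 bytes"
        return 1
    fi

    echo "rotated"
    echo "earlier entries should be in $newest"
    return 0
}
```

Run it as root or a member of the group that can read /var/log, otherwise the rotated files may not be visible to the glob.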