SSH in Ubuntu OpenVZ Doesn’t Log to Auth.log File

I have a couple of Ubuntu 8.04 OpenVZ VPS’s, and I use the Deny Hosts script to block hackers trying to bruteforce SSH. However, the other day I noticed two files in /var/ on one of my VPS’s: logauth.log and logmail.err. Logauth.log was sitting at 105 megabytes! Not only was the info being logged to the wrong file, but the log wouldn’t be rotated (meaning that it would eventually become so bloated that it’d take forever to read).

As quite a few of my VPS’s were affected, I guess there’s a bug with some of the OpenVZ Ubuntu 8.04 images where SSH logins (and mail errors) are logged to the wrong file. Easy enough to fix – just edit /etc/syslog.conf and change any instance of /var/logauth.log to read /var/log/auth.log. While we’re at it, change /var/logmail.err Instance to say /var/log/mail.err.

Restarting sysklogd should load up the new values, but if you want to be paranoid I suppose you could just reboot the VPS (shouldn’t be necessary, but if you do rather use the hosting company’s control panel to do it)