Versions OPNsense 22.7.10_2-amd64
I can see the SSH failed login information from the System | Log Files | Audit, with Multiselect on and all display. Example below:
Error | sshd | error: PAM: Authentication error for USER from 192.168.1.221
Warning | audit | user USER could not authenticate for sshd. [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]
Debug | audit | user USER failed authentication for sshd on OPNsense\Auth\Services\System via OPNsense\Auth\Local
I can see the WebGui logout and successful login information. Example below:
Notice | audit | /index.php: Successful login for user 'USER' from: 192.168.1.221
Notice | audit | user USER authenticated successfully for WebGui [using OPNsense\Auth\Services\WebGui + OPNsense\Auth\Local]
Notice | audit | /index.php: User logged out for user 'USER' from: 192.168.1.221
However, I did multiple failed logins between the log out and login show above and I was unable to see that.
I couldn't find anything on the GitHub Issues or searching the forum. Do other people get the same result?
should be there if username and passwords wasn't empty:
https://github.com/opnsense/core/blob/f5323689f3db9e91fa9f1a15e66e20f6e1e2fbba/src/etc/inc/authgui.inc#L212
Ah, that's where I was going wrong. Trying with empty passwords.
Thank you for the prompt reply Fright! :-)
Have been trying to build some MONIT alerts for failed logins, Web GUI and SSH
Path | /var/log/audit/latest.log
Condition | content = 'Web GUI authentication error'
Path | /var/log/audit/latest.log
Condition | content = 'PAM: Authentication error'
Interestingly the SSH error will work on empty password.