I occasionally see messages in my logwatch report but then cannot find the actual log entry. Is there any way I can have logwatch give a clearer report?
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=a-specific-user rhost=22.214.171.124 : 7 Time(s)
check pass; user unknown: 7 Time(s)
Someone obviously tried to break into my FTP server at some time during the day. However, I haven't a clue where I can find the specific entry so I can send it to the company and ask them to stop this person.
How can I get Logwatch to report the exact location of the log involved and the exact time? When I tried to search /var/logs/*.* for the IP, I came up empty.