Due to /etc/syslog.conf, incorrect password logins are
logged in /var/log/secure. However, incorrect user logins
are logged in /var/log/messages.
This is set like this for obvious security reasons. It can be
reconfigured using the syslog.con file if the system administrator
should need it to behave differently.
------- Additional Comments From 01/22/99 17:18 -------
I agree that logging to /var/log/messages is insecure. I'm requesting
that *both* types of messages be logged to /var/log/secure. That way
there's a single place to look for account guessing activity.