Could not get shadow information for NOUSER

sshd[29181]: [ID 800047 auth.error] error: Could not get shadow information for NOUSER
This message can mean that someone is trying to log in to the server with an incorrect username. First off, these servers are on the internal network only, so we know somebody internal was trying to access them. I checked with the Security officer to see if he was scanning the servers, as the auditors are in, and to see if they were trying to find unsecured servers. This was not the case, so now they were wondering who was trying to gain access to these servers.
The times were different over the last few days since these alerts started, so it was not a scheduled task causing this, and most of the times were in the middle of the night.
I decided to ensure that logging was in place to try to track this user down. The steps I took were:
touch /var/adm/sshlog
In /usr/local/etc/sshd_config I uncommented the lines
SyslogFacility AUTH
LogLevel INFO
Then at the bottom of the /etc/syslog.conf file, I added the line
auth.debug /var/adm/sshlog
I then restarted the syslog daemon with
/etc/rc2.d/S74syslog stop
/etc/rc2.d/S74syslog start
So now the log will display the IP address the login request came from and also the username they are trying to connect as.
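Once /var/adm/sshlog is filling up, the NOUSER errors can be tied back to a source address by matching on the sshd process ID. The script below is an added example, not part of the original post; it assumes OpenSSH's "Invalid user NAME from ADDRESS" message format, and the sample log lines, host name, users and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of /var/adm/sshlog; host, PIDs, users and addresses are made up.
SAMPLE_LOG = """\
Oct 27 02:14:05 web01 sshd[29181]: [ID 800047 auth.info] Invalid user oracle from 10.20.30.44
Oct 27 02:14:05 web01 sshd[29181]: [ID 800047 auth.error] error: Could not get shadow information for NOUSER
Oct 27 02:14:05 web01 sshd[29181]: [ID 800047 auth.info] Failed password for invalid user oracle from 10.20.30.44 port 51812 ssh2
Oct 27 02:14:09 web01 sshd[29185]: [ID 800047 auth.info] Invalid user test from 10.20.30.44
Oct 27 02:14:09 web01 sshd[29185]: [ID 800047 auth.error] error: Could not get shadow information for NOUSER
Oct 27 03:40:11 web01 sshd[29302]: [ID 800047 auth.error] error: Could not get shadow information for NOUSER
Oct 27 09:02:30 web01 sshd[29410]: [ID 800047 auth.info] Accepted password for admin from 10.20.30.7 port 40022 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (?:\[ID \d+ \S+\] )?(.*)$")
# "Illegal user" is the wording older OpenSSH releases used for the same event.
INVALID = re.compile(r"(?:Invalid|Illegal) user (\S+) from (\S+)")
NOUSER = "Could not get shadow information for NOUSER"

def correlate(log_text):
    """Return ({source_ip: {"users": set, "times": [...]}}, [unattributed NOUSER times])."""
    source_by_pid = {}  # sshd PID -> (username, source IP); PIDs can repeat in long logs
    nouser_by_pid = {}  # sshd PID -> timestamp of the NOUSER error
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when, pid, msg = m.groups()
        hit = INVALID.search(msg)
        if hit:
            source_by_pid[pid] = hit.groups()
        elif NOUSER in msg:
            nouser_by_pid[pid] = when
    by_source = defaultdict(lambda: {"users": set(), "times": []})
    unattributed = []  # NOUSER errors with no source line, e.g. logged before auth.debug was on
    for pid, when in nouser_by_pid.items():
        if pid in source_by_pid:
            user, ip = source_by_pid[pid]
            by_source[ip]["users"].add(user)
            by_source[ip]["times"].append(when)
        else:
            unattributed.append(when)
    return dict(by_source), unattributed

if __name__ == "__main__":
    sources, orphans = correlate(SAMPLE_LOG)
    for ip, info in sources.items():
        print(ip, sorted(info["users"]), info["times"])
    print("NOUSER errors with no source line:", orphans)
```

To run it against the real file, pass `open("/var/adm/sshlog").read()` to `correlate()` in place of the sample.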
Well, I hope this helps. I am always looking at ways to improve, and so I am always interested in feedback, so feel free to add any comments here.
Wednesday, 27 October 2010