since the rewrite of the of the syslog config in the cli, anything gets logged to /var/log/messages. The config in the cli dictates the verbosity, systemd forwards everything (level debug).
So, successful authentication as well as failed authentication ends up in messages too, along with anything else.
That is the issue in https://phabricator.vyos.net/T963.
So, generally if a user wants to debug authentication he/she needs to increase the level from currently notice to debug anyway, so why not filtering it to a different file then as well?
Once not needed anymore the config can be reverted by the user.
That would mean the removal of the op command ‘show log auth’ since it expects the content in /var/log/auth.
The other option would be to log to auth again to get the op command working, which results in the issue that you have the data logged to messages and auth. That behavior was broken in 1.1 already and duplicated messages were created.
I’d like to gather your opinions on that to come to a decision how we should deal with it in the future.
(I gotta check the documentation to see if it needs an update making then clear what is expected vs. unexpected behavior).