I've attached a patch that uses SO_PEERCRED to find the PID/UID/GID of the application using syslog. I wanted to be able to prevent users faking messages but at the same time not lose some of sshd's messages that are sent from a non-privileged process. The next step would be to send users' other messages to /home/$FROM_USER/syslog which would be owned by them - but owner(....) is only evaluated at startup...

Sample config:

  filter f_sshd { uid(0) and program("sshd"); };
  filter f_sshdu { not uid(0) and program("sshd") and pid(); };   # pid() checks PID in message is correct

  destination sshd { file("/var/log/sshd.$YEAR$MONTH" template("$DAY $HOUR:$MIN:$SEC $MSG\n") template-escape(no)); };
  log { source(local); filter(f_sshd); destination(sshd); };

  destination usshd { file("/var/log/sshd.$YEAR$MONTH" template("$DAY $HOUR:$MIN:$SEC $PROGRAM[$PID]: ($FROM_USER) $MSGONLY\n") template-escape(no)); };
  log { source(local); filter(f_sshdu); destination(usshd); };

* Allows log messages from sshd as root and from sshd as a user to be distinguished
* Further processing of the log can be assured of the authenticity of the message
* No need to restrict access to /dev/log and lose otherwise useful logging

Sample log:

  sshd[30955]: Connection from 0.0.0.0 port 0
  sshd[30955]: Failed none for nobody from 0.0.0.0 port 0 ssh2
  sshd[30955]: (nobody) Found matching DSA key: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
  sshd[30955]: (nobody) Found matching DSA key: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
  sshd[30955]: Accepted publickey for nobody from 0.0.0.0 port 0 ssh2
  sshd[30957]: (nobody) Connection closed by 0.0.0.0
  sshd[30957]: (nobody) Closing connection to 0.0.0.0

-- 
Simon Arlott
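The check the posted filters rely on, as an added illustration that is not Simon's patch or syslog-ng code: read the kernel-verified sender credentials from a connected AF_UNIX stream socket with SO_PEERCRED and trust a line only if the sender is root or the PID in its "program[pid]:" tag matches the peer PID (the "pid()" filter above). It assumes Linux and a stream socket; a socketpair stands in for /dev/log so the example runs stand-alone, and the function names are this example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Fetch the credentials the kernel recorded for the peer of a connected
 * AF_UNIX stream socket. Returns 0 on success, -1 on error. */
int peer_creds(int fd, struct ucred *out)
{
    socklen_t len = sizeof(*out);
    return getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len);
}

/* Parse the PID out of a leading "program[pid]:" syslog tag.
 * Returns the claimed PID, or -1 if the line carries no such tag. */
long claimed_pid(const char *msg)
{
    const char *lb = strchr(msg, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    if (!lb || !rb || rb[1] != ':') return -1;
    char *end;
    long pid = strtol(lb + 1, &end, 10);
    return (end == rb && end != lb + 1 && pid > 0) ? pid : -1;
}

/* Same decision as "uid(0)" or "pid()" in the posted config: root may
 * say anything; anyone else must tag the line with their real PID. */
int message_trusted(const struct ucred *cr, const char *msg)
{
    if (cr->uid == 0) return 1;
    long pid = claimed_pid(msg);
    return pid != -1 && (pid_t)pid == cr->pid;
}

/* Helper for exercising the rule with constructed sender credentials. */
int check(pid_t sender_pid, uid_t sender_uid, const char *msg)
{
    struct ucred cr = { .pid = sender_pid, .uid = sender_uid, .gid = sender_uid };
    return message_trusted(&cr, msg);
}

/* End-to-end: both socket ends are this process, so SO_PEERCRED yields
 * our own PID and a line tagged with getpid() is accepted. Returns 1. */
int demo_self(void)
{
    int sv[2], ok = -1;
    char line[64];
    struct ucred cr;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    snprintf(line, sizeof line, "sshd[%ld]: Accepted publickey", (long)getpid());
    if (peer_creds(sv[0], &cr) == 0) ok = message_trusted(&cr, line);
    close(sv[0]); close(sv[1]);
    return ok;
}
```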
On Fri, 2007-09-21 at 17:55 +0100, Simon Arlott wrote:
> I've attached a patch that uses SO_PEERCRED to find the PID/UID/GID of the application using syslog. I wanted to be able to prevent users faking messages but at the same time not lose some of sshd's messages that are sent from a non-privileged process. The next step would be to send users' other messages to /home/$FROM_USER/syslog which would be owned by them - but owner(....) is only evaluated at startup...
Thanks for your contribution. The patch seems to be nicely implemented; some nits here and there, but nothing severe. Could you please sign our contributor license agreement and fax it to us so I can actually use the code you posted? The document is here: http://www.balabit.com/dl/CLA_patch.pdf

-- 
Bazsi
Participants (2): Balazs Scheidler, Simon Arlott