Hi guys,

Having a bit of trouble logging sshd messages to my host. Sshd logs fine using syslog but I get nothing using Syslog-NG. I tried changing the SyslogFacility to DAEMON in sshd_config and still nothing. I have the following lines in my config which should have caught something:

options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_local {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-dgram("/dev/log");
    # unix-stream("/dev/log");
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
    internal();
};

destination secure { file("/var/log/secure"); };
destination messages { file("/var/log/messages"); };

filter f_daemon { facility(daemon); };
filter f_authpriv { facility(auth, authpriv); };

log { source(s_local); filter(f_authpriv); destination(secure); };
log { source(s_local); filter(f_daemon); destination(messages); };
log { source(s_local); destination(loghost); };

My sshd config looks like this:

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
Subsystem sftp /usr/libexec/openssh/sftp-server

Any help is appreciated

-Chris
Hi,

Please check that sshd indeed sends messages to syslog-ng by using strace. Then, if it does, please also validate that it is indeed using the facility/priority values that you are filtering with. Something like this would probably help:

strace -o sshd.trace -s 1024 -f -p <pidofsshd>

Make sure that sshd.trace is not user-accessible, as it may contain sensitive information. You should look for strace entries that contain the log messages that you are interested in.

On Tue, 2009-01-06 at 08:41 -0500, Christopher Bland wrote:
> Hi guys,
>
> Having a bit of trouble logging sshd messages to my host. Sshd logs fine using syslog but I get nothing using Syslog-NG. I tried changing the SyslogFacility to DAEMON in sshd_config and still nothing. I have the following lines in my config which should have caught something:
>
> options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); };
>
> source s_local { file ("/proc/kmsg" log_prefix("kernel: ")); unix-dgram("/dev/log"); # unix-stream("/dev/log"); udp(ip(0.0.0.0) port(514)); tcp(ip(0.0.0.0) port(514)); internal(); };
>
> destination secure { file("/var/log/secure"); };
> destination messages { file("/var/log/messages"); };
>
> filter f_daemon { facility(daemon); };
> filter f_authpriv { facility(auth, authpriv); };
>
> log { source(s_local); filter(f_authpriv); destination(secure); };
> log { source(s_local); filter(f_daemon); destination(messages); };
> log { source(s_local); destination(loghost); };
>
> My sshd config looks like this:
>
> Protocol 2
> SyslogFacility AUTHPRIV
> PasswordAuthentication yes
> ChallengeResponseAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UsePAM yes
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
> Any help is appreciated
-- Bazsi
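The reply above suggests tracing sshd and then checking which facility/priority each logged message actually carries. The script below is an added example (not part of this thread, and not syslog-ng or OpenSSH code) that does that second step: it scans an strace capture for write/send calls to the syslog socket, decodes the leading "<PRI>" field into facility and severity names (PRI = facility * 8 + severity, per RFC 3164/5424), and reports which messages a facility(auth, authpriv) filter like f_authpriv would not match. The trace lines embedded in SAMPLE_TRACE are constructed for the example, as are the pid and message bodies in them.

```python
"""Decode syslog PRI values from an strace capture of sshd and compare
them against the facilities a syslog-ng filter would accept."""
import codecs
import re
from collections import Counter

# Facility codes (index = facility number) and severity codes from RFC 3164/5424.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Optional pid prefix written by `strace -f` ("4821  ..." or "[pid 4821] ...").
PID_RE = re.compile(r"^\s*(?:\[pid\s+)?(?P<pid>\d+)\]?\s+")
# A write/send* call whose payload begins with a syslog PRI field "<N>".
MSG_RE = re.compile(
    r'(?P<call>write|send|sendto|sendmsg)\(.*?"<(?P<pri>\d{1,3})>(?P<body>(?:[^"\\]|\\.)*)"'
)

# Constructed sample trace (not a real capture): two authpriv messages, one
# daemon message, plus unrelated syscalls that must be ignored.
SAMPLE_TRACE = """\
4821  connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
4821  sendto(4, "<86>Jan  6 08:41:02 sshd[4821]: Accepted password for chris from 192.0.2.10 port 52114 ssh2", 90, MSG_NOSIGNAL, NULL, 0) = 90
4821  sendto(4, "<85>Jan  6 08:41:02 sshd[4821]: pam_unix(sshd:session): session opened for user chris by (uid=0)", 96, MSG_NOSIGNAL, NULL, 0) = 96
4830  write(2, "debug1: server_input_channel_req: channel 0 request pty-req reply 1\\n", 68) = 68
4821  sendto(4, "<30>Jan  6 08:41:05 sshd[4821]: Received disconnect from 192.0.2.10: 11: disconnected by user", 91, MSG_NOSIGNAL, NULL, 0) = 91
"""


def decode_pri(pri):
    """Split a PRI value into (facility, severity) names; PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def _unescape(text):
    # strace prints payloads as C string literals (\n, \", \\, \ooo, \xhh).
    return codecs.decode(text.encode("latin-1"), "unicode_escape")


def extract_syslog_messages(trace_text):
    """Return one dict per syslog message found in the strace output."""
    messages = []
    for line in trace_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not a write/send carrying a "<PRI>" payload
        pid_match = PID_RE.match(line)
        pri = int(m.group("pri"))
        facility, severity = decode_pri(pri)
        messages.append({
            "pid": int(pid_match.group("pid")) if pid_match else None,
            "call": m.group("call"),
            "pri": pri,
            "facility": facility,
            "severity": severity,
            "body": _unescape(m.group("body")),
        })
    return messages


def facility_summary(messages):
    """Count messages per facility.severity, the figure to compare against the filters."""
    return Counter(f'{m["facility"]}.{m["severity"]}' for m in messages)


def unmatched_by_filter(messages, filter_facilities):
    """Messages that a syslog-ng facility(...) filter with these facilities would drop."""
    allowed = set(filter_facilities)
    return [m for m in messages if m["facility"] not in allowed]


if __name__ == "__main__":
    msgs = extract_syslog_messages(SAMPLE_TRACE)
    for m in msgs:
        print(f'pid {m["pid"]} {m["call"]}: <{m["pri"]}> = '
              f'{m["facility"]}.{m["severity"]}: {m["body"][:60]}')
    print("per facility.severity:", dict(facility_summary(msgs)))
    dropped = unmatched_by_filter(msgs, ["auth", "authpriv"])
    print(f"{len(dropped)} message(s) would not pass a facility(auth, authpriv) filter")
```

To use it on a real capture, read the file produced by the strace command from the reply instead of SAMPLE_TRACE (and treat that file as sensitive, as the reply notes). If the summary shows facilities you did not expect, the sshd SyslogFacility setting and the syslog-ng filter are the two places to reconcile; if no "<PRI>" payloads appear at all, sshd is not reaching the socket syslog-ng is listening on.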