Hello,

I have spent the last day hacking around with syslog-ng, and think it is great. I have just one problem that I have not found an answer to in searching google. I am having difficulty getting it to pick up the entries from sshd2. I have sshd2 set up for SyslogFacility AUTH, and get authentication attempts logged in /var/log/secure using the standard logger, but cannot get them picked up by syslog-ng. I have tried some of the various filters that I have found, but still no information shows up. Anyone have this working?

syslog-ng version 1.4.17, Mandrake 8.1, 8.2, 9.0, SSH 3.2.2

At this point, just getting it to log locally is fine, as I have been able to get logs to be sent using stunnel, but pretty much gutted the configs down to get this working.

Thanks go out to all for syslog-ng and for their support.

-Wolverine
On Mon, Dec 09, 2002 at 05:22:50PM -0500, wolverine wrote:
Hello,
I have spent the last day hacking around with syslog-ng, and think it is great. I have just one problem that I have not found an answer to in searching google. I am having difficulty getting it to pick up the entries from sshd2. I have sshd2 set up for SyslogFacility AUTH, and get authentication attempts logged in /var/log/secure using the standard logger, but cannot get them picked up by syslog-ng. I have tried some of the various filters that I have found, but still no information shows up. Anyone have this working?
syslog-ng version 1.4.17, Mandrake 8.1, 8.2, 9.0, SSH 3.2.2

At this point, just getting it to log locally is fine, as I have been able to get logs to be sent using stunnel, but pretty much gutted the configs down to get this working.
Thanks go out to all for syslog-ng and for their support.
Linux likes to use the LOG_AUTHPRIV facility for everything, and calls AUTH legacy and insecure due to syslogd's habit of writing to messages, which is readable by all. Whatever... *all* my logs are readable only by root. Users can darned well write to a log file.

Filter for both AUTH and AUTHPRIV and you will be happy.

If you have a BSD system that is causing you grief, it uses LOG_SECURE (not found under Linux). The syslog-ng server is easily hacked to know about the many oddities of "better" facilities.

-----------------------------------------------------------------------
   __o          Bradley Arlt                      Security Team Lead
 _ \<_          arlt@cpsc.ucalgary.ca             University Of Calgary
(_)/(_)         I should be biking right now.     Computer Science
Brad Arlt writes:
I am having difficulty getting [syslog-ng] to pick up the entries from sshd2.
Which reminds me - I'm using OpenSSHd on a bunch of machines, with the privilege separation feature enabled, and it turns out that some of the log messages disappear unless you add another log device (/var/run/log in *BSD) into the chroot used by OpenSSHd.

-- 
Ed
On Mon, Dec 09, 2002 at 08:43:50PM -0500, Ed Ravin wrote:
Brad Arlt writes:
I am having difficulty getting [syslog-ng] to pick up the entries from sshd2.
Which reminds me - I'm using OpenSSHd on a bunch of machines, with the privilege separation feature enabled, and it turns out that some of the log messages disappear unless you add another log device (/var/run/log in *BSD) into the chroot used by OpenSSHd.
If you chroot, this is expected. Programs do their logging via /dev/log, and need the device node to do their thing.

-----------------------------------------------------------------------
   __o          Bradley Arlt                      Security Team Lead
 _ \<_          arlt@cpsc.ucalgary.ca             University Of Calgary
(_)/(_)         I should be biking right now.     Computer Science
That did the trick. I am attaching the sections below, and the output I was looking for and received, in case someone else needs it. I also took a look at the "expanded syslog-ng.conf" file that came in last night. _NICE_. Thanks again for the assistance.

filter f_authlog { facility(auth,authpriv); };
destination d_sec { file("/var/log/$HOST/secure.log"); };
destination stunnel { tcp("localhost" port(5141)); };
log { source(s_sys); filter(f_authlog); destination(d_sec); destination(stunnel); };

# Output in logs local and remote
Dec 10 08:41:28 ss-rtcw sshd2[18968]: connection from "192.168.1.248"
Dec 10 08:41:30 ss-rtcw sshd2[27981]: Remote host disconnected: Authentication cancelled by user.
Dec 10 08:41:30 ss-rtcw sshd2[27981]: authentication cancelled by user: 'Authentication cancelled by user.'

Thanks again to everyone.
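As an added example (not the poster's configuration and not a file shipped with syslog-ng), here is a complete syslog-ng 1.x-style syslog-ng.conf that puts the three points raised in this thread into one file: the filter matches both auth and authpriv, a second unix-dgram source picks up the /dev/log socket inside the sshd privilege-separation chroot that would otherwise swallow messages, and the resulting log file is created readable only by root. The chroot directory /var/empty/sshd, the option names and the perm() option on a unix-dgram source are assumptions to be checked against the manual for the exact syslog-ng release in use; the stunnel port and the secure.log path are taken from the post above.

```conf
# syslog-ng.conf - added example, not from the original thread.
# Assumed layout: syslog-ng 1.x option names, OpenSSH privsep chroot at
# /var/empty/sshd, stunnel listening on localhost:5141 (port from the thread).

options {
    use_dns(no);             # do not stall on reverse lookups while logging
    keep_hostname(yes);      # keep the hostname the sender put in the message
    create_dirs(yes);        # let $HOST directories under /var/log be created
    dir_perm(0700);          # ... but only root may list them
    owner(root); group(root); perm(0600);   # default perms for created log files
};

# Normal local socket plus syslog-ng's own messages.
source s_sys {
    unix-dgram("/dev/log");
    internal();
};

# Second /dev/log inside the sshd chroot. The directory must exist before
# syslog-ng starts (mkdir -p /var/empty/sshd/dev); syslog-ng creates the socket
# node itself. perm(0666) is needed because the unprivileged privsep child is
# not root, and is assumed to be accepted on unix-dgram sources in this release.
source s_sshd_chroot {
    unix-dgram("/var/empty/sshd/dev/log" perm(0666));
};

# Match both facilities: Linux sshd builds log to authpriv, others to auth.
filter f_authlog { facility(auth, authpriv); };

# Local copy, root-only, one file per sending host.
destination d_sec {
    file("/var/log/$HOST/secure.log" owner(root) group(root) perm(0600));
};

# Forward a copy to the local stunnel endpoint, which wraps it in TLS.
destination d_stunnel { tcp("localhost" port(5141)); };

log {
    source(s_sys);
    source(s_sshd_chroot);
    filter(f_authlog);
    destination(d_sec);
    destination(d_stunnel);
};
```

A quick check after reloading is to log in over ssh once and confirm that both the pre-authentication lines (emitted by the chrooted child, so only visible if the second socket works) and the post-authentication lines land in /var/log/<host>/secure.log; if only the latter appear, the chroot socket path or its permissions are wrong.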
participants (3): Brad Arlt, Ed Ravin, wolverine