[syslog-ng] sshd2 logging needed
Brad Arlt
arlt@cpsc.ucalgary.ca
Mon, 9 Dec 2002 17:48:57 -0700
On Mon, Dec 09, 2002 at 05:22:50PM -0500, wolverine wrote:
> Hello,
>
> I have spent the last day hacking around with syslog-ng, and think it is
> great. I have just one problem that I have not found an answer to in
> searching Google. I am having difficulty getting it to pick up the
> entries from sshd2. I have sshd2 set up for SyslogFacility AUTH, and
> get authentication attempts logged in /var/log/secure using the standard
> logger, but cannot get them picked up by syslog-ng. I have tried some
> of the various filters that I have found, but still no information shows
> up. Anyone have this working?
>
> syslog-ng version 1.4.17
> Mandrake 8.1, 8.2, 9.0,
> SSH 3.2.2
>
> At this point, just getting it to log local is fine, as I have been able to
> get logs to be sent using stunnel, but pretty much gutted the configs
> down to get this working.
>
> Thanks go out to all for syslog-ng and for their support.

Linux likes to use the LOG_AUTHPRIV facility for everything, and call
AUTH legacy and unsecure due to syslogd's habit of writing to messages
which is readable by all. Whatever... *all* my logs are readable only
by root. Users can darned well write to a log file.

Filter for both AUTH and AUTHPRIV and you will be happy.

If you have a BSD system that is causing you grief, it uses LOG_SECURE
(not found under Linux). The syslog-ng server is easily hacked to
know about the many oddities of "better" facilities.
-----------------------------------------------------------------------
__o Bradley Arlt Security Team Lead
_ \<_ arlt@cpsc.ucalgary.ca University Of Calgary
(_)/(_) I should be biking right now. Computer Science
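
The filter suggested in the reply above, written out as a syslog-ng.conf fragment. This is an added example, not part of the original thread; the names src, f_auth and d_auth, the /dev/log source and the /var/log/secure destination are assumptions.

```conf
# Added example, not from the original thread.
# Assumed names: src, f_auth, d_auth. Assumed paths: /dev/log, /var/log/secure.

# Local messages: the syslog socket plus syslog-ng's own internal messages.
source src { unix-stream("/dev/log"); internal(); };

# sshd2 configured with "SyslogFacility AUTH" logs to auth (facility 4),
# while most Linux daemons log to authpriv (facility 10). A filter that
# names only authpriv drops the sshd2 entries, so match both.
filter f_auth { facility(auth, authpriv); };

# Authentication log kept readable by root only.
destination d_auth {
    file("/var/log/secure" owner("root") group("root") perm(0600));
};

log { source(src); filter(f_auth); destination(d_auth); };
```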