[syslog-ng]sshd2 logging needed

Brad Arlt arlt@cpsc.ucalgary.ca
Mon, 9 Dec 2002 17:48:57 -0700

On Mon, Dec 09, 2002 at 05:22:50PM -0500, wolverine wrote:
> Hello,
> I have spent the last day hacking around with syslog-ng, and thinks is
> great.  I have just one problem that I have not found an answer to in
> searching google.  I am having difficulty getting it to pick up the
> entries from sshd2.  I have sshd2 set up for SyslogFacility  AUTH, and
> get authentication attempts logged in /var/log/secure using the standard
> logger, but cannot get them picked up by syslog-ng.  I have tried some
> of the various filters that I have found, but still no information shows
> up.  Anyone have this working?  
> syslog-ng version 1.4.17
> Mandrake 8.1, 8.2, 9.0, 
> SSH 3.2.2
> At this point, just getting it to log local is fine, as I have been able to
> get logs to be sent using stunnel, but pretty much gutted the configs
> down to get this working.
> Thanks go out to all for syslog-ng and for their support.

Linux likes to use the LOG_AUTHPRIV facility for everything, and call
AUTH legacy and unsecure due to syslogds habbit of writing to messages
which is readable by all.  Whatever... *all* my logs are readable only
by root.  Users can darned well write to a log file.

Filter for both AUTH and AUTHPRIV and you will be happy.

If you have a BSD system that is causing you grief, it uses LOG_SECURE
(not found under Linux).  The syslog-ng server is easily hacked to
know about the many oddities of "better" facilties.
   __o		Bradley Arlt			Security Team Lead
 _ \<_		arlt@cpsc.ucalgary.ca		University Of Calgary
(_)/(_) 	I should be biking right now.	Computer Science