[syslog-ng] Syslog-NG Openssh RHEL 4
Balazs Scheidler
bazsi at balabit.hu
Thu Jan 8 21:35:26 CET 2009
Hi,
Please check that sshd indeed sends messages to syslog-ng by using
strace. Then if it does please also validate that it is indeed using the
facility/priority values that you are filtering with.
Something like this would probably help:
strace -o sshd.trace -s 1024 -f -p <pidofsshd>
Make sure that sshd.trace is not user-accessible as it may contain
sensitive information.
You should look for strace entries that contain log messages that you
are interested in.
On Tue, 2009-01-06 at 08:41 -0500, Christopher Bland wrote:
> Hi guys,
>
> Having a bit of trouble logging sshd messages to my host. Sshd logs
> fine using syslog but I get nothing using Syslog-NG. I tried changing
> the SyslogFacility to DAEMON in sshd_config and still nothing. I have
> the following lines in my config which should have caught something:
>
> options {
> sync (0);
> time_reopen (10);
> log_fifo_size (1000);
> long_hostnames (off);
> use_dns (no);
> use_fqdn (no);
> create_dirs (no);
> keep_hostname (yes);
> };
>
> source s_local {
> file ("/proc/kmsg" log_prefix("kernel: "));
> unix-dgram("/dev/log");
> # unix-stream("/dev/log");
> udp(ip(0.0.0.0) port(514));
> tcp(ip(0.0.0.0) port(514));
> internal();
> };
>
> destination secure { file("/var/log/secure"); };
> destination messages { file("/var/log/messages"); };
>
> filter f_daemon { facility(daemon); };
> filter f_authpriv { facility(auth, authpriv); };
>
> log { source(s_local); filter(f_authpriv); destination(secure); };
> log { source(s_local); filter(f_daemon); destination(messages); };
> log { source(s_local); destination(loghost); };
>
> My sshd config looks like this:
> Protocol 2
> SyslogFacility AUTHPRIV
> PasswordAuthentication yes
> ChallengeResponseAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UsePAM yes
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
> Any help is appreciated
--
Bazsi
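The second check Bazsi suggests (confirming which facility/priority sshd actually stamps on each message) can be done directly against the strace output. This is an added example, not part of the thread: it pulls the quoted syslog payloads out of the send()/sendto()/write() calls in an strace trace, decodes the <PRI> prefix, and reports which of the poster's f_authpriv / f_daemon filters would accept each message. The sample trace lines are constructed, not captured from a real sshd.

```python
import re

# RFC 3164 facility codes, named as syslog-ng's facility() filter expects them.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: "local%d" % i for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# strace renders the buffer argument as a C string literal: sendto(fd, "...", len, ...)
STRACE_SEND = re.compile(r'\b(?:send|sendto|write)\(\d+,\s*"((?:[^"\\]|\\.)*)"')
PRI_PREFIX = re.compile(r"^<(\d{1,3})>")

def decode_pri(pri):
    """Split a PRI value into (facility, severity) names: PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES.get(pri >> 3, "facility%d" % (pri >> 3)), SEVERITIES[pri & 7]

def syslog_messages_from_strace(trace_text):
    """Yield (facility, severity, message) for each traced payload that starts with <PRI>."""
    for line in trace_text.splitlines():
        m = STRACE_SEND.search(line)
        if not m:
            continue
        payload = m.group(1).encode().decode("unicode_escape")  # undo strace's C escaping
        p = PRI_PREFIX.match(payload)
        if p:
            facility, severity = decode_pri(int(p.group(1)))
            yield facility, severity, payload[p.end():]

def matching_filters(facility, filters):
    """Names of the filters (name -> set of facilities, as in the config) that accept this facility."""
    return sorted(name for name, facs in filters.items() if facility in facs)

# The two facility filters from the poster's syslog-ng.conf
FILTERS = {"f_authpriv": {"auth", "authpriv"}, "f_daemon": {"daemon"}}

# Constructed sample of what `strace -o sshd.trace -s 1024 -f -p <pid>` records; not a real capture.
SAMPLE_TRACE = r'''12345 connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
12345 sendto(3, "<86>Jan  8 21:35:26 sshd[12345]: Accepted password for alice from 10.0.0.5 port 50122 ssh2", 90, MSG_NOSIGNAL, NULL, 0) = 90
12345 sendto(3, "<30>Jan  8 21:35:27 sshd[12345]: Received disconnect from 10.0.0.5: 11: disconnected by user", 92, MSG_NOSIGNAL, NULL, 0) = 92
12345 write(7, "not a syslog message", 20) = 20'''

if __name__ == "__main__":
    for fac, sev, msg in syslog_messages_from_strace(SAMPLE_TRACE):
        print("%s.%s -> %s: %s" % (fac, sev, matching_filters(fac, FILTERS) or "no filter", msg))
```

A message whose facility lands in "no filter" is the one to investigate: it means sshd is logging, but under a facility none of the configured filters selects.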