[syslog-ng] Try again: What's wrong with my config?

Laszlo Szemere (lszemere) Laszlo.Szemere at oneidentity.com
Tue Apr 13 07:19:45 UTC 2021 

Hello Dan,

Just before the list went down Fabien Wernli <wernli at in2p3.fr> replied to your message, pointing out that the "sshd" program name was misspelled in your configuration to "ssdhd". Can you check please, if that was only a typo in your email to the list, or your original configuration is affected too?

Br,
Laci

________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Dan Egli <dan at newideatest.site>
Sent: Tuesday, April 13, 2021 09:14
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] Try again: What's wrong with my config?

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.


Okay. I'm completely stumped on this, and just before the list went down I was hoping someone could help me with this.

I'm trying to break everything out of the monolithic /var/log/messages and place each service in it's own log file. To that extent, I created the following config file:

syslog-ng config:

@version: 3.30

@include "scl.conf"

options {
        threaded(yes);
        chain_hostnames(no);

        stats_freq(43200);
        mark_freq(3600);
};

source src { system(); internal(); };
filter samba { program("samba") or program("nmbd") or program("smbd"); };
filter sshd { program("ssdhd"); };
filter syslog { not filter(sshd) and not filter(samba); };
destination console { file("/dev/tty12"); };
destination messages { file("/var/log/messages"); };
destination sshd_log { file("/var/log/sshd/sshd.log"); };

log { source(src); filter(sshd);   destination(sshd_log); flags(final); };
log { source(src); filter(syslog); destination(console); };
log { source(src); filter(syslog); destination(messages); };


so, as I understand the logic. The three log { } lines do this:
log { source(src); filter(sshd);   destination(sshd_log); flags(final); };       Anything from sshd gets written to the /var/log/sshd/sshd.log. Nothing else goes here.
log { source(src); filter(syslog); destination(console); };                     Anything that is not from sshd, not from smbd, not from sabma and not from nmbd goes to the /dev/tty12 device
log { source(src); filter(syslog); destination(messages); };                    likewises for /var/log/messages.


Is my understanding correct? If so, WHY do I see ssh log entries in /var/log/messages? And how do I stop it!? sshd messages should ONLY show up in /etc/sshd/sshd.log.

jupiter ~ # grep sshd /var/log/messages | head -n 2
Apr 13 00:00:50 jupiter sshd[14721]: Received disconnect from <IP> port 18726:11:  [preauth]
Apr 13 00:00:50 jupiter sshd[14721]: Disconnected from <IP> port 18726 [preauth]

Thanks!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20210413/ad856b72/attachment-0001.html>

More information about the syslog-ng mailing list