topic Re: syslog question in Operating System - HP-UX

syslog question

Andrew Kaplan — Thu, 07 Oct 2010 19:52:10 GMT

Hi there --

I am running HP-UX 11.00, and I reconfigured the /etc/syslog.conf file to copy its contents to a central log server by adding several lines to the existing file. The syntax that I used is shown below:

# Copy the contents of the syslog file to the syslog server.
*.info;mail.none @
*.alert @
*.emerg @
mail.debug @

After I made the changes to the syslog.conf file, I stopped and restarted the service via the /sbin/init.d/syslogd script.

Since that time, there have not been any updates to the /var/adm/syslog/syslog.log file. I am not sure if the fault is with the syntax that I used in the file, or not properly restarting the service.

Can someone provide information on this issue? Thanks.

Re: syslog question

Patrick Wallek — Thu, 07 Oct 2010 20:00:26 GMT

All white space in the file MUST be TABs.

*.info;mail.none@
...
...
...

If you just hit the space bar for white space, then it won't work.

Re: syslog question

Andrew Kaplan — Thu, 07 Oct 2010 21:17:01 GMT

Hi there --

Thanks for your reply. I re-entered the lines in question, and restarted the syslog daemon. When I logged in, and then changed to root user, there was a new entry added to the syslog.log file.

As a follow-up question: If I want to have all instances of ssh connections made to the system in question recorded to syslog.log, what syntax would I add to the configuration file? Thanks.

Re: syslog question

Bill Hassell — Fri, 08 Oct 2010 01:32:11 GMT

syslog does not control application logging. (man syslogd) If the application (ie, sshd) sends data to the syslogd daemon, it will be logged according to the general rules for facility and priority. There are many options to control what ssh messages are sent to syslog as well as the facility and priority.

man sudoers

Also, man sshd shows the -q option to silence all sshd syslog entries.

Re: syslog question

Patrick Wallek — Fri, 08 Oct 2010 02:08:41 GMT

>>man sudoers

'sudoers'???? I think Bill probably meant on of the 'ssh man pages. You should probably investigate the 'sshd' man page as well as the sshd_config and ssh_config man pages.

Re: syslog question

Bill Hassell — Fri, 08 Oct 2010 18:48:21 GMT

@patrick: man sudoers?

Yep. The sudoers man page covers a number of sshd logging options such as:

log_host
log_year
loglinelen
syslog_goodpri
syslog_badpri
logfile
syslog

These are set in the Defaults section of the sudoers file.

Re: syslog question

Andrew Kaplan — Fri, 08 Oct 2010 20:58:18 GMT

Maybe the question I should ask is where does ssh generate a log file? I checked the Loggin section of the sshd_config file, and the only entries present are the following:

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

Do I need to add an entry that will generate a log file? If so, what would be the correct syntax?

Re: syslog question

Andrew Kaplan — Fri, 08 Oct 2010 21:10:32 GMT

I think I found the answer. If I uncomment the LogLevel line in the sshd_config line, to read as:

LogLevel INFO

and then restart the sshd daemon. That should generate entries into the syslog.log file.

Correct?

Re: syslog question

Bill Hassell — Fri, 08 Oct 2010 22:05:27 GMT

Oops, sudoers has nothing to do with sshd. That's what happens when you have two screens active at the same time and only 1 keyboard.

Of course sshd_config is the location to control ssh logging. You can control the level (priority) of the logged messages as well as sftp transfers. The -q (if sshd is started with that option) turns off syslog from sshd.

To generate a separate file for sshd entries, there are the SyslogFacility and SftpLogFacility. Change the default (AUTH) to something like LOCAL6 and then modify the syslog.conf file to generate a new log called local6.log for sshd.