
Re: how to filter sshd in syslog.log to other file

 
SOLVED
Frequent Advisor

how to filter sshd in syslog.log to other file

I have a lot of messages like this in my /var/adm/syslog/syslog.log:

Nov 21 09:14:24 hostname sshd[13687]: Accepted password for oracle from 10.0.0.1 port 2831 ssh2
Nov 21 09:15:26 rubis sshd[14241]: Could not reverse map address 10.0.0.1.

How can I configure my /etc/syslog.conf in order to redirect these sshd messages to other file like /var/adm/syslog/sshd.log.

Right now I have configured ftpd and mail messages to other files.
4 REPLIES 4
Exalted Contributor

Re: how to filter sshd in syslog.log to other file

Honored Contributor

Re: how to filter sshd in syslog.log to other file

Hi

How about:-
cat syslog.log | grep sshd > sshd.log


Pqaula
If you can spell SysAdmin then you is one - anon
Honored Contributor
Solution

Re: how to filter sshd in syslog.log to other file

Change sshd's syslog facility in /etc/opt/ssh/sshd_config.

Then edit /etc/syslog.conf to log that facility to a different file.

eg:

local1.debug /var/adm/syslog/sshd.log

Make sure you add 'local1.none' to other rules or you still get sshd entries in the system log files.

Restart sshd and syslogd.

HTH.
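
A check for the 'local1.none' step in the answer above, as an added example that is not part of the original thread. The function names and the sample configuration are constructed for illustration; it assumes sshd logs to local1 and that rules use the usual facility.level;... selector followed by an action.

```shell
#!/bin/sh
# Added example: list syslog.conf rules that would still receive messages
# from a facility that has been given its own log file.
# Usage: leaky_rules FACILITY DEDICATED_LOG < syslog.conf
leaky_rules() {
    awk -v fac="$1" -v keep="$2" '
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    {
        sel = $1; action = $2
        if (action == keep) next            # the dedicated log is expected
        hit = 0
        n = split(sel, parts, ";")
        for (i = 1; i <= n; i++) {
            split(parts[i], fl, "[.]")      # fl[1] = facilities, fl[2] = level
            m = split(fl[1], facs, ",")
            for (j = 1; j <= m; j++)
                if (facs[j] == fac || facs[j] == "*")
                    hit = (fl[2] == "none") ? 0 : 1   # fac.none cancels a match
        }
        if (hit) print sel "\t" action
    }'
}

# Constructed sample configuration (not taken from a real host).
sample_conf() {
    printf 'mail.debug\t/var/adm/syslog/mail.log\n'
    printf '*.info;mail.none\t/var/adm/syslog/syslog.log\n'
    printf '*.alert;local1.none\t/dev/console\n'
    printf 'local1.debug\t/var/adm/syslog/sshd.log\n'
}

# Reports the syslog.log rule, which is still missing local1.none.
sample_conf | leaky_rules local1 /var/adm/syslog/sshd.log
```

Any rule it prints needs ';local1.none' appended to its selector before syslogd is restarted.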
Honored Contributor

Re: how to filter sshd in syslog.log to other file

Change these lines in /etc/opt/ssh/sshd_config

SyslogFacility AUTH
LogLevel INFO

Then restart sshd.

Then add this line to /etc/syslog.conf

auth.info;mail.none /var/adm/syslog/sshd.log

Then restart syslogd and you're done!
I'm from Palmerston North, New Zealand, but somehow ended up in London...