HPE Community
Operating System - HP-UX
1828809 Members
2703 Online
109985 Solutions
New Discussion

Re: syslog question

 
Andrew Kaplan
Super Advisor

‎10-07-2010 12:52 PM

‎10-07-2010 12:52 PM

syslog question

Hi there --

I am running HP-UX 11.00, and I reconfigured the /etc/syslog.conf file to copy its contents to a central log server by adding several lines to the existing file. The syntax that I used is shown below:

# Copy the contents of the syslog file to the syslog server.
*.info;mail.none @
*.alert @
*.emerg @
mail.debug @

After I made the changes to the syslog.conf file, I stopped and restarted the service via the /sbin/init.d/syslogd script.

Since that time, there have not been any updates to the /var/adm/syslog/syslog.log file. I am not sure if the fault is with the syntax that I used in the file, or not properly restarting the service.

Can someone provide information on this issue? Thanks.


A Journey In The Quest Of Knowledge
0 Kudos
Reply
8 REPLIES 8
Patrick Wallek
Honored Contributor

‎10-07-2010 01:00 PM

‎10-07-2010 01:00 PM

Re: syslog question

All white space in the file MUST be TABs.

*.info;mail.none@
...
...
...

If you just hit the space bar for white space, then it won't work.
0 Kudos
Reply
Andrew Kaplan
Super Advisor

‎10-07-2010 02:17 PM

‎10-07-2010 02:17 PM

Re: syslog question

Hi there --

Thanks for your reply. I re-entered the lines in question, and restarted the syslog daemon. When I logged in, and then changed to root user, there was a new entry added to the syslog.log file.

As a follow-up question: If I want to have all instances of ssh connections made to the system in question recorded to syslog.log, what syntax would I add to the configuration file? Thanks.
A Journey In The Quest Of Knowledge
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎10-07-2010 06:32 PM

‎10-07-2010 06:32 PM

Re: syslog question

syslog does not control application logging. (man syslogd) If the application (ie, sshd) sends data to the syslogd daemon, it will be logged according to the general rules for facility and priority. There are many options to control what ssh messages are sent to syslog as well as the facility and priority.

man sudoers

Also, man sshd shows the -q option to silence all sshd syslog entries.


Bill Hassell, sysadmin
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎10-07-2010 07:08 PM

‎10-07-2010 07:08 PM

Re: syslog question

>>man sudoers

'sudoers'???? I think Bill probably meant on of the 'ssh man pages. You should probably investigate the 'sshd' man page as well as the sshd_config and ssh_config man pages.
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎10-08-2010 11:48 AM

‎10-08-2010 11:48 AM

Re: syslog question

@patrick: man sudoers?

Yep. The sudoers man page covers a number of sshd logging options such as:

log_host
log_year
loglinelen
syslog_goodpri
syslog_badpri
logfile
syslog

These are set in the Defaults section of the sudoers file.


Bill Hassell, sysadmin
0 Kudos
Reply
Andrew Kaplan
Super Advisor

‎10-08-2010 01:58 PM

‎10-08-2010 01:58 PM

Re: syslog question

Maybe the question I should ask is where does ssh generate a log file? I checked the Loggin section of the sshd_config file, and the only entries present are the following:

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

Do I need to add an entry that will generate a log file? If so, what would be the correct syntax?
A Journey In The Quest Of Knowledge
0 Kudos
Reply
Andrew Kaplan
Super Advisor

‎10-08-2010 02:10 PM

‎10-08-2010 02:10 PM

Re: syslog question

I think I found the answer. If I uncomment the LogLevel line in the sshd_config line, to read as:

LogLevel INFO

and then restart the sshd daemon. That should generate entries into the syslog.log file.

Correct?

A Journey In The Quest Of Knowledge
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎10-08-2010 03:05 PM

‎10-08-2010 03:05 PM

Re: syslog question

Oops, sudoers has nothing to do with sshd. That's what happens when you have two screens active at the same time and only 1 keyboard.

Of course sshd_config is the location to control ssh logging. You can control the level (priority) of the logged messages as well as sftp transfers. The -q (if sshd is started with that option) turns off syslog from sshd.

To generate a separate file for sshd entries, there are the SyslogFacility and SftpLogFacility. Change the default (AUTH) to something like LOCAL6 and then modify the syslog.conf file to generate a new log called local6.log for sshd.


Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.