
sshd2_config logging: use which facility?

 
Lonny Balderston
Frequent Advisor


Greetings,

I wish to point my sshd logging to a file other than the system log. I think I understand how to do this, but do not know which logging facility to use; I do not want to interfere with the OS in any way.

Current config:
# grep SyslogFacility /etc/ssh2/sshd2_config
# SyslogFacility AUTH
# SyslogFacility LOCAL7
commented out....

# cat /etc/syslog.conf
# @(#) $Revision: 74.1 $
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug /var/adm/syslog/mail.log
*.info;mail.none;local5.none /var/adm/syslog/syslog.log
local5.info;mail.none /var/adm/syslog/ftp.log
*.alert /dev/console
*.alert root
*.emerg *
# 20060511 added for sshd2 message routing; LB:
[which facility?].debug;mail.none /var/adm/syslog/sshd2.log

Thank you.
Ivan Ferreira
Honored Contributor
Solution

Re: sshd2_config logging: use which facility?

Uncomment

SyslogFacility LOCAL7

Restart sshd.

Configure /etc/syslog.conf:

local7.debug;mail.none /var/adm/syslog/sshd2.log

Send HUP signal to the syslogd daemon.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ivan Ferreira
Honored Contributor

Re: sshd2_config logging: use which facility?

In fact, mail.none is not needed, just configure:

local7.debug /var/adm/syslog/sshd2.log

BTW, I just tested, it works.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Darrel Louis
Honored Contributor

Re: sshd2_config logging: use which facility?

Hi,

If sshd is the only service/app using local7,
you can use the following:

local7.* /var/adm/syslog/sshd2.log

Don't forget to use the tab!

Good luck

Darrel
Lonny Balderston
Frequent Advisor

Re: sshd2_config logging: use which facility?

> If sshd is the only service/app using local7

Precisely; how do I tell if local7 (or any other service/app) is in use?

Thanks. Points pending for all.
Ivan Ferreira
Honored Contributor

Re: sshd2_config logging: use which facility?

It is not easy to say. I think that the only way is to know if the configuration file for another service is pointing to local7, or if you see messages from other services in the sshd2.log file.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Darrel Louis
Honored Contributor

Re: sshd2_config logging: use which facility?

Hi Lonny,

I always check the log-file, what's being logged and then try to create a standard syslogd.conf file which will be spread to all the servers to create a standard.
But that needs time to investigate.

Darrel
RAC_1
Honored Contributor

Re: sshd2_config logging: use which facility?

As you increase the logging level, you would get log files with more and more detail. And yes, log files will grow fast. I would set it to 3. In case you have a problem, you can always increase the log level and analyze the messages.
There is no substitute to HARDWORK
Lonny Balderston
Frequent Advisor

Re: sshd2_config logging: use which facility?

Thank you all!

For those attempting "Redirect sshd2 messages, not to syslog" using this post:
- point ssh's SyslogFacility to local7 in /etc/ssh2/sshd2_config
- add to /etc/syslog.conf "local7.debug[tab]/var/adm/syslog/sshd2.log" and modify your syslog.log line to omit local7 "*.info;mail.none;local5.none;local7.none[tab]/var/adm/syslog/syslog.log"
- restart ssh (from GSP and after hours, dumps ssh sessions)
- restart syslogd
- check syslog/sshd2.log for operation
- and that's it!
Bill Hassell
Honored Contributor

Re: sshd2_config logging: use which facility?

There is no way to know whether a particular program uses one of the local# facilities. There are two ways to see this:

1. Add the local7 facility to syslog.conf then check it to see if anything else shows up...

2. Restart syslogd with the -v option. From now on, there will be two additional numbers in syslog which will show the facility and priority values in syslog files:

From man 3c syslog


Priority

0 = EMERG
1 = ALERT
2 = CRIT
3 = ERR
4 = WARNING
5 = NOTICE
6 = INFO
7 = DEBUG

Facility

A = KERN
B = USER
C = MAIL
D = DAEMON
E = AUTH
F = SYSLOG
G = LPR
H = NEWS
I = UUCP
J = CRON
Q = LOCAL0
R = LOCAL1
S = LOCAL2
T = LOCAL3
U = LOCAL4
V = LOCAL5
W = LOCAL6
X = LOCAL7

NOTE: syslog.conf is processed one line at a time. Unless specifically excluded, LOCAL7 will be logged in the normal syslog.log file as well as the sshd2.log file.


Bill Hassell, sysadmin
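
The NOTE above about line-by-line processing, worked through as an added example (not part of the original thread): a simplified model of syslog.conf selector matching that shows where a local7 message lands with and without `local7.none` on the syslog.log line. The matching rules are assumed classic syslogd semantics (a level matches itself and anything more severe, later fields override earlier ones); the function names are hypothetical and the config text is constructed from the lines quoted in this thread.

```python
# Added illustration: simplified model of syslog.conf selector matching (assumed
# classic semantics: a level matches itself and anything more severe).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def selector_matches(selector, facility, priority):
    """Evaluate ';'-separated fields left to right; a later field for the
    same facility overrides an earlier one, and 'none' excludes it."""
    matched = False
    for field in selector.split(";"):
        facs, level = field.rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue
        matched = level != "none" and (
            level == "*" or PRIORITIES.index(priority) <= PRIORITIES.index(level))
    return matched

def route(conf_text, facility, priority):
    """Return every action (file, user, device) that receives the message."""
    actions = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, priority):
            actions.append(action.strip())
    return actions

# Constructed from the syslog.conf lines quoted in this thread (tab-separated).
TEMPLATE = (
    "mail.debug\t/var/adm/syslog/mail.log\n"
    "{syslog_selector}\t/var/adm/syslog/syslog.log\n"
    "local5.info;mail.none\t/var/adm/syslog/ftp.log\n"
    "*.alert\t/dev/console\n"
    "*.alert\troot\n"
    "*.emerg\t*\n"
    "local7.debug\t/var/adm/syslog/sshd2.log\n"
)
BEFORE = TEMPLATE.format(syslog_selector="*.info;mail.none;local5.none")
AFTER = TEMPLATE.format(syslog_selector="*.info;mail.none;local5.none;local7.none")

if __name__ == "__main__":
    for name, conf in (("without local7.none", BEFORE), ("with local7.none", AFTER)):
        for prio in ("debug", "info", "alert"):
            print(name, "local7." + prio, "->", route(conf, "local7", prio))
```

Note that the `*.alert` lines still match local7 in both variants, so alert-level sshd messages continue to reach the console and root.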