
syslogd: sshd not logging to separate file

 
Ralph Grothe
Honored Contributor

syslogd: sshd not logging to separate file

Hi,

what the hack is wrong with this config?


# grep -v ^# /etc/syslog.conf
mail.debug /var/adm/syslog/mail.log
local6.debug /var/adm/syslog/sshd.log
*.info;local6,mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *


# grep -E '^Syslog|LogLevel' /opt/ssh/etc/sshd_config
SyslogFacility LOCAL6
LogLevel INFO


# /sbin/init.d/secsh start
HP-UX Secure Shell started

# ps -fp $(cat /var/run/sshd.pid)
UID PID PPID C STIME TTY TIME COMMAND
root 29239 1 0 18:06:47 ? 0:01 /opt/ssh/sbin/sshd -f /opt/ssh/etc/sshd_config


# ps -fp $(cat /var/run/syslog.pid)
UID PID PPID C STIME TTY TIME COMMAND
root 502 1 0 Dec 7 ? 0:00 /usr/sbin/syslogd -D


# kill -HUP $(cat /var/run/syslog.pid) && tail -1 /var/adm/syslog/syslog.log
Dec 9 18:11:02 jupiter syslogd: restart


But there is no separate sshd.log

# ll /var/adm/syslog/{syslog,sshd}.log
/var/adm/syslog/sshd.log not found
-rw-r--r-- 1 root root 288294 Dec 9 18:12 /var/adm/syslog/syslog.log



Madness, thy name is system administration
Fred Ruffet
Honored Contributor

Re: syslogd: sshd not logging to separate file

you ask for info6.debug to log into this particular file. info6.info is logged to syslog.log.

To log ssh to this particular file, you should have this line in /etc/syslog.conf :
local6.info /var/adm/syslog/sshd.log
then restart syslogd with "kill -1"

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
Sanjay_6
Honored Contributor

Re: syslogd: sshd not logging to separate file

hi,

Try this in your /etc/syslog.conf file,

local6.info /var/adm/syslog/sshd.log

restart syslogd.

Hope this helps.

regds

RAC_1
Honored Contributor

Re: syslogd: sshd not logging to separate file

You need as follows.

local6.info /var/adm/syslog/sshd.log
Restart syslogd after changes are made.

Anil
There is no substitute to HARDWORK
Ralph Grothe
Honored Contributor

Re: syslogd: sshd not logging to separate file

Hm, I thought level debug were lowest priority so that every utter should be logged.

I changed from debug to info.
I also tried with the sshd.log line above and below the facility "none" line.
It didn't work either way.


[root@jupiter:/etc]
# cat /etc/syslog.conf
# @(#) $Revision: 74.1 $
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug /var/adm/syslog/mail.log
*.info;local6,mail.none /var/adm/syslog/syslog.log
local6.info /var/adm/syslog/sshd.log
*.alert /dev/console
*.alert root
*.emerg *
[root@jupiter:/etc]
# kill -HUP $(cat /var/run/syslog.pid) && tail -1 /var/adm/syslog/syslog.log
Dec 9 18:33:38 jupiter syslogd: restart
[root@jupiter:/etc]
# ll /var/adm/syslog/sshd.log
/var/adm/syslog/sshd.log not found


Madness, thy name is system administration
Geoff Wild
Honored Contributor

Re: syslogd: sshd not logging to separate file

Do you have a "tab" between local6.info and /var/adm/syslog/sshd.log?

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Fred Ruffet
Honored Contributor

Re: syslogd: sshd not logging to separate file

sshd.log will only be created when needed for the first entry to put. Not at syslogd start.

Connect a new ssh session. Then file will be there.

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
Paul F. Carlson
Valued Contributor

Re: syslogd: sshd not logging to separate file

Try removing the local6 from the following line, that should work.

*.info;local6,mail.none /var/adm/syslog/syslog.log

should look like:

*.info;mail.none /var/adm/syslog/syslog.log
Link down -- cable problem?
Ralph Grothe
Honored Contributor

Re: syslogd: sshd not logging to separate file

Of course I did connect with ssh to the box right after reinitialization of syslogd.

Even this doesn't appear


[root@jupiter:/var/adm/syslog]
# logger -t HELP -p local6.info "a useless test string"
[root@jupiter:/var/adm/syslog]
# grep HELP syslog.log
[root@jupiter:/var/adm/syslog]
# ll -rt
total 70822
-rw-r--r-- 1 root root 7582739 Apr 5 2002 OLDsyslog.log.gz
-rw-r--r-- 1 root sys 3587637 Mar 30 2004 syslog.log_20030901-20040301.gz
-r--r--r-- 1 root root 2858664 Jul 1 01:58 syslog.log.6
-rw-r--r-- 1 root root 2657657 Aug 1 01:58 syslog.log.5
-r--r--r-- 1 root root 2688924 Sep 1 01:58 syslog.log.4
-r--r--r-- 1 root root 865999 Oct 1 02:00 syslog.log.3
-rw-r--r-- 1 root root 129790 Nov 1 01:59 syslog.log.2
-rw-r--r-- 1 root sys 4126357 Nov 29 11:24 syslog.log_till_200411291124.gz
-rw-r--r-- 1 root root 146258 Dec 1 01:58 syslog.log.1
-r--r--r-- 1 root root 618878 Dec 7 21:48 OLDsyslog.log
-r--r--r-- 1 root root 10368478 Dec 9 09:15 mail.log
-rw-r--r-- 1 root root 290716 Dec 9 18:50 syslog.log
Madness, thy name is system administration
Geoff Wild
Honored Contributor

Re: syslogd: sshd not logging to separate file

Fred, actually - a restart of syslogd will create all log files required - if they don't exist.

I know, just did it with:

# @(#)B.11.11_LR
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug /var/adm/syslog/mail.log
daemon.info;mail.none /var/adm/syslog/daemon.log
#local5.info;mail.none /var/adm/syslog/ftpd.log
*.info;mail.none,daemon.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *

Didn't have a daemon.log file - and upon restart of syslogd, the file was created with 0 bytes.

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
RAC_1
Honored Contributor

Re: syslogd: sshd not logging to separate file

Try with follows.

local3.info /var/adm/syslog/sshd.log

There is a "TAB" between columns.
There is no substitute to HARDWORK
Ralph Grothe
Honored Contributor

Re: syslogd: sshd not logging to separate file

Eh, horizontal tab was 0x09 and should appear as ^I or \t wasn't it?

# xd -c /etc/syslog.conf
0000000 # @ ( # ) $ R e v i s i o n
0000010 : 7 4 . 1 $ \n # \n # s y s
0000020 l o g d c o n f i g u r a t i
0000030 o n f i l e . \n # \n # S e e
0000040 s y s l o g d ( 1 M ) f o r
0000050 i n f o r m a t i o n a b o
0000060 u t t h e f o r m a t o f
0000070 t h i s f i l e . \n # \n m a
0000080 i l . d e b u g \t \t / v a r / a
0000090 d m / s y s l o g / m a i l . l
00000a0 o g \n * . i n f o ; l o c a l 6
00000b0 , m a i l . n o n e \t / v a r /
00000c0 a d m / s y s l o g / s y s l o
00000d0 g . l o g \n l o c a l 6 . i n f
00000e0 o / v
00000f0 a r / a d m / s y s l o g / s s
0000100 h d . l o g \n * . a l e r t \t \t
0000110 \t / d e v / c o n s o l e \n * .
0000120 a l e r t \t \t \t r o o t \n * . e
0000130 m e r g \t \t \t * \n
0000139
Madness, thy name is system administration
Fred Ruffet
Honored Contributor

Re: syslogd: sshd not logging to separate file

Looking at man syslogd, you were right to say setting debug level to this file will send info level messages to it too.

Have you tried with sshd_config defaults (AUTH.INFO) ?

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
Ralph Grothe
Honored Contributor

Re: syslogd: sshd not logging to separate file

Guys, I'm getting mad,
this has been a too long day.

On the failover node saturn I have it configured (almost) alike, and it works there.

[root@saturn:/root]
# cat /etc/syslog.conf
# @(#) $Revision: 1.2 $
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug /var/adm/syslog/mail.log
*.info;daemon,mail.none /var/adm/syslog/syslog.log
daemon.debug /var/adm/syslog/daemon.log
local6.debug /var/adm/syslog/sshd.log
local7.debug /var/adm/syslog/sshd_p7777.log
*.alert /dev/console
*.alert root
*.emerg *

[root@saturn:/root]
# logger -t TESTME -p local6.info Hello\ World

[root@saturn:/root]
# tail -1 /var/adm/syslog/sshd.log
Dec 9 19:02:09 saturn TESTME: Hello World
Madness, thy name is system administration
Ralph Grothe
Honored Contributor

Re: syslogd: sshd not logging to separate file

Fred,

at least on saturn this isn't necessary,
it works well with LOCAL6 (this is also in accordance with what sshd_config's manpage reads)

[root@saturn:/root]
# grep -E ^Syslog\|LogLevel /opt/ssh/etc/sshd_config
SyslogFacility LOCAL6
LogLevel INFO
Madness, thy name is system administration
Fred Ruffet
Honored Contributor

Re: syslogd: sshd not logging to separate file

One thing I see is on jupiter, you have local6.none for syslog.log. It should be OK, but as long as they act different, try to remove local6 from syslog.log line.

Regards,

Fred

--

"Reality is just a point of view." (P. K. D.)
Ralph Grothe
Honored Contributor

Re: syslogd: sshd not logging to separate file

Oops, already past 7.
I have to leave,
will be fumbling on tomorrow.
If I can't sort it out, I'll simply take the working config from saturn...
Madness, thy name is system administration
Geoff Wild
Honored Contributor

Re: syslogd: sshd not logging to separate file

Okay - which ssh are you using? HP Secure Shell?

I tried local6 and local7 - still ssh is logged to syslog....

Rgds..Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Geoff Wild
Honored Contributor
Solution

Re: syslogd: sshd not logging to separate file

Okay - got it to work - forgot to change logging in sshd_config

SyslogFacility LOCAL6
LogLevel INFO


# @(#)B.11.11_LR
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug /var/adm/syslog/mail.log
daemon.info;mail.none /var/adm/syslog/daemon.log
local6.debug /var/adm/syslog/sshd.log
#local5.info;mail.none /var/adm/syslog/ftpd.log
*.info;mail.none,daemon.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *


Logging now works to ssh.log

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Geoff Wild
Honored Contributor

Re: syslogd: sshd not logging to separate file

I still think there is no TAB in your syslog.conf:

l o c a l 6 . i n f
00000e0 o / v
00000f0 a r / a d m / s y s l o g / s s
0000100 h d . l o g \n

Should be

l o c a l 6 . i n f
00000e0 o \t / v
00000f0 a r / a d m / s y s l o g / s s
0000100 h d . l o g \n

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Sanjay_6
Honored Contributor

Re: syslogd: sshd not logging to separate file

Hi Ralph,

Is it possible you are sourcing the sshd_config file from somewhere else other than the one you are editing to change the logging level to local6?

Some versions of ssh have the sshd_config file in /usr/local/etc.

Hope this helps.

Regds
Ralph Grothe
Honored Contributor

Re: syslogd: sshd not logging to separate file

Morning again,

Geoff you got it!

This was all caused by such an annoyingly trivial but concealed parsing error by sshd of syslog.conf.
I only should have read the syslogd manpage carefully.
There it says:

"The action field is separated from the selector by one or more tabs."

So it wasn't the usual "any whitespace",
and I really had a single space (\040) instead of horizontal tab (\011) as field separator.

After fixing this the sshd.log was instantly created and populated with my logger string.


[root@jupiter:/etc]
# logger -t HELP -p local6.info "a useless test string"
[root@jupiter:/etc]
# ll /var/adm/syslog/
total 70824
-r--r--r-- 1 root root 618878 Dec 7 21:48 OLDsyslog.log
-rw-r--r-- 1 root root 7582739 Apr 5 2002 OLDsyslog.log.gz
-r--r--r-- 1 root root 10369440 Dec 9 23:38 mail.log
-r--r--r-- 1 root root 52 Dec 10 09:34 sshd.log
-rw-r--r-- 1 root root 343125 Dec 10 09:34 syslog.log
-rw-r--r-- 1 root root 146258 Dec 1 01:58 syslog.log.1
-rw-r--r-- 1 root root 129790 Nov 1 01:59 syslog.log.2
-r--r--r-- 1 root root 865999 Oct 1 02:00 syslog.log.3
-r--r--r-- 1 root root 2688924 Sep 1 01:58 syslog.log.4
-rw-r--r-- 1 root root 2657657 Aug 1 01:58 syslog.log.5
-r--r--r-- 1 root root 2858664 Jul 1 01:58 syslog.log.6
-rw-r--r-- 1 root sys 3587637 Mar 30 2004 syslog.log_20030901-20040301.gz
-rw-r--r-- 1 root sys 4126357 Nov 29 11:24 syslog.log_till_200411291124.gz
[root@jupiter:/etc]
# cat /var/adm/syslog/sshd.log
Dec 10 09:34:31 jupiter HELP: a useless test string
Madness, thy name is system administration
Ralph Grothe
Honored Contributor

Re: syslogd: sshd not logging to separate file


Problem resulted from an invalid separator string between facility and action field of /etc/syslog.conf.
Where one or more horizontal tab(s) (i.e. ASCII \011) should have been used, erroneously a single space (ASCII \040) had been used.

Madness, thy name is system administration
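
Added example, not part of the thread: a small lint for the fault diagnosed above, where a rule whose selector is followed by a space instead of a tab is silently ignored and the log file never appears. The helper names check_syslog_conf and write_sample_conf are hypothetical, and the sample config is constructed from the jupiter listing; the check flags any rule whose selector is not immediately followed by a tab.

```shell
#!/bin/sh
# Added example (not from the thread): flag syslog.conf rules whose selector
# is not immediately followed by a tab, the fault diagnosed above.

# check_syslog_conf FILE  (hypothetical helper name)
# Prints "LINENO: rule" for each suspect rule; returns 1 if any were found.
check_syslog_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            # The selector is the leading run of non-blank characters.
            match($0, /^[^ \t]+/)
            if (RLENGTH < 1 || substr($0, RLENGTH + 1, 1) != "\t") {
                printf "%d: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# write_sample_conf FILE: constructed sample modelled on the jupiter config,
# with a single space (\040) in the local6 rule and tabs (\011) elsewhere.
write_sample_conf() {
    {
        printf 'mail.debug\t\t/var/adm/syslog/mail.log\n'
        printf '*.info;local6,mail.none\t/var/adm/syslog/syslog.log\n'
        printf 'local6.info /var/adm/syslog/sshd.log\n'
        printf '*.alert\t\t\t/dev/console\n'
    } > "$1"
}

# Lint the file named on the command line, or the constructed sample.
if [ "$#" -gt 0 ]; then
    check_syslog_conf "$1"
else
    sample=$(mktemp) && write_sample_conf "$sample"
    check_syslog_conf "$sample" || echo "rule(s) above need a tab separator"
    rm -f "$sample"
fi
```

Running it against /etc/syslog.conf before sending syslogd a HUP catches the problem without having to read a character dump by eye.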