SUSE Conversations


Syslog-ng – SSH Logging



By: DamianMyerscough

June 26, 2008 4:06 pm


"The syslog-ng application is a flexible and highly scalable system logging application that is ideal for creating centralized logging solutions. The main features of syslog-ng are: reliable log transfer, secure logging using SSL/TLS, IPv4 and IPv6 support and many others" (Syslog-ng, 2008).

Problem

In SUSE Linux Enterprise Server you may have noticed that the SSH daemon logs are written to the /var/log/messages log file. This can be a little annoying because it makes spotting SSH errors among all the other messages more tedious.

Solution

The solution we will implement directs all SSH errors into a log file called "sshderr.log" and all other SSH activity into a log file called "sshd.log". The first task is to create an sshd directory within the /var/log directory, as shown in Figure 1.

Server1:/var/log # mkdir /var/log/sshd

Figure 1: Creating the SSH log directory.

Once you have created the SSH log directory you will need to create the two log files mentioned above; this can be done using the touch command as shown in Figure 2.

Server1:/var/log # touch /var/log/sshd/sshderr.log
Server1:/var/log # touch /var/log/sshd/sshd.log

Figure 2: Creating the two empty SSH log files.

Once you have created the two SSH log files you will need to modify the “syslog-ng.conf.in” configuration file located within the /etc/syslog-ng directory. Figure 3 shows the entries that you will need to add to the “syslog-ng.conf.in” configuration file. Table 1 explains what each line does.

# SSH Filters
filter f_sshderr    { match('^sshd\[[0-9]+\]: error:'); };
filter f_sshd       { match('^sshd\[[0-9]+\]:'); };

# SSH Logging
destination sshderr { file("/var/log/sshd/sshderr.log"); };
log { source(src); filter(f_sshderr); destination(sshderr); flags(final); };

destination sshd { file("/var/log/sshd/sshd.log"); };
log { source(src); filter(f_sshd); destination(sshd); flags(final); };

Figure 3: Modifying the “syslog-ng.conf.in” configuration file to enable SSH logging.

Entry: # SSH Filters
Description: A comment; present only for human readability.

Entry: filter f_sshderr { match('^sshd\[[0-9]+\]: error:'); };
Description: Defines a filter that matches messages beginning with "sshd[]: error:", where any run of digits (the sshd process ID) may appear between the brackets.

Entry: filter f_sshd { match('^sshd\[[0-9]+\]:'); };
Description: Defines a filter that matches all messages beginning with "sshd[]:", again with any run of digits between the brackets.

Entry: # SSH Logging
Description: A comment; present only for human readability.

Entry: destination sshderr { file("/var/log/sshd/sshderr.log"); };
Description: Defines the destination for SSH errors, i.e. /var/log/sshd/sshderr.log.

Entry: log { source(src); filter(f_sshderr); destination(sshderr); flags(final); };
Description: Combines the source, the error filter and the error destination into a log path.

Entry: destination sshd { file("/var/log/sshd/sshd.log"); };
Description: Defines the destination for all other SSH activity, i.e. /var/log/sshd/sshd.log.

Entry: log { source(src); filter(f_sshd); destination(sshd); flags(final); };
Description: Combines the source, the general SSH filter and the sshd destination into a log path.

Table 1: Syslog-ng lines explained.

Once you have finished modifying the "syslog-ng.conf.in" configuration file you will need to run the SuSEconfig command so that the syslog-ng configuration file is regenerated from the "syslog-ng.conf.in" template, as shown in Figure 4.

Server1:/var/log/sshd # SuSEconfig
Starting SuSEconfig, the SuSE Configuration Tool...
Running in full featured mode.
Reading /etc/sysconfig and updating the system...
Executing /sbin/conf.d/SuSEconfig.automake...
Executing /sbin/conf.d/SuSEconfig.desktop-file-utils...
Executing /sbin/conf.d/SuSEconfig.fonts...
Creating fonts.{scale,dir} files ..........
....
....

Figure 4: Generating a new syslog-ng configuration file.

Once you have regenerated the syslog-ng configuration file you will need to restart the syslog-ng daemon using the service command as shown in Figure 5.

Server1:/var/log # service syslog restart
Shutting down syslog services                                         done
Starting syslog services                                              done

Figure 5: Restarting the syslog-ng daemon.

Once you have restarted the syslog-ng daemon you will notice that all SSH activities are now logged into their new log files and not the /var/log/messages log file.
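The log paths above are evaluated in order, and flags(final) stops evaluation at the first match, which is why the error path must come first. The following added example (not code from the article) models that routing in Python over constructed sample messages; the file paths are the article's, the messages and 192.0.2.x addresses are made up.

```python
import re

# Added example (not from the article): a Python model of the article's two
# syslog-ng log paths, to check which file each message would be written to.
ERR_LOG = "/var/log/sshd/sshderr.log"
SSHD_LOG = "/var/log/sshd/sshd.log"
DEFAULT_LOG = "/var/log/messages"   # messages matching no path keep going here

# (filter name, regex from the article's match() statement, destination),
# in the order the log statements appear in syslog-ng.conf.in.
FILTERS = [
    ("f_sshderr", re.compile(r"^sshd\[[0-9]+\]: error:"), ERR_LOG),
    ("f_sshd",    re.compile(r"^sshd\[[0-9]+\]:"),        SSHD_LOG),
]

def route(text, filters=FILTERS):
    """Return the file one message is written to.  Both article log paths
    carry flags(final), so the first matching path takes the message and
    evaluation stops; a message matching no path falls through to the
    default path.  The regexes assume the matched text begins with the
    program name and PID, exactly as the article's match() statements do."""
    for _name, regex, dest in filters:
        if regex.search(text):
            return dest
    return DEFAULT_LOG

def route_all(messages, filters=FILTERS):
    """Group a batch of messages by destination file."""
    routed = {}
    for text in messages:
        routed.setdefault(route(text, filters), []).append(text)
    return routed

# Constructed sample messages (the part of a syslog line after the timestamp
# and host name); 192.0.2.0/24 is a documentation address range.
SAMPLE = [
    "sshd[4201]: error: PAM: Authentication failure for illegal user admin from 192.0.2.10",
    "sshd[4201]: Failed password for invalid user admin from 192.0.2.10 port 51422 ssh2",
    "sshd[4199]: Accepted publickey for root from 192.0.2.7 port 40100 ssh2",
    "sshd[4201]: error: Received disconnect from 192.0.2.10: 11: Bye Bye",
    "cron[1100]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for dest, lines in route_all(SAMPLE).items():
        print(dest, "<-", len(lines), "message(s)")
    # With the two log statements swapped, f_sshd's flags(final) would claim
    # the error lines first and sshderr.log would stay empty: order matters.
    print("error line with swapped order ->", route(SAMPLE[0], FILTERS[::-1]))
```

Running it shows two messages in sshderr.log, two in sshd.log and the cron line left in /var/log/messages; with the paths swapped, the error line ends up in sshd.log instead.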


Categories: SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

4 Comments

  1. By:7biohazard7

    If you use openSUSE >= 10.3 you should know that -

    /etc/syslog-ng/syslog-ng.conf:

    # NOTE: The SuSEconfig script and its syslog-ng.conf.in
    # configuration template aren't used any more.
    #
    # Feel free to edit this file directly.

  2. By:DamianMyerscough

    Thank you for the feedback.

  3. By:coporativoaullox

    Check the files at /etc/logrotate.d/
    I recommend this:

    /var/log/sshd.log /var/log/sshderr.log {
        compress
        dateext
        maxage 365
        rotate 99
        size=+400k
        notifempty
        missingok
        copytruncate
        create 640 root root
        sharedscripts
        postrotate
            /etc/init.d/syslog reload
        endscript
    }

  4. By:woodsy_ca

    Thanks for the excellent info; really helped me understand the process. I’ve been trying to get SFTP logging working for users in a chroot jail, and this really helped.

    These are my additions to get sftp logging to work for chroot’d user…

    Edit /etc/syslog-ng/syslog-ng.conf.in:

    Added additional source:
    source src {
        internal();
        @SuSEconfig_SOCKETS@
        unix-dgram("/chroot-jail/dev/log");
    };

    Added additional filter:
    filter f_sftp { match('^internal-sftp\[[0-9]+\]:'); };

    Added additional log path:
    log { source(src); filter(f_sftp); destination(sshd); flags(final); };

    Create the chroot dev directory:

    #mkdir /chroot-jail/dev
    /chroot-jail/ being whatever you have configured in /etc/ssh/sshd_config (I installed OpenSSH 5.2, which has chroot support built in; the version that accompanies SLES 10 does not).

    Run SuSEconfig and restart syslog (as noted above). You will see that /chroot-jail/dev/log device file is created by the syslog-ng daemon, and you should see the SSH and SFTP information appearing in /var/log/ssh/sshd.log. If you want more than connection information for SFTP, you will need to update your SSH configuration; i.e.:

    ForceCommand internal-sftp -l DEBUG1
