1) verifying that sshd is actually doing this (maybe via strace or
similar?)
Could someone please guide me on how exactly to do this? I would be really glad to check whether sshd really always sends the debug log to syslog-ng for every "Accepted password" line, to pin this issue down.
Use a command like
strace -f -tt -s 200 -o /tmp/logfile.txt -p <pid of sshd>
Then you'd have to compare what gets written in the logfile against the data in your syslog.
Also, everything the users do is in the logfile -- that might make that approach unsuitable as well.
The log looks like this in 46 cases from yesterday, and in only one case do I see the debug log lines (e.g. "debug1: kex: host key algorithm: ssh-rsa [preauth]") between the "Connection from" and "Accepted password" log lines for the session (same PID).
It is also not that only some lines are sometimes missing: either the log misses all of the debug log lines belonging to the session, or all of them are there.
1) Do you have a per-client configuration in your sshd_config?
Look for a "Match" block, also in included files.
2) Is syslog-ng configured to relay the data? If yes, and using UDP,
some log entries might simply be missing because of congestion.
3) I'd be happy to take a look at a log file (send it privately);
if you're not happy about that, I'd fully understand.
(I don't have a script ready to anonymize such log files, sadly -
and TBH, changing the one I have for HTTP access logs right now is
too much effort, and might also go wrong.)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
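The check the thread does by hand (46 sessions, one with debug lines between "Connection from" and "Accepted password", 45 without) can be scripted. The following is an added example, not code from the thread or from OpenSSH: it parses classic syslog lines written by sshd, splits them into per-PID sessions starting at each "Connection from" line (PIDs get reused, so sessions are not merged by PID alone), and counts the "debugN:" lines seen before "Accepted password". The sample log lines are constructed for the example; the hostnames, addresses and PIDs in them are not from the thread.

```python
import re
from collections import defaultdict

# Classic syslog line as written by sshd, e.g.
#   "Mar  3 09:12:01 host1 sshd[2101]: Accepted password for alice ..."
# Captures the PID and the message; lines from other daemons do not match.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Constructed sample: one session with debug lines (2101), one without (2210),
# one unrelated cron line, and one connection that never authenticates (2330).
SAMPLE_LOG = """\
Mar  3 09:12:01 host1 sshd[2101]: Connection from 198.51.100.7 port 51022 on 192.0.2.10 port 22
Mar  3 09:12:01 host1 sshd[2101]: debug1: kex: host key algorithm: ssh-rsa [preauth]
Mar  3 09:12:01 host1 sshd[2101]: debug1: userauth-request for user alice service ssh-connection method password [preauth]
Mar  3 09:12:02 host1 sshd[2101]: Accepted password for alice from 198.51.100.7 port 51022 ssh2
Mar  3 09:12:02 host1 sshd[2101]: debug1: monitor_child_preauth: alice has been authenticated by privileged process
Mar  3 09:15:44 host1 CRON[2200]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 09:15:44 host1 sshd[2210]: Connection from 198.51.100.9 port 51100 on 192.0.2.10 port 22
Mar  3 09:15:45 host1 sshd[2210]: Accepted password for bob from 198.51.100.9 port 51100 ssh2
Mar  3 09:20:10 host1 sshd[2330]: Connection from 198.51.100.11 port 51300 on 192.0.2.10 port 22
Mar  3 09:20:12 host1 sshd[2330]: Failed password for invalid user test from 198.51.100.11 port 51300 ssh2
"""


def parse(lines):
    """Yield (pid, message) for every sshd line; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield int(m.group("pid")), m.group("msg")


def per_session_debug_counts(lines):
    """Return [(pid, debug_line_count)] for each session that reached
    'Accepted password'. A session opens at 'Connection from' and closes
    at 'Accepted password'; only debug lines inside that window count."""
    by_pid = defaultdict(list)
    for pid, msg in parse(lines):
        by_pid[pid].append(msg)

    sessions = []
    for pid, msgs in by_pid.items():
        current = None  # debug count of the session currently open, if any
        for msg in msgs:
            if msg.startswith("Connection from"):
                current = 0  # a new session, even if this PID was seen before
            elif current is None:
                continue  # lines outside any open session are ignored
            elif re.match(r"debug\d:", msg):
                current += 1
            elif msg.startswith("Accepted password"):
                sessions.append((pid, current))
                current = None  # debug lines after acceptance are not counted
    return sessions


def summarize(lines):
    """Count completed sessions and list the PIDs whose window held no
    debug lines at all, which is the symptom discussed in the thread."""
    sessions = per_session_debug_counts(lines)
    missing = sorted(pid for pid, n in sessions if n == 0)
    return {"sessions": len(sessions), "missing_debug": missing}


if __name__ == "__main__":
    # Replace SAMPLE_LOG with the real file, e.g. open("/var/log/auth.log").
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run it against the real syslog-ng output and, separately, against the strace log suggested above (after extracting the sendto/write payloads into syslog-shaped lines); if sshd's own writes show debug lines for a PID that the summary reports as missing, the loss is between sshd and syslog-ng rather than in sshd.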