I just had an sshd session with PID 32322 which lacked the debug log
message.
The strace (exactly the command you stated above) looks to me like
the debug log messages are written to /dev/log.
But I am no strace reading expert. Does this strace look healthy, like
the logging to /dev/log works for the debug log messages?
32322 08:19:16.728548 sendto(4, "<151>May 11 08:19:16 sftpd[32322]: debug2: MACs ctos: hmac-md5-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64-etm@openssh.com,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-et"..., 466, MSG_NOSIGNAL, NULL, 0 <unfinished ...>
32322 08:19:16.729521 sendto(4, "<151>May 11 08:19:16 sftpd[32322]: debug2: MACs stoc: hmac-md5-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64-etm@openssh.com,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-et"..., 466, MSG_NOSIGNAL, NULL, 0 <unfinished ...>
If one of these messages didn't arrive in your logfile, then UDP packet
loss looks like a good explanation.
2) Is syslog-ng configured to relay the data? If yes, and using UDP,
some log entries might simply be missing because of congestion.
Yes, local syslog-ng filters the relevant debug messages (facility
local2) and sends them via UDP to a remote syslog-ng server.
My "man rsyslog.conf" says
omrelp
Output module for the reliable RELP protocol (prevents message loss)
Even TCP can lose messages: the ones in transmit when a connection
breaks.
_______________________________________________
openssh-unix-dev mailing list
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
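
Added example, not part of the original thread: one way to check which syslog messages seen in an strace capture never reached the logfile. It decodes the <PRI> value (151 = local2.debug) and matches by substring, because strace truncates long strings. The sample strace and log lines are constructed, and the log line layout (timestamp, host, tag) is an assumption.

```python
import re

FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
              + [f"local{i}" for i in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# pid, timestamp, then the (possibly truncated) string strace shows for sendto()
SENDTO = re.compile(r'^(\d+)\s+(\S+)\s+sendto\(\d+, "<(\d+)>((?:[^"\\]|\\.)*)"')

def decode_pri(pri):
    """Split a syslog PRI value: PRI = facility * 8 + severity."""
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def sent_messages(strace_text):
    """Yield (pid, time, facility, severity, body) for each syslog sendto()."""
    for line in strace_text.splitlines():
        m = SENDTO.match(line)
        if m:
            pid, ts, pri, payload = m.groups()
            fac, sev = decode_pri(int(pri))
            # Drop the 15-char "Mmm dd hh:mm:ss" stamp and the space after it;
            # a relay may rewrite the stamp or insert a hostname behind it.
            yield pid, ts, fac, sev, payload[16:]

def missing_from_log(strace_text, log_text):
    """Messages seen leaving the process that never show up in the log."""
    return [m for m in sent_messages(strace_text) if m[4] not in log_text]

# Constructed sample data (not taken from the thread).
STRACE = '''\
32322 08:19:16.728548 sendto(4, "<151>May 11 08:19:16 sftpd[32322]: debug2: MACs ctos: hmac-sha2-256,hmac-sha2-5"..., 466, MSG_NOSIGNAL, NULL, 0) = 466
32322 08:19:16.729521 sendto(4, "<151>May 11 08:19:16 sftpd[32322]: debug2: MACs stoc: hmac-sha2-256,hmac-sha2-5"..., 466, MSG_NOSIGNAL, NULL, 0) = 466
32322 08:19:16.730102 sendto(4, "<150>May 11 08:19:16 sftpd[32322]: Accepted publickey for demo", 62, MSG_NOSIGNAL, NULL, 0) = 62
'''
LOG = '''\
May 11 08:19:16 host1 sftpd[32322]: debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1
May 11 08:19:16 host1 sftpd[32322]: Accepted publickey for demo
'''

if __name__ == "__main__":
    for pid, ts, fac, sev, body in missing_from_log(STRACE, LOG):
        print(f"lost: pid={pid} sent={ts} {fac}.{sev} {body!r}")
```

Running the same comparison against the local logfile and then the remote one shows whether a message was dropped before or after the UDP relay hop.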