> 2) Is syslog-ng configured to relay the data? If yes, and using UDP,
> some log entries might simply be missing because of congestion.

I log locally, the syslog-ng config is plain simple:

source s_src {
    system();   # this is /dev/log on Linux
    internal(); # this is only for error messages from syslog-ng itself
};

filter f_local2 { facility(local2); }; # sshd is configured with "SyslogFacility local2"

filter f_ssh_auth_wanted {
    not level(debug)
    or message("^debug2: MACs ctos: ")
    or message("^debug1: kex: client->server cipher: ")
    or message("^debug2: KEX algorithms: ")
    or message("^debug2: host key algorithms: ")
    or message("^debug1: kex: host key algorithm: ")
    or message("^debug2: ciphers ctos: ");
};

destination d_ssh_auth {
    file("/var/log/app/ssh/auth.log" flush_lines(10) );
};

log {
    source(s_src);
    filter(f_local2);
    filter(f_ssh_auth_wanted);
    destination(d_ssh_auth);
};

# delete all other unwanted sshd debug messages (no destination = no action = "delete")
log {
    source(s_src);
    filter(f_local2);
    flags(final);
};

I have no clue why the debug messages that match on the filter (e.g.
"debug2: host key algorithms: ssh-rsa,ssh-dss [preauth]") are only logged
_sometimes_ in /var/log/app/ssh/auth.log and not together with every
"Accepted password" log entry.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
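
To quantify the gap described in the message above, this added example (not part of the original post, and not OpenSSH or syslog-ng code) scans auth.log-style lines and reports, for each "Accepted password" entry, which of the six filtered debug prefixes were never logged for that sshd PID. It assumes the traditional `timestamp host sshd[pid]: message` line layout and that a connection's debug lines precede its "Accepted password" line under the same PID; the function name and all sample lines are constructed.

```python
import re
from collections import defaultdict

# Prefixes copied from the f_ssh_auth_wanted filter in the post.
WANTED = [
    "debug2: MACs ctos: ",
    "debug1: kex: client->server cipher: ",
    "debug2: KEX algorithms: ",
    "debug2: host key algorithms: ",
    "debug1: kex: host key algorithm: ",
    "debug2: ciphers ctos: ",
]
# Assumption: lines look like "<Mon> <day> <time> <host> sshd[<pid>]: <message>".
LINE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+sshd\[(\d+)\]:\s(.*)$")

def missing_per_login(lines):
    """Return [(pid, [wanted prefixes never logged])] per 'Accepted password' entry."""
    seen = defaultdict(set)   # pid -> wanted prefixes seen so far
    report = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("Accepted password "):
            # Assumption: negotiation lines precede the login line and share its PID.
            got = seen.pop(pid, set())   # pop so a reused PID starts clean
            report.append((pid, [p for p in WANTED if p not in got]))
        else:
            seen[pid].update(p for p in WANTED if msg.startswith(p))
    return report

# Constructed sample: PID 4101 has all six lines, PID 4102 only one.
SAMPLE = """\
Mar  3 10:00:01 host1 sshd[4101]: debug2: KEX algorithms: example-kex [preauth]
Mar  3 10:00:01 host1 sshd[4101]: debug2: host key algorithms: ssh-rsa,ssh-dss [preauth]
Mar  3 10:00:01 host1 sshd[4101]: debug2: ciphers ctos: example-cipher [preauth]
Mar  3 10:00:01 host1 sshd[4101]: debug2: MACs ctos: example-mac [preauth]
Mar  3 10:00:01 host1 sshd[4101]: debug1: kex: host key algorithm: ssh-rsa [preauth]
Mar  3 10:00:01 host1 sshd[4101]: debug1: kex: client->server cipher: example-cipher [preauth]
Mar  3 10:00:02 host1 sshd[4101]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
Mar  3 10:05:11 host1 sshd[4102]: debug2: host key algorithms: ssh-rsa,ssh-dss [preauth]
Mar  3 10:05:12 host1 sshd[4102]: Accepted password for bob from 192.0.2.11 port 50001 ssh2
""".splitlines()

if __name__ == "__main__":
    for pid, missing in missing_per_login(SAMPLE):
        print(f"sshd[{pid}]: {len(missing)} of {len(WANTED)} wanted lines missing", missing)
```

Running it over the real /var/log/app/ssh/auth.log shows whether the same prefixes are dropped each time or whether the gaps vary from login to login.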