On Sat, 18 Mar 2023, Carsten Andrich wrote:
Date: Sat, 18 Mar 2023 18:16:44 +0100
From: Carsten Andrich <carsten.andrich@xxxxxxxxxxxxx>
To: David Lang <david@xxxxxxx>
Cc: openssh-unix-dev@xxxxxxxxxxx
Subject: Re: Minimize sshd log clutter/spam from unauthenticated connections
On 18.03.23 14:34, David Lang wrote:
modern syslog daemons (including rsyslog, which is default on just about
every linux system) allow you to filter efficiently on the message
contents, not just the severity, so you can opt to throw out the messages
you don't want.
I advocate for a slightly different way of dealing with it, filter these
messages from your main logstream, but put them into either a script
directly, or a separate file and have a script run against it. Have the
script report the number of these messages that you get in a time period
(minute, hour, whatever you want) and log that count back into your log
stream
as Marcus Ranum said in his Artificial Ignorance writeup, the number of
times that an uninteresting thing happens can be interesting.
If you see a big spike (or drop) in these attempts, it can indicate cause
for concern.
I run Debian with systemd-journald instead of rsyslog. AFAIK journald does
not support filtering of its ingress log messages. Only the output can be
filtered with journalctl, but by then it's already too late in terms of log
spam on disk.
rsyslog is still available, and you don't have to keep everything in the journal
files (journald is not a modern logging system, in spite of its date of
implementation :-) )
David Lang
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
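A worked version of the filter-then-count approach David describes above, added here as an example and not code from the thread: the rsyslog rule in the comment, the choice of which sshd messages count as noise, and the sample log lines (TEST-NET addresses, constructed) are all assumptions.

```python
import re
from collections import Counter

# rsyslog side (assumed config, not from the thread): route sshd pre-auth noise
# to its own file and keep it out of the main stream:
#   if $programname == "sshd" and $msg contains "[preauth]" then {
#       action(type="omfile" file="/var/log/sshd-preauth.log")
#       stop
#   }
# This script then runs periodically over that file and emits one count line
# per minute, which is what goes back into the main log stream.

SYSLOG_RE = re.compile(
    r"^(?P<minute>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d):\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
# Which sshd messages count as noise is an assumption; tune to your own logs.
NOISE_PATTERNS = (re.compile(r"\[preauth\]$"), re.compile(r"^Invalid user "))

def is_noise(msg):
    return any(p.search(msg) for p in NOISE_PATTERNS)

def count_per_minute(lines):
    """Count noise messages per minute, keyed by 'Mon DD HH:MM'."""
    counts = Counter()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m and is_noise(m.group("msg")):
            counts[m.group("minute")] += 1
    return counts

def summarize(counts, baseline, factor=5):
    """One summary line per minute; a minute at >= factor*baseline is tagged
    SPIKE, one at <= baseline/factor DROP (string sort is fine within a day)."""
    out = []
    for minute in sorted(counts):
        n = counts[minute]
        tag = " SPIKE" if n >= baseline * factor else " DROP" if n * factor <= baseline else ""
        out.append(f"sshd-noise: {minute} {n} pre-auth messages{tag}")
    return out

# Constructed sample input using TEST-NET addresses, not a real capture.
SAMPLE = """\
Mar 18 14:34:01 host sshd[1001]: Invalid user admin from 192.0.2.10 port 51234
Mar 18 14:34:02 host sshd[1001]: Connection closed by invalid user admin 192.0.2.10 port 51234 [preauth]
Mar 18 14:34:05 host sshd[1002]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructed
Mar 18 14:35:10 host sshd[1003]: Invalid user test from 192.0.2.11 port 4022
Mar 18 14:35:10 host sshd[1003]: Connection closed by invalid user test 192.0.2.11 port 4022 [preauth]
Mar 18 14:35:11 host sshd[1004]: Connection closed by authenticating user root 192.0.2.11 port 4023 [preauth]
Mar 18 14:35:12 host sshd[1005]: Connection closed by authenticating user root 192.0.2.11 port 4024 [preauth]
Mar 18 14:35:13 host sshd[1006]: Connection closed by authenticating user root 192.0.2.11 port 4025 [preauth]
"""
```

A minute with no noise at all produces no key, so a cron-driven run should also log an explicit 0 for empty windows, otherwise a complete drop (the interesting case Marcus Ranum's point covers) is invisible.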