Koozali.org: home of the SME Server

sshd, authpriv.* and /var/log/secure - empty log

Offline senti

« on: March 09, 2009, 03:46:31 PM »
I couldn't find the answer on forums, so I've decided to post a topic.

Basically, the /var/log/secure file is empty, even after numerous invalid attempts to log in through sshd. Why are authpriv.* messages not logged?

This seems to be the case on all SME installations I maintain, while I have no such problems with CentOS 4.x or 5.x.

Thanks.

Offline Stefano

« Reply #1 on: March 09, 2009, 04:04:56 PM »
hi

first of all: if you think that something is not working properly, file a bug and report here the reference for other readers.

anyway, as SME is CentOS based, you can always re-create the same setup for syslogd creating the proper template fragments in the right folder (in this case /etc/e-smith/templates-custom/etc/syslog.conf IIRC)

if you don't know what a template is, I suggest you read the dev manual.. :-)

Ciao
Stefano

Offline senti

« Reply #2 on: March 09, 2009, 04:12:36 PM »
> hi
>
> first of all: if you think that something is not working properly, file a bug and report here the reference for other readers.
>
> anyway, as SME is CentOS based, you can always re-create the same setup for syslogd creating the proper template fragments in the right folder (in this case /etc/e-smith/templates-custom/etc/syslog.conf IIRC)
>
> if you don't know what a template is, I suggest you read the dev manual.. :-)
>
> Ciao
> Stefano

I've created a template to send syslog messages to a remote server, but it has nothing to do with this issue.

CentOS syslog.conf entry has:

authpriv.* /var/log/secure

SME syslog.conf entry has:

authpriv.* /var/log/secure

This is not something I can solve with templates; the entries are the same already. So the issue is not in syslog (proftpd errors will get logged in /var/log/secure, for example).

Because I haven't seen this mentioned in bugzilla, nor as an issue on forums, I wanted to check if I am doing something wrong before calling it a 'bug'.

Offline Stefano

« Reply #3 on: March 09, 2009, 04:21:02 PM »
don't waste your time thinking about whether it is a bug or not.. file a bug in bugzilla

thank you
Stefano

Offline CharlieBrady

« Reply #4 on: March 09, 2009, 08:15:41 PM »
> Basically, the /var/log/secure file is empty, even after numerous invalid attempts to log in through sshd. Why are authpriv.* messages not logged?

authpriv.* messages are being logged. sshd isn't logging there. It's logging in /var/log/sshd/current.

Offline senti

« Reply #5 on: March 09, 2009, 08:49:45 PM »
> authpriv.* messages are being logged. sshd isn't logging there. It's logging in /var/log/sshd/current.

Oh, I see. Thanks, no idea how I missed that directory (not used to SME just yet :)).

How could I, then, make sshd log these events (from '/var/log/sshd/current') to syslog? I have checked the template for sshd_config (as well as /etc/sshd_config), but it doesn't seem like I can change that behaviour there - changing SyslogFacility only changes where the existing messages, which I get in /var/log/messages, are sent.

Thanks.

Offline Stefano

« Reply #6 on: March 09, 2009, 09:02:42 PM »
senti:

please explain your problem/need, not the solution :-)

what do you want to achieve?

ciao
Stefano

Offline senti

« Reply #7 on: March 09, 2009, 09:40:49 PM »
> senti:
>
> please explain your problem/need, not the solution :-)
>
> what do you want to achieve?
>
> ciao
> Stefano

I need the contents of /var/log/sshd/current to be logged via syslog, so I can send syslog messages to another host (by using "*.* ip.of.syslog.server" in /etc/syslog.conf) over the network and analyze them on the other host.
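
One way to meet the need described in the last post, as an added example that is not part of the thread or of SME Server: convert lines from /var/log/sshd/current into RFC 3164 messages in facility authpriv and send them to the collector over UDP. It assumes the lines carry multilog-style TAI64N timestamps; the function names, the host name "sme" and the sample line are hypothetical, and the collector address is supplied by the caller.

```python
import socket
from datetime import datetime, timezone

AUTHPRIV, INFO = 10, 6     # RFC 3164 facility and severity numbers
TAI64_EPOCH = 1 << 62      # TAI64 label of 1970-01-01 00:00:00 TAI
TAI_MINUS_UTC = 10         # assumption: the fixed 10 s offset tai64nlocal also subtracts


def parse_multilog_line(line):
    """Return (UTC datetime or None, message) for one multilog line."""
    line = line.rstrip("\n")
    stamp, _, msg = line.partition(" ")
    if len(stamp) == 25 and stamp[0] == "@":   # '@' + 16 hex seconds + 8 hex nanoseconds
        try:
            secs = int(stamp[1:17], 16) - TAI64_EPOCH - TAI_MINUS_UTC
            return datetime.fromtimestamp(secs, tz=timezone.utc), msg
        except (ValueError, OverflowError, OSError):
            pass
    return None, line      # no usable timestamp: keep the text as it is


def to_syslog(line, host="sme", tag="sshd"):
    """Format one multilog line as an RFC 3164 message in facility authpriv."""
    when, msg = parse_multilog_line(line)
    when = when or datetime.now(timezone.utc)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # day of month is space-padded
    return f"<{AUTHPRIV * 8 + INFO}>{stamp} {host} {tag}: {msg}"


def forward(lines, server, port=514):
    """Send each non-empty line to the collector as one UDP datagram."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            if line.strip():
                sock.sendto(to_syslog(line).encode("utf-8", "replace"), (server, port))
                sent += 1
    return sent


# Constructed sample line, not taken from a real server.
SAMPLE = ("@4000000049b5754a00000000 Failed password for invalid user test "
          "from 192.0.2.10 port 51234 ssh2")

if __name__ == "__main__":
    print(to_syslog(SAMPLE))
```

The timestamp is emitted in UTC, so the collector should be configured accordingly or the conversion adjusted to local time.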