| View previous topic :: View next topic |
| Author |
Message |
haarp
Guru
Joined: 31 Oct 2007
Posts: 535
|
 Posted: Thu Jan 17, 2008 10:13 pm Post subject: sshd logfile |
 |
|
Hi,
I recently discovered an attempt to brute-force into my SSH daemon. Of course this attempt failed miserably, but I'd like to be informed about such things. I only discovered this attempt because I was looking for something else in /var/log/messages and saw it unintentionally. This was when I decided that SSHd needs its own log
I read the comments in the /etc/ssh/sshd_config file and looked at the manpage for it, but I did not find anything useful. Only interesting line I found was this:
| Code: | | #SyslogFacility AUTH |
So basically, as far as I can tell, SSHd sends its logs to the AUTH syslog facility which in turn logs it into /var/log/messages. Now since I'm using syslog-ng, I have no idea how to redirect AUTH into its own file. An alternative would be to tell sshd to log into a file, but my searches turned up regarding this.
Any ideas? If the solutions is to redirect AUTH, is it possible to create a new syslog facility, name it SSH and redirect that to keep non-ssh-related AUTH still in the syslog? |
|
| Back to top |
|
 |
gentoo_ram
Guru
Joined: 25 Oct 2007
Posts: 475
Location: San Diego, California USA
|
| Posted: Thu Jan 17, 2008 10:24 pm Post subject: |
|
|
Here's an example syslog-ng config file which separate different programs into different files.
| Code: |
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.7 2007/08/02 04:52:18 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett
options {
chain_hostnames(off);
sync(0);
# The default action of syslog-ng 1.6.0 is to log a STATS line
# to the file every 10 minutes. That's pretty ugly after a while.
# Change it to every 12 hours so you get a nice daily update of
# how many messages syslog-ng missed (0).
stats(43200);
group("adm");
perm(0640);
};
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
filter mainf { not program("dovecot") and not program("postfix") and not program("CRON") and not program("cron") and not program("distccd") and not program("rsync") and not program("postgrey");};
filter mailf { program("postfix"); };
filter dovec { program("dovecot"); };
filter postg { program("postgrey"); };
destination messages { file("/var/log/messages"); };
destination maillog { file("/var/log/maillog"); };
destination pglog { file("/var/log/postgrey"); };
destination dclog { file("/var/log/dovecot"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };
log { source(src); filter(mainf); destination(messages); };
log { source(src); filter(mailf); destination(maillog); };
log { source(src); filter(postg); destination(pglog); };
log { source(src); filter(dovec); destination(dclog); };
log { source(src); destination(console_all); };
|
|
|
| Back to top |
|
|
haarp
Guru
Joined: 31 Oct 2007
Posts: 535
|
| Posted: Thu Jan 17, 2008 10:51 pm Post subject: |
|
|
| Took me a while to figure out, but it works like a charm. Thanks! |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
