flo enlightened us with:
> i can't find the sshd log in /var/log/*
> how can i create one instead of doing 'cat /var/log/message | grep
> sshd' every time ?

Log to another syslog channel (man sshd_config) then configure your syslogger to output that channel to another file.

Sybren
--
The problem with the world is stupidity. Not saying there should be a capital punishment for stupidity, but why don't we just take the safety labels off of everything and let the problem solve itself?

So anyway, it was like, 18:49 CEST Mar 29 2005, you know? Oh, and, yeah, flo was all like, "Dude,
> i can't find the sshd log in /var/log/* how can i create one instead
> of doing 'cat /var/log/message | grep sshd' every time ?

Add a filter with the predicate 'program("sshd.*")', /var/log/sshd as a destination and a log rule combining the two to syslog-ng.conf.

hth.

--
Time flies like an arrow, fruit flies like a banana.
Perth ---> *
20:34:51 up 156 days, 8:00, 11 users, load average: 1.08, 0.35, 0.11
Linux 2.6.9 x86_64 GNU/Linux
Registered Linux user #261729

> i can't find the sshd log in /var/log/* how can i create one instead
> of doing 'cat /var/log/message | grep sshd' every time ?

emerge metalog

It is a replacement for syslog, it has nice features and works out of the box (just make sure it has been added to the default runlevel).

------------------------------------------------------------
PassKool - A deterministic 'intelligible' password generator
http://passkool.sourceforge.net/

Johan Lindquist wrote:
> So anyway, it was like, 18:49 CEST Mar 29 2005, you know? Oh, and, yeah,
> flo was all like, "Dude,
>
>> i can't find the sshd log in /var/log/* how can i create one instead
>> of doing 'cat /var/log/message | grep sshd' every time ?
>
> Add a filter with the predicate 'program("sshd.*")', /var/log/sshd as
> a destination and a log rule combining the two to syslog-ng.conf.
>
> hth.

Thanks for the help, here's my /etc/syslog-ng/syslog-ng.conf

<<
options { long_hostnames(off); sync(0); stats(43200); };

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };
+ destination sshd { file("/var/log/sshd"); };

+ filter sshd { match("sshd"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

+ log { source(src); filter(sshd); destination(sshd); };
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
>>

I've added the lines with '+' and it works, but the sshd logs are still also in var/log/message... is there a way to remove them from there?

And I read the whole syslog manual and I don't understand how to use the

<<
SyslogFacility
Gives the facility code that is used when logging messages from sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.
>>

like Sybren told me! How do you know that the default AUTH goes to "unix-stream(/dev/log)" (this is the default), and where do the others like LOCAL*, DAEMON, etc. go, so I can use them in syslog-ng.conf? If someone can teach me... thanks in advance (I googled for it a lot without finding anything).

I've put

<<
SyslogFacility LOCAL0
>>

in sshd_config and

<<
#filter sshd { match("sshd"); };
filter sshd { facility(LOCAL0); };
>>

but it prints only the first message in my case:

<<
Mar 29 22:11:51 krapo sshd[4741]: Accepted keyboard-interactive/pam for me from 192.168.0.1 port 42132 ssh2
>>

in sshd.lod instead of

<<
Mar 29 22:11:51 krapo sshd[4741]: Accepted keyboard-interactive/pam for flo from 192.168.0.1 port 42132 ssh2
Mar 29 22:17:18 krapo PAM-env[4744]: Unknown PAM_ITEM: <DISPLAY>
Mar 29 22:17:18 krapo sshd[4744]: PAM pam_putenv: delete non-existent entry; DISPLAY
Mar 29 22:17:18 krapo PAM-env[4744]: Unknown PAM_ITEM: <XAUTHORITY>
Mar 29 22:17:18 krapo sshd[4744]: PAM pam_putenv: delete non-existent entry; XAUTHORITY
Mar 29 22:17:18 krapo sshd(pam_unix)[4744]: session closed for user flo
>>

in /var/log/message ??
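
Added example, not part of any post in this thread: a syslog-ng.conf fragment that combines the program() filter suggested above with flags(final), so that sshd lines are written only to /var/log/sshd. The source and destination names follow the configuration posted above; the filter name f_sshd and the perm(0600) setting are choices made for this example.

```conf
# Added example, not from the thread. Names "src", "messages", "sshd" and
# "console_all" follow the posted config; "f_sshd" and perm(0600) are
# this example's own choices.

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages    { file("/var/log/messages"); };
destination console_all { file("/dev/tty12"); };

# Login records name accounts and client addresses, so keep the
# dedicated file readable by its owner only.
destination sshd { file("/var/log/sshd" perm(0600)); };

# program() tests the program-name field of each message. The pattern
# "sshd.*" matches both "sshd" and "sshd(pam_unix)" from the sample log.
# match("sshd") is a plain regex search instead, so it can also catch
# lines from other programs that merely mention sshd.
# Lines logged under the name "PAM-env" are not matched by this filter.
filter f_sshd { program("sshd.*"); };

# This rule must come BEFORE the catch-all rules. flags(final) ends
# processing for every message that matched here, so the later log
# statements never see it and it no longer lands in /var/log/messages
# (or on tty12).
log { source(src); filter(f_sshd); destination(sshd); flags(final); };

# Everything that was not claimed above.
log { source(src); destination(messages); };
log { source(src); destination(console_all); };

# Alternative without flags(final): exclude sshd from the catch-all.
#   filter f_not_sshd { not program("sshd.*"); };
#   log { source(src); filter(f_not_sshd); destination(messages); };
```

Filtering on the program name does not depend on the SyslogFacility setting in sshd_config, so lines that reach syslog under a different facility are still routed by name.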