LinuxQuestions.org
Old 10-24-2009, 05:51 PM   #1
alpha_lt
Member
 
Registered: Jul 2009
Location: Denmark
Distribution: Debian
Posts: 92

Question about logs


Hello all,

I have a newbie question. I have lots of logs in /var/log. I have noticed that some logs, for example the ssh log, are not updating, and I have no idea why. I have these files:

ssh.log
ssh.log.0
ssh.log.1.gz
ssh.log.2.gz
and so on

As I understand it, my current log is ssh.log and all the other files are just archives. The last entry in ssh.log is two days old, but I log in and out of Linux via SSH 10-15 times a day, every day, and I don't see logs of it. Do you have any idea why?

Best regards,
alpha
 
Old 10-24-2009, 09:54 PM   #2
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,240

Depends on the settings. iirc, default is only to log certain types of failures.
Google sshd.conf settings, then check your /etc/sshd.conf.
 
Old 10-25-2009, 04:30 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Quote:
Originally Posted by alpha_lt
As I understand it, my current log is ssh.log and all the other files are just archives.
The older files should have been created by a cronjob running 'logrotate'.


Quote:
Originally Posted by alpha_lt
The last entry in ssh.log is two days old, but I log in and out of Linux via SSH 10-15 times a day, every day, and I don't see logs of it.
OpenSSH by default uses its "SyslogFacility" in /etc/ssh/sshd_config, which makes it log to Syslog(-NG). By default /etc/syslog.conf will log messages marked "AUTHPRIV" to the log file in /var/log/ as per `grep authpriv /etc/syslog.conf`. So unless this is some Ubuntu or Syslog-NG default or a syslog modification, there should be no /var/log/ssh.log in the first place. To see if /var/log/ssh.log is in use by Syslog, run 'fuser -v /var/log/ssh.log'; the PID it returns should match 'pgrep -lf syslog'. Tell us if it does not and restarting Syslog (after confirming the /var/log/ssh.log entry actually is in /etc/syslog.conf) does not work or restarting Syslog and checking other /var/log/ log files (message*, auth.log, secure).
 
Old 10-25-2009, 12:14 PM   #4
alpha_lt
Member
 
Registered: Jul 2009
Location: Denmark
Distribution: Debian
Posts: 92

Original Poster
Hi,

Thank you both for your answers.
I'm experiencing the same problem not only with SSH logging, but also with the proftpd FTP server. The problem is the same. Also, I can see that, for example, the last entry in the ssh.log file is unfinished. I mean something like this:

Code:
Oct 22 17:27:33 someserver sshd[230
What is even more weird is that the file modification date is always up to date, and today a new ssh.log file was created by cron, but the new ssh.log file is empty!

Quote:
Originally Posted by unSpawn
OpenSSH by default uses its "SyslogFacility" in /etc/ssh/sshd_config, which makes it log to Syslog(-NG). By default /etc/syslog.conf will log messages marked "AUTHPRIV" to the log file in /var/log/ as per `grep authpriv /etc/syslog.conf`.
I have set the following lines in sshd_config for logging:

Code:
SyslogFacility LOCAL7
LogLevel VERBOSE
and in syslog.conf I have:

Code:
local7.*      -/var/log/ssh.log

Quote:
Originally Posted by unSpawn
To see if /var/log/ssh.log is in use by Syslog, run 'fuser -v /var/log/ssh.log'; the PID it returns should match 'pgrep -lf syslog'.
USER PID ACCESS COMMAND
/var/log/ssh.log: syslog 2250 F.... syslogd

Now I'm going to restart syslog.
... it seems it won't help

Regards,
alpha
 
Old 10-26-2009, 12:35 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

If you undo your sshd_config changes and go back to defaults, does that log SSH related messages in /var/log/{secure,auth.log,messages}?
Also some Syslogd implementations don't like spaces where tabs are expected between the facility/priority and logfile name. Can you check if that's the case?
And if that doesn't give any clues, can you verify the integrity of your klogd and syslog binaries?
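
The whitespace check suggested in the post above, together with a lookup of which files a given facility is routed to, as an added example that is not part of the thread. It assumes classic sysklogd-style `selector<TAB>action` rules; the function names and the sample configuration are constructed for illustration, and rsyslog or Syslog-NG specific syntax is not handled.

```shell
#!/bin/sh
# Constructed sample in classic syslog.conf syntax. Line 3 separates the
# selector from the action with spaces only, as in the LOCAL7 rule above.
sample_conf() {
    printf 'auth,authpriv.*\t\t/var/log/auth.log\n'
    printf '# ssh logging via LOCAL7\n'
    printf 'local7.*      -/var/log/ssh.log\n'
    printf '*.*;auth,authpriv.none\t-/var/log/syslog\n'
}

# Print the line numbers of rules whose selector/action separator
# contains no tab character.
space_separated_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blanks
        {
            sub(/^[ \t]+/, "")                   # ignore leading indentation
            if (match($0, /[ \t]+/) == 0) next   # malformed: no action field
            if (index(substr($0, RSTART, RLENGTH), "\t") == 0) print NR
        }' "$1"
}

# Print every log file that receives messages for facility $2.
# Later selectors on a line override earlier ones, so "fac.none"
# cancels a preceding "*.*" for that facility.
log_files_for_facility() {
    awk -v fac="$2" '
        /^[ \t]*(#|$)/ { next }
        {
            matched = 0
            n = split($1, sels, ";")
            for (i = 1; i <= n; i++) {
                split(sels[i], fp, "[.]")        # fp[1]=facilities, fp[2]=priority
                m = split(fp[1], facs, ",")
                for (j = 1; j <= m; j++)
                    if (facs[j] == fac || facs[j] == "*")
                        matched = (fp[2] != "none")
            }
            if (matched) { path = $2; sub(/^-/, "", path); print path }
        }' "$1"
}

conf=$(mktemp)
sample_conf > "$conf"
echo "rules separated by spaces only, line(s): $(space_separated_rules "$conf")"
echo "local7 is written to:"; log_files_for_facility "$conf" local7
rm -f "$conf"
```

On a real system, point both functions at /etc/syslog.conf and pass the facility named by `SyslogFacility` in sshd_config.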
 
Old 10-27-2009, 02:47 AM   #6
alpha_lt
Member
 
Registered: Jul 2009
Location: Denmark
Distribution: Debian
Posts: 92

Original Poster
Hi,

I restarted my system and everything goes well again. It would be nice to find the cause of the problem anyway.

Regards,
alpha
 
Old 10-27-2009, 12:45 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Quote:
Originally Posted by alpha_lt
I restarted my system and everything goes well again. It would be nice to find the cause of the problem anyway.
Uh. If rebooting worked then I doubt you'll ever find the cause.
 
  

