LinuxQuestions.org


alpha_lt 10-24-2009 04:51 PM

Question about logs
 
Hello all,

I have a newbie question. I have lots of logs in /var/log. I have noticed that some logs, for example the ssh log, are not updating, and I have no idea why. I have these files:

ssh.log
ssh.log.0
ssh.log.1.gz
ssh.log.2.gz
and so on

As I understand it, my current log is ssh.log and all the other files are just archives. The last entry in ssh.log is two days old, but I log in to and out of Linux via SSH 10-15 times a day, every day, and I don't see logs of it. Have you any idea why?

Best regards,
alpha

chrism01 10-24-2009 08:54 PM

Depends on the settings. iirc, default is only to log certain types of failures.
Google sshd.conf settings, then check your /etc/sshd.conf.

unSpawn 10-25-2009 03:30 AM

Quote:

Originally Posted by alpha_lt (Post 3731259)
As I understand my current log is ssh.log and all other files are just archives.

The older files should have been created by a cronjob running 'logrotate'.


Quote:

Originally Posted by alpha_lt (Post 3731259)
The last entry in ssh.log is two days old, but I log in to and out of Linux via SSH 10-15 times a day, every day, and I don't see logs of it.

OpenSSH by default uses its "SyslogFacility" in /etc/ssh/sshd_config which makes it log to Syslog(-NG). By default /etc/syslog.conf will log messages marked "AUTHPRIV" to the log file in /var/log/ as per `grep authpriv /etc/syslog.conf`. So unless this is some Ubuntu or Syslog-NG default or a syslog modification there should be no /var/log/ssh.log in the first place. To see if /var/log/ssh.log is in use by Syslog run 'fuser -v /var/log/ssh.log'; the PID it returns should match 'pgrep -lf syslog'. Tell us if it does not and restarting Syslog (after confirming the /var/log/ssh.log entry actually is in /etc/syslog.conf) does not work or restarting Syslog and checking other /var/log/ log files (message*, auth.log, secure).

alpha_lt 10-25-2009 11:14 AM

Hi,

Thank you both for answers.
I'm experiencing the same problem not only with SSH logging, but also with the proftpd FTP server. The problem is the same. Also, I can see that, for example, the last entry in the ssh.log file is unfinished. I mean something like this:

Code:

Oct 22 17:27:33 someserver sshd[230

What is even more weird is that the file modification date is always up to date, and today a new ssh.log file was created by cron, but the new ssh.log file is empty!

Quote:

Originally Posted by unSpawn (Post 3731622)
OpenSSH by default uses its "SyslogFacility" in /etc/ssh/sshd_config which makes it log to Syslog(-NG). By default /etc/syslog.conf will log messages marked "AUTHPRIV" to the log file in /var/log/ as per `grep authpriv /etc/syslog.conf`.

I have set the following lines in sshd_config for logging:

Code:

SyslogFacility LOCAL7
LogLevel VERBOSE

and in syslog.conf I have:

Code:

local7.*      -/var/log/ssh.log

Quote:

Originally Posted by unSpawn (Post 3731622)
To see if /var/log/ssh.log is in use by Syslog run 'fuser -v /var/log/ssh.log'; the PID it returns should match 'pgrep -lf syslog'.

USER PID ACCESS COMMAND
/var/log/ssh.log: syslog 2250 F.... syslogd

Now I'm going to restart syslog.
... it seems it won't help :(

Regards,
alpha

unSpawn 10-26-2009 11:35 AM

If you undo your sshd_config changes and go back to defaults, does that log SSH related messages in /var/log/{secure,auth.log,messages}?
Also some Syslogd implementations don't like spaces where tabs are expected between the facility/priority and logfile name. Can you check if that's the case?
And if that doesn't give any clues, can you verify the integrity of your klogd and syslog binaries?
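
The tab-versus-space check suggested above can be scripted together with a lookup of the SyslogFacility that sshd_config sets. This is an added example, not part of the original thread: the function names and the sample files are constructed here, and it only handles explicit `facility.priority` selectors (no `*` wildcard or comma lists).

```shell
#!/bin/sh
# Print the facility from the first uncommented SyslogFacility line, lowercased.
sshd_facility() {  # usage: sshd_facility SSHD_CONFIG
    awk 'tolower($1) == "syslogfacility" { print tolower($2); exit }' "$1"
}

# For each syslog.conf rule that routes FACILITY, print
#   OK|SPACES <selector> -> <action>
# SPACES means the selector/action separator contains a space, not only tabs.
# Prints "NOROUTE <facility>" when no rule names the facility.
check_syslog_route() {  # usage: check_syslog_route FACILITY SYSLOG_CONF
    awk -v fac="$1" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            sub(/^[ \t]+/, "")                   # ignore leading indentation
            if (!match($0, /[ \t]+/)) next       # no separator, so not a rule
            sel = substr($0, 1, RSTART - 1)
            sep = substr($0, RSTART, RLENGTH)
            act = substr($0, RSTART + RLENGTH)
            n = split(tolower(sel), pairs, ";")  # a selector may hold several pairs
            for (i = 1; i <= n; i++) {
                if (index(pairs[i], fac ".") != 1) continue
                if (pairs[i] ~ /\.none$/) continue   # ".none" excludes, it does not route
                tag = (sep ~ / /) ? "SPACES" : "OK"
                printf "%s %s -> %s\n", tag, sel, act
                found = 1
            }
        }
        END { if (!found) print "NOROUTE " fac }
    ' "$2"
}

# Constructed sample files mirroring the settings posted in this thread;
# the rule below is written with spaces as the separator.
demo() {
    d=$(mktemp -d)
    printf 'SyslogFacility LOCAL7\nLogLevel VERBOSE\n' > "$d/sshd_config"
    printf 'local7.*      -/var/log/ssh.log\n' > "$d/syslog.conf"
    check_syslog_route "$(sshd_facility "$d/sshd_config")" "$d/syslog.conf"
    rm -rf "$d"
}
demo
```

On a real system, pass /etc/ssh/sshd_config and /etc/syslog.conf instead of the sample files; a SPACES result only matters for syslogd implementations that require tabs.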

alpha_lt 10-27-2009 01:47 AM

Hi,

I restarted my system and everything goes well again. It would be nice to find the cause of the problem anyway.

Regards,
alpha

unSpawn 10-27-2009 11:45 AM

Quote:

Originally Posted by alpha_lt (Post 3733773)
I restarted my system and everything goes well again. It would be nice to find the cause of the problem anyway.

Uh. If rebooting worked then I doubt you'll ever find the cause.


All times are GMT -5.