LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   syslog-ng setup (for sshd and auth) (https://www.linuxquestions.org/questions/linux-security-4/syslog-ng-setup-for-sshd-and-auth-409160/)

m15a4 01-28-2006 11:21 PM

syslog-ng setup (for sshd and auth)
 
I recently went from SuSE 9.x to 10.0

Gone is syslog and syslog-ng is now here. I used to have a few very basic logs set up.

Example:

/etc/syslog.conf
#
# Auth Logging
#
auth.* -/var/log/secure

I have No idea where or how to setup this basic thing in syslog-ng.

I'd also like to have SSHD connections (and attempts) logged and successful SSH logins emailed to root (or another email address).

Sounds like two simple setup items, but I've googled till my head began to spin and no luck.

Any tips folks?!

Many thanks in advance!

m15a4 01-29-2006 04:08 PM

Anyone? ....

Berhanie 01-29-2006 07:09 PM

Here's an example syslog-ng.conf that does what you want.
Quote:

options {
# print stats line every 12 hours (default: 10 min)
stats(43200); };

# source
source s_src {
unix-stream("/dev/log");
internal();
file("/proc/kmsg" log_prefix("kernel: ")); };

# auth,authpriv.* -/var/log/secure
filter f_secure { facility(auth, authpriv); };
destination d_secure { file("/var/log/secure" fsync(no)); };
log { source(s_src); filter(f_secure); destination(d_secure); };

# log sshd successes and failures
filter f_ssh { program(^sshd$); };
destination d_ssh { file("/var/log/ssh.fail" fsync(no)); };
log { source(s_src); filter(f_ssh); destination(d_ssh); };

# send email for every failed ssh attempt
filter f_failed { program(^sshd$) and not match("Accepted"); };
destination d_failed { program("/tmp/mail.sh"); };
log { source(s_src); filter(f_failed); destination(d_failed); };
/tmp/mail.sh is the following shell script:
Code:

#!/bin/bash

# syslog-ng writes each message that matched the filter to this script's
# stdin, one message per line; mail each one to root
while read -r line
do
    echo "$line" | mail -s "Failed ssh attempt" root
done

One thing to keep in mind is that, if your ssh port is open to the world, you're going to have a lot of failed ssh attempts, and hence more email than you bargained for. For alternatives to the script above, see this thread.
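A stricter stand-in for the mail script, added here as an example (it is not Berhanie's script or anything else from the thread). It re-checks every line it receives before mailing, so it only ever reports sshd "Accepted" lines no matter what the syslog-ng filter passes, and it pulls the user, method and source address into the subject line. It assumes the default syslog-ng message template (a line such as `Jan 30 02:05:11 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2`) and a working mail(1); the names MAIL_TO, DRY_RUN, the `--run` argument and the install path are choices made here.

```shell
#!/bin/sh
# Added example, not the script from the thread: a stricter stand-in for the
# program("/tmp/mail.sh") destination above. syslog-ng writes each matching
# message to this script's stdin, one per line; the script re-checks that a
# line really is an sshd "Accepted" message before mailing, so it mails only
# on successful logins regardless of what the filter lets through.
# Assumptions: default syslog-ng template, e.g.
#   Jan 30 02:05:11 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
# and a working mail(1). MAIL_TO and DRY_RUN are names chosen here.

MAIL_TO="${MAIL_TO:-root}"

# classify_sshd_line LINE -> accepted | failed | other
classify_sshd_line() {
    case "$1" in
        *"sshd["*"]: Accepted "*)                            echo accepted ;;
        *"sshd["*"]: Failed "*|*"sshd["*"]: Invalid user "*) echo failed ;;
        *)                                                   echo other ;;
    esac
}

# summarize_accepted LINE -> "user=<u> method=<m> from=<ip>"; status 1 if unparsable
summarize_accepted() {
    # "Accepted <method> for <user> from <ip> port <n> ..." -> "<method> <user> <ip>"
    set -- $(printf '%s\n' "$1" |
        sed -n 's/.*Accepted \([^ ]*\) for \([^ ]*\) from \([^ ]*\) port .*/\1 \2 \3/p')
    [ $# -eq 3 ] || return 1
    printf 'user=%s method=%s from=%s\n' "$2" "$1" "$3"
}

# send_alert SUBJECT (body on stdin); with DRY_RUN=1 it prints instead of mailing
send_alert() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'would mail %s: %s\n' "$MAIL_TO" "$1"
        cat >/dev/null
    else
        mail -s "$1" "$MAIL_TO"
    fi
}

# notify_loop: read messages from stdin, send one alert per accepted login
notify_loop() {
    while IFS= read -r line; do
        [ "$(classify_sshd_line "$line")" = accepted ] || continue
        summary=$(summarize_accepted "$line") || summary="unparsed login line"
        printf '%s\n%s\n' "$summary" "$line" | send_alert "SSH login: $summary"
    done
}

# syslog-ng starts it as program("/usr/local/sbin/ssh-login-mail.sh --run")
case "${1:-}" in --run) notify_loop ;; esac
```

Wire it in with `destination d_failed { program("/usr/local/sbin/ssh-login-mail.sh --run"); };` (the path is a choice made here; a script that syslog-ng runs as root belongs in a root-owned directory, not in /tmp). Running `DRY_RUN=1 sh ssh-login-mail.sh --run < /var/log/ssh.fail` shows what would have been mailed without sending anything.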

m15a4 01-30-2006 02:05 AM

Quote:

Originally Posted by Berhanie
Here's an example syslog-ng.conf that does what you want....

One thing to keep in mind is that, if your ssh port is open to the world, you're going to have a lot of failed ssh attempts, and hence more email than you bargained for.

Yes, I understand the amount of email that would be generated if tracking the failed attempts. It was the "successful" ssh logins I wanted the emails on.
From original post
Quote:

and successful SSH logins emailed to
In the log setup you offered:
Code:

# send email for every failed ssh attempt
filter f_failed { program(^sshd$) and not match("Accepted"); };
destination d_failed { program("/tmp/mail.sh"); };
log { source(s_src); filter(f_failed); destination(d_failed); };

is the change required simply swapping out "failed" and putting "success" in its place?



Thank you for the reply and help!

Berhanie 01-30-2006 09:31 AM

Oops. I read your post too fast. Just delete the word "not" to send email on successful connections (successful ssh connections contain the string "Accepted"). Afterward, you may wish to examine your logs to make some adjustments, such as possibly making provisions for you to be notified of successful sftp connections.

The f_failed, f_ssh, etc are simply identifiers and do not carry any semantics.

m15a4 01-30-2006 03:34 PM

Hmmm it doesn't seem to be working.

I added:
Code:

# send email for every failed ssh attempt
filter f_failed { program(^sshd$) and match("Accepted"); };
destination d_failed { program("/tmp/mail.sh"); };
log { source(s_src); filter(f_failed); destination(d_failed); };

(deleting 'not' as instructed.)

That was added (as root) to:
/etc/syslog-ng/syslog-ng.conf.in

I then ran SuSEconfig (as root) which imported it into:
/etc/syslog-ng/syslog-ng.conf

I then rebooted, su'ed up and back, connected out and in via ssh, and no logs :(

Neither
/var/log/secure
nor
/var/log/ssh.fail
exists at all....

Berhanie 01-30-2006 06:15 PM

Works fine on my end. Things you might try:

1. Take a look at the config file and test for grammatical errors (syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf).
2. Check other log files for informative messages (have a look especially at where messages with a facility of 'syslog' go).

Good luck.

Shadow6 02-10-2006 06:18 PM

It worked for me too!
If it's still not working for you;

Firstly, I stopped syslog.
Then I directly edited the .CONF file, not the .IN file.

Then restart it and see if it complains about syntax errors. Check as well that your names match up. The first time for me I realised I had "s_src" as above, where in my file it was meant to be "src".

Cheers,
J

m15a4 02-14-2006 08:36 PM

Quote:

Originally Posted by Berhanie
Works fine on my end. Things you might try:

1. Take a look at the config file and test for grammatical errors (syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf).
2. Check other log files for informative messages (have a look especially at where messages with a facility of 'syslog' go).

Good luck.

I ran that syslog-ng command you posted. No feedback at all, it just dropped back to the command line.

Was there something I needed to edit in what you initially posted? I simply cut/pasted the config info into:
/etc/syslog-ng/syslog-ng.conf.in

Then ran # SuSEconfig

m15a4 02-14-2006 08:38 PM

Quote:

Originally Posted by Shadow6
It worked for me too!
If it's still not working for you;

Firstly, I stopped syslog first.
Then I directly edited the .CONF file, not the .IN file.

Then restart it and see if it complains about syntax errors. Check as well, that your names match up. First time for me I realised I had "s_src" as above, where in my file it was meant to be "src".

Cheers,
J

Hmmm, when I ran the # SuSEconfig command, I double-checked
/etc/syslog-ng/syslog-ng.conf

The commands had been copied over from the /etc/syslog-ng/syslog-ng.conf.in file.

I'm not sure what you mean with the s_src line. Forgive the newbie, but I'm still stuck :(

Berhanie 02-15-2006 09:18 AM

Please post your syslog-ng.conf

m15a4 02-16-2006 01:08 PM

Quote:

Originally Posted by Berhanie
Please post your syslog-ng.conf

#
# /etc/syslog-ng/syslog-ng.conf
#
# Automatically generated by SuSEconfig on Tue Feb 14 21:30:57 EST 2006.
#
# PLEASE DO NOT EDIT THIS FILE!
#
# you can modify /etc/syslog-ng/syslog-ng.conf.in instead
#
#
#
# File format description can be found in syslog-ng.conf(5)
# and /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#

#
# Global options.
#
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
#
# include internal syslog-ng messages
# note: the internal() source is required!
#
internal();

#
# the following line will be replaced by the
# socket list generated by SuSEconfig using
# variables from /etc/sysconfig/syslog:
#
unix-dgram("/dev/log");

#
# uncomment to process log messages from network:
#
#udp(ip("0.0.0.0") port(514));
};


#
# Filter definitions
#
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };

filter f_console { level(warn) and facility(kern) and not filter(f_iptables)
or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit { level(crit) and facility(news); };
filter f_newserr { level(err) and facility(news); };
filter f_news { facility(news); };

filter f_mailinfo { level(info) and facility(mail); };
filter f_mailwarn { level(warn) and facility(mail); };
filter f_mailerr { level(err, crit) and facility(mail); };
filter f_mail { facility(mail); };

filter f_cron { facility(cron); };

filter f_local { facility(local0, local1, local2, local3,
local4, local5, local6, local7); };

filter f_messages { not facility(news, mail) and not filter(f_iptables); };
filter f_warn { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert { level(alert); };


#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console { file("/dev/tty10" group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };


#
# News-messages in separate files:
#
destination newscrit { file("/var/log/news/news.crit"); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr { file("/var/log/news/news.err"); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

#
# and optionally also all in one file:
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };


#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };

#
# and also all in one file:
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };


#
# Cron-messages in one file:
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };


#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };


#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };


#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };


#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

#
# Enable this, if you want to keep all messages in one file:
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

# ADDED per forum post...
options {
# print stats line every 12 hours (default: 10 min)
stats(43200); };

# source
source s_src {
unix-stream("/dev/log");
internal();
file("/proc/kmsg" log_prefix("kernel: ")); };

# auth,authpriv.* -/var/log/secure
filter f_secure { facility(auth, authpriv); };
destination d_secure { file("/var/log/secure" fsync(no)); };
log { source(s_src); filter(f_secure); destination(d_secure); };

# log sshd successes and failures
filter f_ssh { program(^sshd$); };
destination d_ssh { file("/var/log/ssh.fail" fsync(no)); };
log { source(s_src); filter(f_ssh); destination(d_ssh); };

# send email for every failed ssh attempt
filter f_failed { program(^sshd$) and match("Accepted"); };
destination d_failed { program("/tmp/mail.sh"); };
log { source(s_src); filter(f_failed); destination(d_failed); };

---end

filter f_failed { program(^sshd$) and not match("Accepted"); };

was how the post initially went, but I deleted 'not' as stated in the follow-up.

Shadow6 02-17-2006 01:53 AM

I'm not sure whether this would cause the problem, but it is erroneous either way.

You have two "source" definitions.

If you look at the top of your file, you will see the "source src" definition.
Then after your "ADDED PER FORUM POST..." comment, you have another source definition "source s_src".

I would recommend removing this definition (the s_src), and leaving the one already defined at the top.

Then you will need to update your lines (after the "added per foru..." comment), to reflect the proper one.

So...

# auth,authpriv.* -/var/log/secure
filter f_secure { facility(auth, authpriv); };
destination d_secure { file("/var/log/secure" fsync(no)); };
log { source(src); filter(f_secure); destination(d_secure); };

^^^ Changed to "src"

# log sshd successes and failures
filter f_ssh { program(^sshd$); };
destination d_ssh { file("/var/log/ssh.fail" fsync(no)); };
log { source(src); filter(f_ssh); destination(d_ssh); };

^^^ Change

# send email for every failed ssh attempt
filter f_failed { program(^sshd$) and match("Accepted"); };
destination d_failed { program("/tmp/mail.sh"); };
log { source(src); filter(f_failed); destination(d_failed); };

^^^ Change

Try that and see how it goes.

Also you might want to read up on the three main directives. You've been using them.

Filter. Destination. Log.

They're pretty easy to use, but it's good to understand. Often we just chuck things in, wanting it to work 'Now!'. Instead we waste more time.

Cheers
J
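A small lint for the mistakes this thread runs into, added here as an example (it is not part of the thread or of SuSE's syslog-ng tooling). It reads a syslog-ng.conf and reports a second options{} block, a socket path such as /dev/log that more than one source driver opens (the posted file has unix-dgram("/dev/log") under src and unix-stream("/dev/log") under s_src), and log statements whose source(...) name has no matching "source <name> { ... }" definition, which is the src vs. s_src mix-up. The function names and the embedded sample config are constructed here; only the directive syntax comes from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a lint for a syslog-ng.conf that had a
# block from a forum post pasted under a generated SuSE config. It reports
#   - more than one options{} block,
#   - a socket path opened by more than one unix-stream()/unix-dgram() driver,
#   - log { source(X) ... } statements where no "source X { ... }" is defined.
# Function names and the sample config below are constructed for this example.

# options_blocks FILE -> number of top-level "options {" lines
options_blocks() {
    grep -c '^[[:space:]]*options[[:space:]]*{' "$1" || true
}

# defined_sources FILE -> names from "source <name> {" lines
defined_sources() {
    sed -n 's/^[[:space:]]*source[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\)[[:space:]]*{.*/\1/p' "$1"
}

# referenced_sources FILE -> names used as source(<name>) in log { ... } statements
referenced_sources() {
    sed -n 's/^[[:space:]]*log[[:space:]]*{.*source(\([A-Za-z0-9_]\{1,\}\)).*/\1/p' "$1" | sort -u
}

# socket_paths FILE -> one line per unix-stream()/unix-dgram() driver path
socket_paths() {
    sed -n -e 's/.*unix-stream("\([^"]*\)").*/\1/p' \
           -e 's/.*unix-dgram("\([^"]*\)").*/\1/p' "$1"
}

# lint_conf FILE -> one finding per line on stdout; exit status 1 if any
lint_conf() {
    conf=$1
    findings=0
    n=$(options_blocks "$conf")
    if [ "$n" -gt 1 ]; then
        echo "duplicate: $n options{} blocks"
        findings=1
    fi
    for p in $(socket_paths "$conf" | sort | uniq -d); do
        echo "duplicate: socket $p is opened by more than one source driver"
        findings=1
    done
    for r in $(referenced_sources "$conf"); do
        if ! defined_sources "$conf" | grep -qx "$r"; then
            echo "undefined: log statement uses source($r) but no 'source $r { ... }' is defined"
            findings=1
        fi
    done
    return $findings
}

# write_sample_conf PATH: constructed config reproducing the thread's situation
write_sample_conf() {
    cat >"$1" <<'EOF'
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };
source src {
    internal();
    unix-dgram("/dev/log");
};
filter f_messages { not facility(news, mail); };
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

# ADDED per forum post...
options { stats(43200); };
source s_src { unix-stream("/dev/log"); internal(); };
filter f_secure { facility(auth, authpriv); };
destination d_secure { file("/var/log/secure" fsync(no)); };
log { source(s_src); filter(f_secure); destination(d_secure); };
log { source(s_sshd); filter(f_secure); destination(d_secure); };
EOF
}

# Usage: sh lint-syslog-ng.sh /etc/syslog-ng/syslog-ng.conf
if [ $# -ge 1 ]; then lint_conf "$1"; fi
```

Run it against the generated file rather than the .in file, since that is what syslog-ng actually loads; a clean result plus `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` covers both the structural mistakes above and plain syntax errors. Multiple sources in one file are legitimate in syslog-ng; the lint only flags the case where two of them compete for the same socket path.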

