syslog-ng setup (for sshd and auth)
I recently went from SuSE 9.x to 10.0.
Gone is syslog and syslog-ng is now here. I used to have a few very basic logs set up. Example:
Code:
; /etc/syslog.conf
#
# Auth Logging
#
auth.* -/var/log/secure
I have no idea where or how to set up this basic thing in syslog-ng. I'd also like to have SSHD connections (and attempts) logged and successful SSH logins emailed to root (or another email address). Sounds like two simple setup items, but I've googled till my head began to spin and no luck. Any tips folks?! Many thanks in advance!
Anyone? ....
Here's an example syslog-ng.conf that does what you want.
Quote:
Code:
#!/bin/bash
Quote:
From original post Quote:
Code:
# send email for every failed ssh attempt
Thank you for the reply and help!
Oops. I read your post too fast. Just delete the word "not" to send email on successful connections (successful ssh connections contain the string "Accepted"). Afterward, you may wish to examine your logs to make some adjustments, such as possibly making provisions for you to be notified of successful sftp connections.
The f_failed, f_ssh, etc. are simply identifiers and do not carry any semantics.
Hmmm it doesn't seem to be working.
I added:
Code:
# send email for every failed ssh attempt
That was added (as root) to /etc/syslog-ng/syslog-ng.conf.in. I then ran SuSEconfig (as root), which imported it into /etc/syslog-ng/syslog-ng.conf. I then rebooted, su'ed up and back, connected out and in via ssh, and no logs :( Neither /var/log/secure nor /var/log/ssh.fail exists at all....
Works fine on my end. Things you might try:
1. Take a look at the config file and test for grammatical errors (syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf).
2. Check other log files for informative messages (have a look especially at where messages with a facility of 'syslog' go).
Good luck.
It worked for me too!
If it's still not working for you: Firstly, I stopped syslog first. Then I directly edited the .CONF file, not the .IN file. Then restart it and see if it complains about syntax errors. Check as well that your names match up. First time for me I realised I had "s_src" as above, where in my file it was meant to be "src".
Cheers, J
Quote:
Was there something I needed to edit in what you initially posted? I simply cut/pasted the config info into /etc/syslog-ng/syslog-ng.conf.in, then ran # SuSEconfig
Quote:
/etc/syslog-ng/syslog-ng.conf
The commands had been copied over from the /etc/syslog-ng/syslog-ng.conf.in file. I'm not sure what you mean with the s_src line. Forgive the newbie, but I'm still stuck :(
Please post your syslog-ng.conf
Quote:
Code:
# /etc/syslog-ng/syslog-ng.conf
#
# Automatically generated by SuSEconfig on Tue Feb 14 21:30:57 EST 2006.
#
# PLEASE DO NOT EDIT THIS FILE!
#
# you can modify /etc/syslog-ng/syslog-ng.conf.in instead
#
#
#
# File format description can be found in syslog-ng.conf(5)
# and /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
#
# Global options.
#
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
    #
    # include internal syslog-ng messages
    # note: the internal() soure is required!
    #
    internal();
    #
    # the following line will be replaced by the
    # socket list generated by SuSEconfig using
    # variables from /etc/sysconfig/syslog:
    #
    unix-dgram("/dev/log");
    #
    # uncomment to process log messages from network:
    #
    #udp(ip("0.0.0.0") port(514));
};

#
# Filter definitions
#
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };
filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };
filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit) and facility(news); };
filter f_newserr    { level(err) and facility(news); };
filter f_news       { facility(news); };
filter f_mailinfo   { level(info) and facility(mail); };
filter f_mailwarn   { level(warn) and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };
filter f_cron       { facility(cron); };
filter f_local      { facility(local0, local1, local2, local3, local4, local5, local6, local7); };
filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };

#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console  { file("/dev/tty10" group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };

#
# News-messages in separate files:
#
destination newscrit   { file("/var/log/news/news.crit"); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr    { file("/var/log/news/news.err"); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"); };
log { source(src); filter(f_newsnotice); destination(newserr); };

#
# and optionally also all in one file:
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };

#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr  { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };

#
# and also all in one file:
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };

#
# Cron-messages in one file:
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };

#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };

#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

#
# Enable this, if you want to keep all messages in one file:
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

# ADDED per forum post...
options {
    # print stats line every 12 hours (default: 10 min)
    stats(43200);
};

# source
source s_src {
    unix-stream("/dev/log");
    internal();
    file("/proc/kmsg" log_prefix("kernel: "));
};

# auth,authpriv.* -/var/log/secure
filter f_secure { facility(auth, authpriv); };
destination d_secure { file("/var/log/secure" fsync(no)); };
log { source(s_src); filter(f_secure); destination(d_secure); };

# log sshd successes and failures
filter f_ssh { program(^sshd$); };
destination d_ssh { file("/var/log/ssh.fail" fsync(no)); };
log { source(s_src); filter(f_ssh); destination(d_ssh); };

# send email for every failed ssh attempt
filter f_failed { program(^sshd$) and match("Accepted"); };
destination d_failed { program("/tmp/mail.sh"); };
log { source(s_src); filter(f_failed); destination(d_failed); };
---end
The line
Code:
filter f_failed { program(^sshd$) and not match("Accepted"); };
was how the post initially went, but I deleted 'not' as stated in the followup.
I'm not sure whether this would cause the problem, but it is erroneous either way.
You have two "source" definitions. If you look at the top of your file, you will see the "source src" definition. Then after your "ADDED PER FORUM POST..." comment, you have another source definition, "source s_src". I would recommend removing this definition (the s_src) and leaving the one already defined at the top. Then you will need to update your lines (after the "added per foru..." comment) to reflect the proper one. So...
Code:
# auth,authpriv.* -/var/log/secure
filter f_secure { facility(auth, authpriv); };
destination d_secure { file("/var/log/secure" fsync(no)); };
log { source(src); filter(f_secure); destination(d_secure); };
^^^ Changed to "src"

# log sshd successes and failures
filter f_ssh { program(^sshd$); };
destination d_ssh { file("/var/log/ssh.fail" fsync(no)); };
log { source(src); filter(f_ssh); destination(d_ssh); };
^^^ Change

# send email for every failed ssh attempt
filter f_failed { program(^sshd$) and match("Accepted"); };
destination d_failed { program("/tmp/mail.sh"); };
log { source(src); filter(f_failed); destination(d_failed); };
^^^ Change
Try that and see how it goes. Also you might want to read up on the three main directives. You've been using them: Filter. Destination. Log. They're pretty easy to use, but it's good to understand. Often we just chuck things in, wanting it to work 'Now!'. Instead we waste more time.
Cheers J
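As an added example that is not from the thread, here is a script that could stand in for the program("/tmp/mail.sh") destination in the config above. syslog-ng starts a program() destination once and writes every matching message to its stdin, one per line, for as long as the daemon runs, so the script has to loop over stdin rather than handle one line and exit. It assumes mail(1) is installed, that MAILTO names the recipient, and that the destination is written as program("/usr/local/sbin/sshmail.sh --run") so the loop is only entered when syslog-ng invokes it.

```shell
#!/bin/sh
# Added example of a syslog-ng program() destination for sshd messages.
# syslog-ng feeds one message per line on stdin for the daemon's lifetime,
# so the --run mode below loops until stdin closes. Assumes mail(1) exists.

MAILTO="${MAILTO:-root}"   # recipient: an assumption, not from the thread

# classify_sshd LINE -> accepted | failed | other
# Mirrors the config's match("Accepted") filter and its "not" counterpart.
classify_sshd() {
    case "$1" in
        *"Accepted "*) echo accepted ;;
        *"Failed "*)   echo failed ;;
        *)             echo other ;;
    esac
}

# extract_user LINE -> login name from "... for [invalid user] NAME from ..."
extract_user() {
    rest=${1#* for }            # drop everything up to the first " for "
    rest=${rest#invalid user }  # tolerate "Failed password for invalid user bob"
    printf '%s\n' "${rest%% from *}"
}

# extract_src LINE -> client address from "... from ADDR port N ..."
extract_src() {
    rest=${1#* from }
    printf '%s\n' "${rest%% port *}"
}

# build_subject LINE -> e.g. "sshd: accepted login for alice from 192.0.2.10"
build_subject() {
    printf 'sshd: %s login for %s from %s\n' \
        "$(classify_sshd "$1")" "$(extract_user "$1")" "$(extract_src "$1")"
}

# notify LINE -> mail the raw message to MAILTO with a readable subject
notify() {
    printf '%s\n' "$1" | mail -s "$(build_subject "$1")" "$MAILTO"
}

# Only enter the stdin loop when syslog-ng starts us with --run, so the
# functions can be sourced and checked without blocking on stdin.
if [ "${1:-}" = "--run" ]; then
    while IFS= read -r line; do
        # f_failed already selects "Accepted" lines; re-check here so the
        # script stays correct if that filter is later widened to all sshd
        if [ "$(classify_sshd "$line")" = accepted ]; then
            notify "$line"
        fi
    done
fi
```

Install the script somewhere only root can write, such as /usr/local/sbin, rather than /tmp: syslog-ng runs it as root, and /tmp is world-writable.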