Login or Register to Ask a Question and Join Our Community


UNIX for Advanced & Expert Users

SSHD config in Suse

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Top Forums UNIX for Advanced & Expert Users SSHD config in Suse
# 8  
Old 04-06-2012
what is the entire conf (syslog-ng.conf ) ?
what is ur the version of suse?
what is ur the versi of syslog-ng?
# 9  
Old 04-06-2012
Hi there

syslog-ng-conf.in file
Code:
testlinux:/etc/syslog-ng # more syslog-ng.conf.in
#@SuSEconfig@
#@SuSEconfig@ This is a template file used by SuSEconfig
#@SuSEconfig@ to generate the final syslog-ng.conf.
#@SuSEconfig@
#@SuSEconfig@ SuSEconfig adds additional log sockets from
#@SuSEconfig@ /etc/sysconfig/syslog to the source bellow.
#@SuSEconfig@
#
# File format description can be found in syslog-ng.conf(5)
# and /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#

#
# Global options.
#
options { check_hostname (yes); keep_hostname (yes); use_fqdn (yes); use_dns (yes); dns_cache (yes); dns_cache_size (1000); dns_cache_expire (4
3200); long_hostnames(on); sync(0); perm(0640); stats(3600); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
        #
        # include internal syslog-ng messages
        # note: the internal() soure is required!
        #
        internal();

        #
        # the following line will be replaced by the
        # socket list generated by SuSEconfig using
        # variables from /etc/sysconfig/syslog:
        #
        @SuSEconfig_SOCKETS@

        #
        # uncomment to process log messages from network:
        #
        #udp(ip("0.0.0.0") port(514));
};

#
# Filter definitions
#
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };

filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit)   and facility(news); };
filter f_newserr    { level(err)    and facility(news); };
filter f_news       { facility(news); };

filter f_mailinfo   { level(info)      and facility(mail); };
filter f_mailwarn   { level(warn)      and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };

filter f_cron       { facility(cron); };

filter f_local      { facility(local0, local1, local2, local3,
                               local4, local5, local6, local7); };

filter f_acpid      { match('^\[acpid\]:'); };
filter f_netmgm     { match('^NetworkManager:'); };

filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };

#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console  { pipe("/dev/tty10"    group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };

#
# News-messages in separate files:
#
destination newscrit   { file("/var/log/news/news.crit"
                              owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr    { file("/var/log/news/news.err"
                              owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"
                              owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

#
# and optionally also all in one file:
# (don't forget to provide logrotation config)
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };

#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr  { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr);  destination(mailerr); };

#
# and also all in one file:
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };


#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid"); };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };

#
# NetworkManager messages in one file:
#
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };

#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };

#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

# SSH Filters
filter f_sshderr    { match('^sshd\[[0-9]+\]: error:'); };
filter f_sshd       { match('^sshd\[[0-9]+\]:'); };

# SSH Logging
destination sshderr { file("/var/log/sshd/sshderr.log"); };
log { source(src); filter(f_sshderr); destination(sshderr); flags(final); };

destination sshd { file("/var/log/sshd/sshd.log"); };
log { source(src); filter(f_sshd); destination(sshd); flags(final); };

suse version

Code:
testlinux:/etc/syslog-ng # cat /etc/*release
SUSE Linux Enterprise Server 10 (x86_64)
VERSION = 10
PATCHLEVEL = 4
LSB_VERSION="core-2.0-noarch:core-3.0-noarch:core-2.0-x86_64:core-3.0-x86_64"
testlinux:/etc/syslog-ng #

syslog-ng version

Code:
testlinux:/etc/syslog-ng # /sbin/syslog-ng -V
syslog-ng 1.6.8

# 10  
Old 04-09-2012
Quote:
Originally Posted by hedkandi
Hi there

syslog-ng-conf.in file
Code:
testlinux:/etc/syslog-ng # more syslog-ng.conf.in
#@SuSEconfig@
#@SuSEconfig@ This is a template file used by SuSEconfig
#@SuSEconfig@ to generate the final syslog-ng.conf.
#@SuSEconfig@
#@SuSEconfig@ SuSEconfig adds additional log sockets from
#@SuSEconfig@ /etc/sysconfig/syslog to the source bellow.
#@SuSEconfig@
#
# File format description can be found in syslog-ng.conf(5)
# and /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#

#
# Global options.
#
options { check_hostname (yes); keep_hostname (yes); use_fqdn (yes); use_dns (yes); dns_cache (yes); dns_cache_size (1000); dns_cache_expire (4
3200); long_hostnames(on); sync(0); perm(0640); stats(3600); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
        #
        # include internal syslog-ng messages
        # note: the internal() soure is required!
        #
        internal();

        #
        # the following line will be replaced by the
        # socket list generated by SuSEconfig using
        # variables from /etc/sysconfig/syslog:
        #
        @SuSEconfig_SOCKETS@

        #
        # uncomment to process log messages from network:
        #
        #udp(ip("0.0.0.0") port(514));
};

#
# Filter definitions
#
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };

filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit)   and facility(news); };
filter f_newserr    { level(err)    and facility(news); };
filter f_news       { facility(news); };

filter f_mailinfo   { level(info)      and facility(mail); };
filter f_mailwarn   { level(warn)      and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };

filter f_cron       { facility(cron); };

filter f_local      { facility(local0, local1, local2, local3,
                               local4, local5, local6, local7); };

filter f_acpid      { match('^\[acpid\]:'); };
filter f_netmgm     { match('^NetworkManager:'); };

filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };

#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console  { pipe("/dev/tty10"    group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };

#
# News-messages in separate files:
#
destination newscrit   { file("/var/log/news/news.crit"
                              owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr    { file("/var/log/news/news.err"
                              owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"
                              owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

#
# and optionally also all in one file:
# (don't forget to provide logrotation config)
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };

#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr  { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr);  destination(mailerr); };

#
# and also all in one file:
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };


#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid"); };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };

#
# NetworkManager messages in one file:
#
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };

#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };

#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

# SSH Filters
filter f_sshderr    { match('^sshd\[[0-9]+\]: error:'); };
filter f_sshd       { match('^sshd\[[0-9]+\]:'); };

# SSH Logging
destination sshderr { file("/var/log/sshd/sshderr.log"); };
log { source(src); filter(f_sshderr); destination(sshderr); flags(final); };

destination sshd { file("/var/log/sshd/sshd.log"); };
log { source(src); filter(f_sshd); destination(sshd); flags(final); };

suse version

Code:
testlinux:/etc/syslog-ng # cat /etc/*release
SUSE Linux Enterprise Server 10 (x86_64)
VERSION = 10
PATCHLEVEL = 4
LSB_VERSION="core-2.0-noarch:core-3.0-noarch:core-2.0-x86_64:core-3.0-x86_64"
testlinux:/etc/syslog-ng #

syslog-ng version

Code:
testlinux:/etc/syslog-ng # /sbin/syslog-ng -V
syslog-ng 1.6.8

i suppose syslog-ng with "use_dns" does not resolve all IPs to names in the logs.
i think, "use_dns(yes)" resolves only "$HOST_FROM" variable(that is from remote ssh client[if remote ssh cl send to that] ,
syslogd-ng receives it and resolv the IP source to NAME if it is possible,other remaining log generates by local sshd)
in the sshd error.log seems resolved to names, but that is done by sshd itself(useDNS yes).
maybe you can use a little script
Code:
#!/bin/bash
cp sshd.log sshdn.log
awk '/Accepted/{a[$(NF-3)]++}END{for(i in a)print i}' sshdn.log|\
while read -r IP ; do
IPn=$(dig +short -x $IP)
sed "/Accepted/s/$IP/$IPn/" sshdn.log >sshdnn.log && mv sshdnn.log sshdn.log
done
more sshdn.log

regards
ygemici
# 11  
Old 04-09-2012
MySQL Solved!
Smilie

thank you ygemici, for taking your time in helping me sort out this issue. I am so very grateful! BTW, the useDNS works fine with WTMP logs, I can get both the IP and the hostname (I think this has to do with something the network guy changed at his end, but I cant say what we're doing is in any way secure)

Your script worked like charm, heres my before and after results

BEFORE
Code:
testlinux:/var/log/sshd # more sshd.log
Apr  6 10:55:40 src@testlinux.site sshd[29089]: Received signal 15; terminating.
Apr  6 10:55:40 src@testlinux.site sshd[29674]: Server listening on 0.0.0.0 port 22.
Apr  6 10:57:41 src@testlinux.site sshd[29696]: Accepted keyboard-interactive/pam for root from 191.255.1XX.XXX port 63470 ssh2
Apr 10 10:14:36 src@testlinux.site sshd[16795]: Accepted keyboard-interactive/pam for root from 191.255.1XX.XXX port 51735 ssh2

AFTER
Code:
testlinux:/var/log/sshd # ./test 
Apr  6 10:55:40 src@testlinux.site sshd[29089]: Received signal 15; terminating.
Apr  6 10:55:40 src@testlinux.site sshd[29674]: Server listening on 0.0.0.0 port 22.
Apr  6 10:57:41 src@testlinux.site sshd[29696]: Accepted keyboard-interactive/pam for root from my-cXXXX.myhq.XXXX.com.my. po
rt 63470 ssh2
Apr 10 10:14:36 src@testlinux.site sshd[16795]: Accepted keyboard-interactive/pam for root from my-cXXXX.myhq.XXXX.com.my. po
rt 51735 ssh2
Login or Register to Ask a Question

Previous Thread | Next Thread

2 More Discussions You Might Find Interesting

1. AIX

It helps in the sshd on sshd.log

Friends, I made the installation of the ssh in the it conspires, I configured in the ssh_config the following parameters.. SyslogFacility AUTH LogLevel INFO that should generate sshd.log in the /var/log.... more no this generating. Somebody could help myself in... (0 Replies)
Discussion started by: sandba
0 Replies

2. UNIX for Dummies Questions & Answers

1st install Suse, network config set up

Hello, I'm a newbie to unix. I just about have the Suse 10.1 installed. During set up it automatically detected components to access the internet. But failed. I lost now. Any ideas? Thank You (2 Replies)
Discussion started by: Nick7269
2 Replies
Login or Register to Ask a Question