SSHD config in Suse


 
# 1  
Old 04-04-2012

Hi there

I was wondering, is there any way I can change the appearance of the sshd log output in /var/log/sshderr.log and /var/log/sshd.log? Right now, it's showing as such:

Code:
 sshd[4857]: error: PAM: Authentication failure for it.sysadm from cijXXX.jp.mitsubishi-motors.com
 sshd[4249]: Accepted keyboard-interactive/pam for root from 191.255.XXX.XXX port XXXXX ssh2

I am fine with the results above, but the customer had a weird request to ensure that IP addresses don't show up; instead they want "host names" to appear in the IP address column. Is this even possible?

My hosts file has a bunch of servers' DNS names added in it, so it makes sense if I SSH from box A to box B and the ssh logs print out the host name instead of the IP address. But I don't understand how to make this possible with the rest of the world! I already said no, but they're not taking no for an answer.

In the Suse box, most parameters in /etc/sshd/sshd_config are already commented out. I am using SUSE Linux Enterprise Server 10 (x86_64)

Appreciate if someone could help me out on this. Thank you

---------- Post updated at 01:13 PM ---------- Previous update was at 12:22 PM ----------

There's been an update for the request above.

So now would it be possible to identify the machine from where user ssh'd into the servers for both successful and failed logins?

e.g

Code:
sshd[5655]: Accepted keyboard-interactive/pam for root from 191.255.128.119 priti-pc port 55462 ssh2

# 2  
Old 04-04-2012
It is not a very bright idea to me. You can try with syslog-ng, but I'm not sure. Even if you are able to do the DNS resolution, it requires extra time and may create the tail of the log. You must tell him.
# 3  
Old 04-04-2012
I agree with you, because IP addresses are already captured and I hate to mess up something I don't know how to fix later. But if I were to do it, how do I go about it? My sshd setting in syslog-ng.conf.in is as such:

Code:
# SSH Filters
filter f_sshderr    { match('^sshd\[[0-9]+\]: error:'); };
filter f_sshd       { match('^sshd\[[0-9]+\]:'); };

# SSH Logging
destination sshderr { file("/var/log/sshd/sshderr.log"); };
log { source(src); filter(f_sshderr); destination(sshderr); flags(final); };

destination sshd { file("/var/log/sshd/sshd.log"); };
log { source(src); filter(f_sshd); destination(sshd); flags(final); };

# 4  
Old 04-04-2012
I'm not sure, but maybe you can try this in your conf:
Code:
options {
    # Check client hostnames for valid DNS characters
    check_hostname (yes);

    # Specify whether to trust hostname in the log message.
    # If "yes", then it is left unchanged, if "no" the server replaces
    # it with client's DNS lookup value.
    keep_hostname (yes);

    # Use DNS fully qualified domain names (FQDN)
    # for the names of log file folders
    use_fqdn (yes);
    use_dns (yes);

    # Cache DNS entries for up to 1000 hosts for 12 hours
    dns_cache (yes);
    dns_cache_size (1000);
    dns_cache_expire (43200);
};

# 5  
Old 04-05-2012
Hi ygemici

Which config file do I add that to... my nsswitch conf file?

---------- Post updated at 11:05 AM ---------- Previous update was at 10:39 AM ----------

Hi again ygemici

I edited my options in /etc/syslog-ng/syslog-ng.conf.in and ran the SuSEconfig command after adding the options you provided, but at best I am still getting IPs instead of DNS, so I am guessing these IP addresses are not mapped to the DNS of this server.

Code:
Apr  5 11:18:08 src@testlinux.site sshd[21867]: error: PAM: User not known to the underlying authentication module for illegal user test from testlinux.site
Apr  5 11:18:08 src@testlinux.site sshd[21867]: Failed keyboard-interactive/pam for invalid user test from 10.160.11.10 port 60394 ssh2

Code:
# Global options.
#
options { check_hostname (yes); keep_hostname (yes); use_fqdn (yes); use_dns (yes); long_hostnames(on); sync(0); perm(0640); stats(3600); };

# 6  
Old 04-05-2012
Did you restart the syslog?
Code:
# cd /etc/init.d/
# ./syslog stop
# ./syslog start

How about DNS servers?
Code:
# cat /etc/resolv.conf

# 7  
Old 04-05-2012
Yup, I had restarted sshd and the syslog daemon.

Code:
testlinux:~ # service syslog restart
Shutting down syslog services                                         done
Starting syslog services                                              done
testlinux:~ # cat /etc/resolv.conf
nameserver 203.115.1XX.XX
nameserver 203.115.1XX.XX
search site

Somehow I think it is impossible to achieve both outputs; I can either have the hostname or the IP showing. Can you show me how you manage to get both IP and hostname?

Code:
Apr  6 10:24:26 ciXXX sshd[10485]: error: PAM: Authentication failure for root from XXXXX.jp.mitsubishi-motors.com-----------when I ssh from another server to this server
Apr  6 10:26:06 ciXXX sshd[10485]: Accepted keyboard-interactive/pam for root from 10.17.XXX.1XX port 47898 ssh2--------------when I ssh from another server to this server
Apr  6 10:27:16 ciXXX sshd[10626]: Accepted keyboard-interactive/pam for root from 191.255.1XX.XXX port 63374 ssh2-------------------when I ssh from SecureCRT from my desktop


Last edited by hedkandi; 04-05-2012 at 11:34 PM.. Reason: typo
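
The line format asked for in post #1 (IP address followed by host name) can also be produced by annotating the log after syslog has written it, which leaves sshd and syslog-ng untouched. The following is an added example, not code from any poster in this thread; the function names and the sample addresses and host names are made up for the illustration.

```python
import re
import socket

# Client address in sshd "Accepted"/"Failed" lines: "... from <ipv4> port <n> ssh2"
FROM_IP = re.compile(r"(\bfrom )(\d{1,3}(?:\.\d{1,3}){3})( port \d+ ssh2)")

def system_reverse(ip):
    """PTR lookup through the system resolver; None when there is no name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Addresses the name resolves to; empty list on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def annotate(line, reverse=system_reverse, forward=system_forward, cache=None):
    """Insert the host name after the client IP; the IP itself is always kept.

    Whoever controls the address block controls its PTR record, so a name
    that does not resolve back to the same IP is marked unverified.
    """
    cache = {} if cache is None else cache

    def label(ip):
        if ip not in cache:
            name = reverse(ip)
            if name is None:
                cache[ip] = "-"                      # no PTR record
            elif ip in forward(name):
                cache[ip] = name                     # forward-confirmed
            else:
                cache[ip] = name + "(unverified)"    # PTR not confirmed
        return cache[ip]

    return FROM_IP.sub(lambda m: f"{m[1]}{m[2]} {label(m[2])}{m[3]}", line)

# Constructed sample data (documentation address ranges, made-up names).
PTR = {"192.0.2.119": "priti-pc.example", "192.0.2.66": "trusted.example"}
A = {"priti-pc.example": ["192.0.2.119"], "trusted.example": ["198.51.100.1"]}
SAMPLE = "sshd[5655]: Accepted keyboard-interactive/pam for root from 192.0.2.119 port 55462 ssh2"

if __name__ == "__main__":
    print(annotate(SAMPLE, PTR.get, lambda n: A.get(n, [])))
```

With the default arguments the lookups go through the system resolver as configured in nsswitch.conf; passing a shared dict as `cache` avoids repeating lookups across lines.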