Firstly, check whether your sshd is logging at all, especially with the
right amount of verbosity. Maybe you fiddled not only with the rsyslog
configuration but with sshd as well.
I'd go for adding a rule sending all logs into a single file just for a
few minutes and see whether you have any logs from sshd.
If a catch-all rule matches messages from sshd, it's your rsyslog
config that's not working. If you still don't have any sshd logs, it's
the sshd thing.
Mariusz Kruk
IT Security Expert
COMP S.A.
Cybersecurity and Risk Management Division
e-mail: [email protected]
e-mail: [email protected]
tel: +48 608 623 299
On 11.10.2020 12:57, Marc Roos via rsyslog wrote:
This line you need to have somewhere:

```
authpriv.* /var/log/secure
```

What I always do to debug rsyslog is create a config like this:

```
[@ rsyslog.d]# cat /etc/rsyslog.d/00-debug-rsyslog.conf.bak
*.=debug /tmp/rsyslog-test/lev_debug
*.=info /tmp/rsyslog-test/lev_info
*.=notice /tmp/rsyslog-test/lev_notice
*.=warn /tmp/rsyslog-test/lev_warn
*.=err /tmp/rsyslog-test/lev_err
*.=crit /tmp/rsyslog-test/lev_crit
*.=emerg /tmp/rsyslog-test/lev_emerg
auth.* /tmp/rsyslog-test/fac_auth
authpriv.* /tmp/rsyslog-test/fac_authpriv
cron.* /tmp/rsyslog-test/fac_cron
daemon.* /tmp/rsyslog-test/fac_daemon
ftp.* /tmp/rsyslog-test/fac_ftp
kern.* /tmp/rsyslog-test/fac_kern
lpr.* /tmp/rsyslog-test/fac_lpr
mail.* /tmp/rsyslog-test/fac_mail
news.* /tmp/rsyslog-test/fac_news
security.* /tmp/rsyslog-test/fac_security
syslog.* /tmp/rsyslog-test/fac_syslog
user.* /tmp/rsyslog-test/fac_user
uucp.* /tmp/rsyslog-test/fac_uucp
```

Then you know exactly where what ends up. Make sure your authpriv is not
dropped somewhere and load it early.

```
[@ rsyslog.d]# cat /etc/rsyslog.d/06-secure.conf
authpriv.* /var/log/secure
```
-----Original Message-----
From: Wasil W. Siargiejczyk via rsyslog
[mailto:[email protected]]
Sent: Sunday 11 October 2020 10:51
To: [email protected]
Cc: Wasil W. Siargiejczyk
Subject: [rsyslog] sshd doesn't show failed login attempts in syslog on CentOS 7
After some tinkering with rsyslog, sshd no longer logs information about
failed login attempts to syslog for some reason. I've returned both the sshd
and rsyslog configs back to where they were (I've checked with a command like
`rpm -V $(rpm -qf /etc/ssh/sshd_config)`).
However, there is still nothing in /var/log/secure, and `journalctl -u sshd`
shows only:
```
Oct 02 12:59:29 server04.company.name systemd[1]: Starting OpenSSH server daemon...
Oct 02 12:59:29 server04.company.name systemd[1]: Started OpenSSH server daemon.
```
(In case you're wondering: I made a failed login attempt to check this.)
Is this some queue issue? How could I fix it (I'm okay with just
clearing the queue altogether)?
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
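Both checks in the thread (Mariusz's catch-all rule, and Marc's "make sure your authpriv is not dropped somewhere and load it early") come down to one question: which actions does an authpriv message from sshd actually reach once rsyslog applies its rules in load order? The following tracer is an added example, not code from the thread or from the rsyslog project. It assumes sshd logs at authpriv.info, as the thread's `authpriv.* /var/log/secure` rule expects, and models only rsyslog's legacy `selector action` lines, `&` continuation and `~`/`stop` discards, not property-based filters or RainerScript.

```python
PRIORITIES = ["debug", "info", "notice", "warn", "err", "crit", "alert", "emerg"]
ALIASES = {"warning": "warn", "error": "err", "panic": "emerg"}

def _prio_index(name):
    return PRIORITIES.index(ALIASES.get(name, name))

def selector_matches(selector, facility, priority):
    """Legacy selector ('*.info;mail.none;authpriv.none'); parts apply left to right."""
    matched = False
    for part in selector.split(";"):
        facs, _, prio = part.partition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":                   # a later 'facility.none' cancels a wildcard
            matched = False
        elif prio == "*":
            matched = True
        elif prio.startswith("="):           # exactly this priority
            matched = _prio_index(priority) == _prio_index(prio[1:])
        else:                                # this priority and above
            matched = _prio_index(priority) >= _prio_index(prio)
    return matched

def trace(rules_text, facility="authpriv", priority="info"):
    """Walk legacy rules in load order; return the actions the message reaches."""
    reached, last_match = [], False
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("&"):             # '&' reuses the previous selector
            action = line[1:].strip()
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:              # no action on this line
                continue
            last_match = selector_matches(parts[0], facility, priority)
            action = parts[1].strip()
        if not last_match:
            continue
        if action in ("~", "stop"):
            reached.append("DISCARD")        # no later rule sees the message
            break
        reached.append(action.lstrip("-"))   # a leading '-' only means async write
    return reached

# Constructed samples: a stray discard that sorts before the secure rule (rsyslog
# includes /etc/rsyslog.d/*.conf in lexical order), and the order that fixes it.
BROKEN = "authpriv.*  ~\nauthpriv.*  /var/log/secure\n"
FIXED = "authpriv.*  /var/log/secure\n*.info;mail.none;authpriv.none;cron.none  /var/log/messages\n"
```

Feed `trace()` the concatenation of /etc/rsyslog.conf and /etc/rsyslog.d/*.conf in the order rsyslog includes them; an empty result, or a DISCARD before /var/log/secure, points at the rsyslog side of the problem, while a trace that does reach /var/log/secure with nothing in the file points back at sshd, as Mariusz describes.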