
I have sshd log entries from the past seemingly randomly mixed in (in time) with the presently occurring log entries.

No remote hosts log to this server, rsyslog serves only this box. External access to rsyslog listener is blocked at firewall. Sshd version: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2. Sshd was logging at daemon:info, but I've since raised to daemon:verbose. TcpKeepAlive is yes on server. The entries seem to appear as valid client disconnect messages. The client IP is known to me, and he is permitted to ssh by firewall rules. Client version: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2. The client's /etc/ssh/ssh_config specifies ServerAliveInterval 60. The client is creating port redirects on the server. Then a process on server periodically pipes data to the client port using netcat.

The erroneous datetime stamps, as well as seemingly old log entries being mixed in with current log entries, are the concerns. Could this be a symptom of old broken sessions left over from an unclean exit?

Any suggestions are welcome, thanks.

  • Is your syslog set up to log data from remote servers? Are you sure your time is set properly everywhere? – Zoredache Nov 19 '14 at 20:10
  • @zoredache - No, rsyslog local services only. Using ntpd on server & clients. Perhaps related to http://serverfault.com/questions/538108/apparmor-denies-ntpd-access-to-its-own-logs as I see the same error mentioned. Investigating. – axman-5389 Nov 20 '14 at 16:50

1 Answer


This is very likely the same thing as this question/answer: Weird syslog order

TL;DR: Rsyslog bug with RepeatedMsgReduction On, in recent versions.

Craig Miskell
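The symptom in the question (sshd lines from days earlier interleaved with current ones) and the cause in the answer (rsyslog's RepeatedMsgReduction) can both be checked from the box itself. The script below is an added example, not code from the question, the answer or the rsyslog project: it parses traditional RFC 3164 syslog lines, reports every entry whose timestamp runs backwards relative to the latest one seen so far, and scans an rsyslog configuration for the legacy `$RepeatedMsgReduction` directive. The log lines and configuration text are constructed samples; the host name, PIDs and IP addresses in them are made up.

```python
"""Detect out-of-order syslog timestamps and check rsyslog's RepeatedMsgReduction setting."""
import re
from datetime import datetime

# Traditional syslog header as written by rsyslog with the default template:
#   "Nov 19 20:10:05 host tag[pid]: message"   (no year, day may be space-padded)
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>\S+?): (?P<msg>.*)$"
)

# Legacy rsyslog directive; the last occurrence in the file wins.
_REPEAT_RE = re.compile(r"^\s*\$RepeatedMsgReduction\s+(on|off)\s*$", re.IGNORECASE | re.MULTILINE)

# Constructed sample log: the third line is a two-day-old disconnect message
# sitting between entries from the current session.
SAMPLE_LOG = """\
Nov 19 20:10:01 srv sshd[4011]: Accepted publickey for ops from 192.0.2.10 port 50212 ssh2
Nov 19 20:10:01 srv sshd[4011]: pam_unix(sshd:session): session opened for user ops by (uid=0)
Nov 17 08:42:13 srv sshd[2207]: Received disconnect from 192.0.2.10: 11: disconnected by user
Nov 19 20:10:33 srv sshd[4011]: Received disconnect from 192.0.2.10: 11: disconnected by user
Nov 19 20:10:33 srv sshd[4011]: pam_unix(sshd:session): session closed for user ops
"""

# Constructed sample configuration with the setting the answer points at.
SAMPLE_CONF = """\
$ModLoad imuxsock
$RepeatedMsgReduction on
*.* /var/log/syslog
"""


def parse_line(line, year):
    """Return (timestamp, host, tag, message) or None if the line is not RFC 3164 shaped.

    RFC 3164 timestamps carry no year, so the caller supplies the year the log was written in.
    """
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), m.group("tag"), m.group("msg")


def find_out_of_order(lines, year):
    """Return [(index, line), ...] for entries dated earlier than the latest entry before them.

    A well-behaved local log is monotonic; any backwards jump is either a clock change,
    a year rollover (Dec -> Jan looks backwards without a year) or the rsyslog bug in question.
    """
    latest = None
    suspects = []
    for i, line in enumerate(lines):
        parsed = parse_line(line, year)
        if parsed is None:
            continue  # unparsable line: not evidence either way, skip it
        ts = parsed[0]
        if latest is not None and ts < latest:
            suspects.append((i, line))
        elif latest is None or ts > latest:
            latest = ts
    return suspects


def repeated_msg_reduction_enabled(conf_text):
    """True if the last $RepeatedMsgReduction directive in conf_text is 'on'.

    With no directive present this returns False, matching rsyslog's documented default of off.
    """
    matches = _REPEAT_RE.findall(conf_text)
    return bool(matches) and matches[-1].lower() == "on"


if __name__ == "__main__":
    for idx, entry in find_out_of_order(SAMPLE_LOG.splitlines(), 2014):
        print(f"out-of-order entry at line {idx}: {entry}")
    if repeated_msg_reduction_enabled(SAMPLE_CONF):
        print("rsyslog has RepeatedMsgReduction on; consider setting it off and re-checking order")
```

On a real host, feed `open("/var/log/auth.log").read().splitlines()` and the year the file covers into `find_out_of_order`, and `open("/etc/rsyslog.conf").read()` into `repeated_msg_reduction_enabled`. A backwards jump around New Year is expected because the traditional timestamp has no year, and a jump that coincides with an ntpd step is a clock issue rather than a logging one; the rsyslog bug shows up as isolated old lines of the kind in the sample.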