I've installed ssh and syslog-ng through Cygwin (V3.2) on a Windows Server 2012 and am attempting to get log output out of sshd. I'm using the default /etc/syslog-ng/syslog-ng.conf file...

@version: 3.2
@include "scl.conf"

source s_local {
    system();
    internal();
};

source s_network {
    udp();
};

destination d_local {
    file("/var/log/messages");
};

log {
    source(s_local);

    # uncomment this line to open port 514 to receive messages
    #source(s_network);
    destination(d_local);
};

My /etc/sshd_config file contains only the following uncommented lines...

 Port 22
 SyslogFacility LOCAL5
 LogLevel VERBOSE
 StrictModes no
 AuthorizedKeysFile /etc/authorized_keys
 Subsystem sftp /usr/sbin/sftp-server -f LOCAL5 -l VERBOSE

The startup/shutdown of sshd is being successfully logged to /var/log/messages:

Jun 23 12:37:31 ga16irwebdev01 sshd: PID 4552: Server listening on :: port 22.
Jun 23 12:37:31 ga16irwebdev01 sshd: PID 4552: Server listening on 0.0.0.0 port 22.
Jun 23 12:37:32 ga16irwebdev01 sshd: PID 6648: `sshd' service started

However, I get nothing in the log when I attempt to "ssh" to this box from a remote box. The remote ssh request is failing due to sshd not accepting my dsa key, and I'm trying to debug that issue, but cannot get any info in the log to do so.

Could anyone suggest why sshd would not be logging (failed) connection requests?

More info... My /var/log directory:

$ ls -l
total 756
-rw-r--r-- 1 GA16IRWEBDEV01+cyg_server Administrators      0 Jun 22 14:56 lastlog
-rw------- 1 SYSTEM                    SYSTEM          15714 Jun 23 15:58 messages
-rw-r--r-- 1 MDowd.adm                 Administrators  41836 Jun 23 10:40 setup.log
-rw-r--r-- 1 MDowd.adm                 Administrators 712122 Jun 23 10:40 setup.log.full
-rwxrwxrwx 1 GA16IRWEBDEV01+cyg_server Administrators      0 Jun 22 15:00 sshd.log
-rw----r-- 1 SYSTEM                    SYSTEM              0 Jun 23 10:47 syslog-ng.log

My /dev/log:

$ ls -l | grep log
srw----rw-  1 SYSTEM                  SYSTEM                     0 Jun 23 15:58 log
Tony

2 Answers

0

On the remote box, try running ssh with the -vvv option to get verbose output from the client. That might help to resolve the issue.

Robert Fekete
  • Done did. Problem is (verbose) output from the client only tells you what's happening on the client side... I can verify that it successfully connected to the target box, and that it passed its keys to it... but can only see that they were rejected by the target box. That's why I need to get logging up and running on sshd, on the target box, so I can find out why it's rejecting them. ...but thanks for the idea!! – Tony Jun 24 '15 at 12:30
0

Figured it out. Found I could verify syslog-ng working with a simple

logger 'testing syslog-ng'

syslog-ng successfully logged the message to /var/log/messages. This told me that the problem was nothing was coming from sshd.

Went "back to the beginning" and pinged the host name of the target box from my source box. Found out that the IP address of the target box, that the requester gave me, was incorrect and pointing to another box in our network. Soon as I corrected that and was ssh'ing to the correct box, the connection request is showing up in /var/log/messages now. Would say "what a wasted day", but being a mainframe dinosaur, I learned a lot about syslog and sshd! Thanks!

Tony
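The isolation steps from the answer above, written as a log triage function. This is an added example, not code from the original posts; the function names, the `targetbox` host name, the client address and the sample log lines are constructed, and it assumes sshd at `LogLevel VERBOSE` writes a "Connection from" line for every inbound connection.

```shell
#!/bin/sh
# triage_sshd_log LOGFILE MARKER
# MARKER is the text previously sent with: logger 'MARKER'
# Prints exactly one verdict:
#   syslog_pipeline_broken  marker never reached LOGFILE (syslog-ng problem)
#   sshd_not_logging        syslog works, but sshd wrote nothing at all
#   no_connection_reached   sshd logged startup only; no client connected to
#                           this host (check the address the client is using)
#   connections_logged      sshd recorded at least one inbound connection
triage_sshd_log() {
    logfile=$1
    marker=$2
    if ! grep -qF -- "$marker" "$logfile"; then
        echo syslog_pipeline_broken
    elif ! grep -qE ' sshd(:|\[)' "$logfile"; then
        echo sshd_not_logging
    elif ! grep -E ' sshd(:|\[)' "$logfile" | grep -q 'Connection from '; then
        echo no_connection_reached
    else
        echo connections_logged
    fi
}

# Constructed sample in the same layout as the /var/log/messages lines in
# the question: sshd startup plus the logger test message, and nothing else.
sample_log() {
    cat <<'EOF'
Jun 23 12:37:31 targetbox sshd: PID 4552: Server listening on :: port 22.
Jun 23 12:37:31 targetbox sshd: PID 4552: Server listening on 0.0.0.0 port 22.
Jun 23 12:37:32 targetbox sshd: PID 6648: `sshd' service started
Jun 23 15:58:02 targetbox Tony: testing syslog-ng
EOF
}

# Demo on the constructed sample; prints: no_connection_reached
demo_log=$(mktemp)
sample_log > "$demo_log"
triage_sshd_log "$demo_log" 'testing syslog-ng'
rm -f "$demo_log"
```

On the real host, run `logger 'testing syslog-ng'` first and then point the function at /var/log/messages from an account that can read it.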