Mailing List Archive

sshd doesn't show failed login attempts in syslog on CentOS 7
After some tinkering with rsyslog, sshd no longer logs information about
failed login attempts to syslog for some reason. I've returned both the sshd
and rsyslog configs back to where they were (I've checked with a command like
`rpm -V $(rpm -qf /etc/ssh/sshd_config)`).

However, there is still nothing in /var/log/secure, and `journalctl -u sshd`
shows only:

```
Oct 02 12:59:29 server04.company.name systemd[1]: Starting OpenSSH server daemon...
Oct 02 12:59:29 server04.company.name systemd[1]: Started OpenSSH server daemon.
```

(In case you're wondering: I made a failed login attempt to check this.)

Is this some queue issue? How could I fix it (I'm okay with just
clearing the queue altogether)?

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: sshd doesn't show failed login attempts in syslog on CentOS 7
This line you need to have somewhere:

```
authpriv.* /var/log/secure
```

What I always do to debug rsyslog is create a config like this:

```
[@ rsyslog.d]# cat /etc/rsyslog.d/00-debug-rsyslog.conf.bak
*.=debug /tmp/rsyslog-test/lev_debug
*.=info /tmp/rsyslog-test/lev_info
*.=notice /tmp/rsyslog-test/lev_notice
*.=warn /tmp/rsyslog-test/lev_warn
*.=err /tmp/rsyslog-test/lev_err
*.=crit /tmp/rsyslog-test/lev_crit
*.=emerg /tmp/rsyslog-test/lev_emerg

auth.* /tmp/rsyslog-test/fac_auth
authpriv.* /tmp/rsyslog-test/fac_authpriv
cron.* /tmp/rsyslog-test/fac_cron
daemon.* /tmp/rsyslog-test/fac_daemon
ftp.* /tmp/rsyslog-test/fac_ftp
kern.* /tmp/rsyslog-test/fac_kern
lpr.* /tmp/rsyslog-test/fac_lpr
mail.* /tmp/rsyslog-test/fac_mail
news.* /tmp/rsyslog-test/fac_news
security.* /tmp/rsyslog-test/fac_security
syslog.* /tmp/rsyslog-test/fac_syslog
user.* /tmp/rsyslog-test/fac_user
uucp.* /tmp/rsyslog-test/fac_uucp
```

Then you know exactly where everything ends up. Make sure your authpriv is not
dropped somewhere, and load it early.

```
[@ rsyslog.d]# cat /etc/rsyslog.d/06-secure.conf
authpriv.* /var/log/secure
```



Re: sshd doesn't show failed login attempts in syslog on CentOS 7
Firstly, check whether your sshd is logging at all, especially with the
right amount of verbosity. Maybe you fiddled not only with the rsyslog
configuration but with sshd as well.

I'd go for adding a rule sending all logs into a single file just for a
few minutes and seeing whether you have any logs from sshd.

If a catch-all rule matches messages from sshd, it's your rsyslog
config that's not working. If you still don't have any sshd logs, it's
the sshd thing.

Mariusz Kruk
IT Security Expert
COMP S.A.
Cybersecurity and Risk Management Division
e-mail: mariusz.kruk@comp.com.pl
e-mail: mariusz.kruk@safecomp.com
tel: +48 608 623 299

Re: sshd doesn't show failed login attempts in syslog on CentOS 7
That's the problem: it doesn't appear anywhere.

```
$ cat /tmp/rsyslog-test/fac_authpriv
Oct 19 09:50:33 server04.company.name polkitd[18715]: Unregistered Authentication Agent for unix-process:8758:3414157689 (system bus name :1.3033641, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
```

As for that line, I have it:

```
$ cat /etc/rsyslog.conf | grep authpriv
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
```


Re: sshd doesn't show failed login attempts in syslog on CentOS 7
Disable all rules/config; you have to make sure the events are not
deleted before you try to log them somewhere else. Use the logger
command (`logger -p 'user.info'`) to verify whether your syslog is logging
the events at the correct level. If it is there, sshd is not sending it.

```
[@ ~]# logger -h

Usage:
 logger [options] [message]

Options:
 -T, --tcp             use TCP only
 -d, --udp             use UDP only
 -i, --id              log the process ID too
 -f, --file <file>     log the contents of this file
 -h, --help            display this help text and exit
 -S, --size <num>      maximum size for a single message (default 1024)
 -n, --server <name>   write to this remote syslog server
 -P, --port <port>     use this port for UDP or TCP connection
 -p, --priority <prio> mark given message with this priority
 -s, --stderr          output message to standard error as well
 -t, --tag <tag>       mark every line with this tag
 -u, --socket <socket> write to this Unix socket
 -V, --version         output version information and exit
```




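As an added example that is not code from the thread or from rsyslog itself: a small Python evaluator for the classic `facility.level` selector syntax used in every config shown above, which traces the actions a message of a given facility and severity reaches. It covers Marc's per-level (`*.=info`) and per-facility (`authpriv.*`) split, the `authpriv.none` exclusion the OP grepped out of the CentOS 7 default, and Marc's point about events being discarded before any file rule sees them. The sample configs are constructed; the `EARLY_DROP` rule is hypothetical and not something the thread found on the OP's host.

```python
# Added example, not from the thread: evaluator for classic rsyslog selector
# lines, to trace where a message with a given facility/severity lands.
SEV = {n: i for i, n in enumerate(["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"])}
SEV.update(panic=SEV["emerg"], error=SEV["err"], warn=SEV["warning"])  # common aliases

def selector_verdict(selector, facility, severity):
    """True/False when the selector has an opinion on the message, else None."""
    facs, _, level = selector.rpartition(".")
    if facs != "*" and facility not in facs.split(","):
        return None
    if level == "none":          # 'authpriv.none' excludes the facility
        return False
    if level == "*":
        return True
    if level.startswith("="):    # '*.=info' matches exactly this severity
        return SEV[severity] == SEV[level[1:]]
    return SEV[severity] <= SEV[level]  # 'fac.info': info and anything more severe

def route(config, facility, severity):
    """Ordered list of actions the message reaches; stops at a '~'/'stop' discard."""
    hits = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        selectors, action = parts
        verdict = None
        for sel in selectors.split(";"):
            v = selector_verdict(sel, facility, severity)
            if v is not None:
                verdict = v      # later selectors on the line override earlier ones
        if not verdict:
            continue
        if action in ("~", "stop"):
            hits.append("DISCARD by '%s'" % line)
            break
        hits.append(action.lstrip("-"))  # a leading '-' only disables fsync
    return hits

# Constructed configs: the CentOS 7 default lines the OP grepped, Marc's
# per-level/per-facility split, and a hypothetical leftover discard rule.
CENTOS_DEFAULT = ("*.info;mail.none;authpriv.none;cron.none /var/log/messages\n"
                  "authpriv.* /var/log/secure\n")
DEBUG_SPLIT = ("*.=info /tmp/rsyslog-test/lev_info\n"
               "authpriv.* /tmp/rsyslog-test/fac_authpriv\n")
EARLY_DROP = "authpriv.* ~\nauthpriv.* /var/log/secure\n"  # hypothetical early drop
```

Real rsyslog additionally honours RainerScript `if`/`stop` blocks and the `&` continuation line, which this evaluator ignores, so treat it as a reading aid for the classic-syntax rules, not a replacement for Marc's debug config.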