Aw: Re: LogLevel debug2 handshake logging only on some logins, not on every login of a user
Philipp Marek
philipp at marek.priv.at
Wed May 11 15:57:10 AEST 2022
>> 1) verifying that sshd is actually doing this (maybe via strace or
>> similar?)
>
> Could someone please guide me on how exactly to do this? I would be really
> glad to check if sshd really always sends the debug log to syslog-ng
> for every "Accepted password" line,
> to pin this issue down.

Use a command like

    strace -f -tt -s 200 -o /tmp/logfile.txt -p <pid of sshd>

Then you'd have to verify what gets written in the logfile against the
data in your syslog...

Also, everything the users do is in the logfile -- that might make
that approach unsuitable as well.

> The log looks like this in 46 cases yesterday, and only in one case I
> see the debug log lines (e.g. "debug1: kex: host key algorithm:
> ssh-rsa [preauth]") between the
> "Connection from" and "Accepted password" log lines, for the session
> (same PID).
> There are also not only some lines missing sometimes, the log just
> misses all of the session corresponding debug log lines, or all are
> there.

1) Do you have a per-client configuration in your sshd_config?
   Look for a "Match" block, also in included files.

2) Is syslog-ng configured to relay the data? If yes, and using UDP,
   some log entries might simply be missing because of congestion.

3) I'd be happy to take a look at a log file (send it privately);
   if you're not happy about that, I'd fully understand.
   (I don't have a script ready to anonymize such log files, sadly -
   and TBH, changing the one I have for HTTP access logs right now is
   too much effort, and might also go wrong.)
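
The per-PID comparison discussed in this thread (which "Accepted password" logins have debug lines after their "Connection from" line) can be scripted. This is an added example, not part of the original message: the log lines are constructed, the function names are hypothetical, and it assumes the classic syslog layout "sshd[PID]: message".

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
May 10 09:00:01 host sshd[1201]: Connection from 192.0.2.10 port 50022 on 192.0.2.1 port 22
May 10 09:00:01 host sshd[1201]: debug1: kex: host key algorithm: ssh-rsa [preauth]
May 10 09:00:02 host sshd[1201]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
May 10 09:05:10 host sshd[1307]: Connection from 192.0.2.11 port 50100 on 192.0.2.1 port 22
May 10 09:05:11 host sshd[1307]: Accepted password for bob from 192.0.2.11 port 50100 ssh2
May 10 09:07:00 host sshd[1201]: Connection from 192.0.2.12 port 50200 on 192.0.2.1 port 22
May 10 09:07:01 host sshd[1201]: Accepted password for carol from 192.0.2.12 port 50200 ssh2
May 10 09:08:00 host sshd[1400]: Connection from 192.0.2.13 port 50300 on 192.0.2.1 port 22
May 10 09:08:01 host sshd[1400]: debug1: kex: host key algorithm: ssh-rsa [preauth]
"""

LINE_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")
DEBUG_RE = re.compile(r"^debug[123]: ")


def classify_sessions(lines):
    """Return (pid, user, debug_line_count) for every password login."""
    open_sessions = {}  # pid -> debug lines seen since "Connection from"
    results = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        if msg.startswith("Connection from "):
            open_sessions[pid] = 0  # reset the counter: PIDs get reused
        elif DEBUG_RE.match(msg):
            if pid in open_sessions:
                open_sessions[pid] += 1
        elif msg.startswith("Accepted password for "):
            user = msg.split()[3]
            # -1 marks a login whose "Connection from" line is itself missing
            results.append((pid, user, open_sessions.pop(pid, -1)))
    return results


def summarize(results):
    """Count logins with and without any debug lines."""
    return dict(Counter("with_debug" if n > 0 else "without_debug"
                        for _, _, n in results))


if __name__ == "__main__":
    sessions = classify_sessions(SAMPLE_LOG.splitlines())
    for pid, user, n in sessions:
        print(f"pid={pid} user={user} debug_lines={n}")
    print(summarize(sessions))
```

Running it over the file syslog-ng writes and again over a copy taken before any relay hop shows whether the debug lines are lost in transit or were never logged for those sessions.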