Aw: Re: LogLevel debug2 handshake logging only on some logins, not on every login of a user
philipp at marek.priv.at
Wed May 11 15:57:10 AEST 2022
>> 1) verifying that sshd is actually doing this (maybe via strace or
> Could someone please lead me how exactly to do this? I would be really
> glad to check if sshd really always sends the debug log to syslog-ng
> for every "Accepted password" line,
> to pin this issue down.
Use a command like
strace -f -tt -s 200 -o /tmp/logfile.txt -p <pid of sshd>
Then you'd have to verify what gets written in the logfile to the data
in your syslog.....
Also, everything the users do is in the logfile -- that might make
that approach unsuitable as well.
> The log looks like this in 46 cases yesterday, and only in one case I
> see the debug log lines (e.g. "debug1: kex: host key algorithm:
> ssh-rsa [preauth]") between the
> "Connection from" and "Accepted password" log lines, for the session
> (same PID).
> There are also not only some lines missing some times, the log just
> misses all of the session corresponding debug log lines, or all are
1) Do you have a per-client configuration in your sshd_config?
Look for a "Match" block, also in included files.
2) Is syslog-ng configured to relay the data? If yes, and using UDP,
some log entries might simply be missing because of congestion.
3) I'd be happy to take a look at a log file (send it privately);
if you're not happy about that, I'd fully understand.
(I don't have a script ready to anonymize such log files, sadly -
and TBH, changing the one I have for HTTP access logs right now is
too much effort, and might also go wrong.)
More information about the openssh-unix-dev