LogLevel debug2 handshake logging only on some logins, not on every login of a user
Philipp Marek
philipp at marek.priv.at
Wed May 11 20:41:15 AEST 2022
> I just had a sshd session with PID 32322 which lacked the debug log
> message.
>
> The strace (exactly the command you stated above) looks to me like
> the debug log messages are written to /dev/log.
> But I am no strace reading expert. Does this strace look healthy like
> the logging to /dev/log works for the debug log messages?
> 32322 08:19:16.728548 sendto(4, "<151>May 11 08:19:16 sftpd[32322]: debug2: MACs ctos: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-et"..., 466, MSG_NOSIGNAL, NULL, 0 <unfinished ...>
> 32322 08:19:16.729521 sendto(4, "<151>May 11 08:19:16 sftpd[32322]: debug2: MACs stoc: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-et"..., 466, MSG_NOSIGNAL, NULL, 0 <unfinished ...>
If one of these messages didn't arrive in your logfile, then UDP packet
loss looks like a good explanation.
>> 2) Is syslog-ng configured to relay the data? If yes, and using UDP,
>> some log entries might simply be missing because of congestion.
> Yes local syslog-ng filters the relevant debug messages (facility
> local2) and sends them via UDP to a remote syslog-ng server.
My "man rsyslog.conf" says
omrelp
Output module for the reliable RELP protocol (prevents message loss)
Even TCP can lose messages: the ones in transmit when a connection
breaks.
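
Added example, not part of the original message: a small Python check that pairs the strace capture with the log file on the receiving server and lists every message sshd handed to /dev/log that never arrived, which is the symptom UDP loss would produce. The sample strace lines, the received log lines and the hostname gw01 are constructed for illustration.

```python
import re

# Constructed sample of `strace -f -tt` output (MAC lists shortened).
STRACE = r'''
32322 08:19:16.728548 sendto(4, "<151>May 11 08:19:16 sftpd[32322]: debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-et"..., 466, MSG_NOSIGNAL, NULL, 0 <unfinished ...>
32322 08:19:16.729521 sendto(4, "<151>May 11 08:19:16 sftpd[32322]: debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-et"..., 466, MSG_NOSIGNAL, NULL, 0 <unfinished ...>
32322 08:19:16.730102 sendto(4, "<151>May 11 08:19:16 sftpd[32322]: debug2: compression ctos: none,zlib@openssh.com", 82, MSG_NOSIGNAL, NULL, 0) = 82
'''
# Constructed sample of the remote log file; the "MACs stoc" line never arrived.
RECEIVED = '''
May 11 08:19:16 gw01 sftpd[32322]: debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
May 11 08:19:16 gw01 sftpd[32322]: debug2: compression ctos: none,zlib@openssh.com
'''

SENDTO = re.compile(r'^(\d+)\s+\S+\s+sendto\(\d+, "((?:[^"\\]|\\.)*)"')
SYSLOG = re.compile(r'^<(\d+)>\w{3} [ \d]\d \d\d:\d\d:\d\d (.*)$', re.S)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_strace(text):
    """Return one record per syslog message written with sendto()."""
    records = []
    for line in text.splitlines():
        call = SENDTO.match(line)
        msg = SYSLOG.match(call.group(2)) if call else None
        if not msg:
            continue
        fac, sev = divmod(int(msg.group(1)), 8)   # PRI = facility * 8 + severity
        records.append({
            "pid": int(call.group(1)),
            "facility": f"local{fac - 16}" if 16 <= fac <= 23 else str(fac),
            "severity": SEVERITY[sev],
            # strace cuts long strings, so body is a prefix of the real message;
            # strace escape sequences (\n, \") are not decoded here.
            "body": msg.group(2),
        })
    return records

def find_missing(strace_text, received_text):
    """Messages sshd handed to /dev/log that appear in no received log line."""
    lines = received_text.splitlines()
    return [r for r in parse_strace(strace_text)
            if not any(r["body"] in line for line in lines)]

if __name__ == "__main__":
    for r in find_missing(STRACE, RECEIVED):
        print(f'lost: pid={r["pid"]} {r["facility"]}.{r["severity"]} {r["body"][:40]}')
```

The PRI value 151 in the captured lines decodes to facility local2, severity debug, matching the filter described in the thread.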