LogLevel debug2 handshake logging only on some logins, not on every login of a user

Hildegard Meier daku8938 at gmx.de
Wed May 11 21:38:39 AEST 2022

> 2)  Is syslog-ng configured to relay the data? If yes, and using UDP,
> 	some log entries might simply be missing because of congestion.

I log locally, the syslog-ng config is plain simple:

source s_src {
       system();    # this is /dev/log on Linux
       internal();  # this is only for error messages from syslog-ng itself

filter f_local2 { facility(local2); };  # sshd is configured with "SyslogFacility local2"

filter f_ssh_auth_wanted {
    not level(debug)
    or  message("^debug2: MACs ctos: ")
    or  message("^debug1: kex: client->server cipher: ")
    or  message("^debug2: KEX algorithms: ")
    or  message("^debug2: host key algorithms: ")
    or  message("^debug1: kex: host key algorithm: ")
    or  message("^debug2: ciphers ctos: ");

destination d_ssh_auth {
    file("/var/log/app/ssh/auth.log" flush_lines(10) );

log {

# delete all other unwanted sshd debug messages (no destination = no action = "delete")
log {

I have no clue why the debug messages that match on the filter (e.g. "debug2: host key algorithms: ssh-rsa,ssh-dss [preauth]") are only logged _sometimes_ in /var/log/app/ssh/auth.log and not together with every "Accepted password" log entry.

More information about the openssh-unix-dev mailing list