LogLevel debug2 handshake logging only on some logins, not on every login of a user
Hildegard Meier
daku8938 at gmx.de
Thu May 12 01:51:57 AEST 2022
> Gesendet: Dienstag, 10. Mai 2022 um 03:21 Uhr
> Von: "Damien Miller" <djm at mindrot.org>
> I'd suggest the next steps in figuring this out are:
>
> 1) verifying that sshd is actually doing this (maybe via strace or
> similar?)
I startet sshd with "-E /var/log/app/ssh/debug.log"
and in that log vor every "Accepted password" message there is one corresponding debug log message,
so that log is as expected, unfortunately without timestamps, PIDs etc.
> 2) verifying that syslogd isn't eating the log entries after sshd
> sends them.
If the same log entries like that are written with "-E /var/log/app/ssh/debug.log" are written to /dev/log (what seems to be according to the strace), I think the eating of the debug log messages could be a systemd issue (because /dev/log is a symlink to /run/systemd/journal/dev-log nowadays),
or a syslog-ng issue. The non-debug messages are continiously logged as expected.
I tried dozens of configuration tweeks with syslog-ng local file logging, without any change of behavior.
More information about the openssh-unix-dev
mailing list