From owner-freebsd-questions@FreeBSD.ORG  Mon Sep 16 18:44:10 2013
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id 3660A1C5
 for <freebsd-questions@freebsd.org>; Mon, 16 Sep 2013 18:44:10 +0000 (UTC)
 (envelope-from aurikus@gmail.com)
Received: from mail-la0-x233.google.com (mail-la0-x233.google.com
 [IPv6:2a00:1450:4010:c03::233])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 9ED3F2433
 for <freebsd-questions@freebsd.org>; Mon, 16 Sep 2013 18:44:09 +0000 (UTC)
Received: by mail-la0-f51.google.com with SMTP id lv10so3424014lab.24
 for <freebsd-questions@freebsd.org>; Mon, 16 Sep 2013 11:44:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=L8rPmLrNvMDI1Dmg0CsMUSo6eFAZEuW1li7yQq8PwoU=;
 b=gByJNFNhqXzbHnsM7F5fxfaqxcmVoqHnduAzcgPvJRw7sAJSfwq1HYQKIJz6/vz7/V
 6Ltj7AWF/iXarrrCnKosVBvmK4AaFY6IOE+OCBTnlRwhM8agouI12JSDkoj+LycEss7H
 sv1I3pM3dFnciOHdDkex2Ty4/vI4aNFDkvElH2X1N8O8apyt0MLX3eot8MUkicbASu6o
 EjD2YLM1KH+d1F0HoB3Um/8LYqKS569du+NZ1tUDpt7S3JVFJ4aHpT9H5G2sxqSoenU1
 G5YQwe6aIaGfaTTgzToJYzrmvc+bXP9ZyBc9Hdng6VrM0xVG91jW3hyGQ4waVKrWL3w5
 rCUw==
MIME-Version: 1.0
X-Received: by 10.152.10.99 with SMTP id h3mr26438070lab.13.1379357047628;
 Mon, 16 Sep 2013 11:44:07 -0700 (PDT)
Received: by 10.114.174.13 with HTTP; Mon, 16 Sep 2013 11:44:07 -0700 (PDT)
In-Reply-To: <CAHzLAVEtM=8rhcd4s-sjJ2Kcoy-RnOpxgJTCWOHaT_r85h2p8w@mail.gmail.com>
References: <CAPzqM6D=hy9P-N3TwLZQAbPp4bU_Sp57-LN-DmLaBkD_3jQSTg@mail.gmail.com>
 <CAHzLAVH+DU67cYt9vQB9BSRor8HgsL=A_HxFGbXpPaG-0ukEFQ@mail.gmail.com>
 <CAPzqM6Duoe5qOPevqHPrXG=+q5u=AYrBe88yKH5ksAx76ac=aw@mail.gmail.com>
 <CAHzLAVE96vJK3ni1=WoSbiChODa7PhWhghLOKTXHNw9qnVM3=A@mail.gmail.com>
 <CAPzqM6CL=LJA9MHnKW8NS7=Y_36NgeGuJCSt98zUedAvmCfKww@mail.gmail.com>
 <CAHzLAVEtM=8rhcd4s-sjJ2Kcoy-RnOpxgJTCWOHaT_r85h2p8w@mail.gmail.com>
Date: Mon, 16 Sep 2013 20:44:07 +0200
Message-ID: <CAPzqM6B0dfS=0_V=6nnZwc6m+SVQDN=R6TaG37hP4rf6z9rTjQ@mail.gmail.com>
Subject: Re: how to log sshd access in a single file
From: aurikus grande <aurikus@gmail.com>
To: Rick Miller <vmiller@hostileadmin.com>
Content-Type: text/plain; charset=ISO-8859-1
X-Content-Filtered-By: Mailman/MimeDel 2.1.14
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Sep 2013 18:44:10 -0000

>Most web servers handle their own logging.
I do _not_ want the web server acces to be logged (at least as of now).

>Have you looked at /var/log/auth.log?
yes, and as you mentioned in your previous update, it logs the success
login (only). Unsuccessfull attempts are being sent to  /var/log/messages .
So there are 2 separate files. I would like to have all sshd access
attempts in one single file - regardless if they are successfull or
unsuccessfull.

Quotation: "I believe FreeBSD defaults to failed ssh authentication is
logged to /var/log/messages while successful authentication is written to
/var/log/auth.log."

>Can you elaborate on your reasons for running sshd via inetd? I'm curious
as I've never even heard of anyone attempting this.
When i searched how to setup / configure sshd on internet, i found many
hints to start it using inetd. Since it worked for me there was no reason
to change it.

Best regards,
aurikus


2013/9/16 Rick Miller <vmiller@hostileadmin.com>

> On Mon, Sep 16, 2013 at 1:57 PM, aurikus grande <aurikus@gmail.com> wrote:
>
>> Hello Rick,
>>
>> sorry that i did not reply to all, from now on i will use "reply to all".
>> Thanks for pointing it out.
>>
>> I will also open port 80 for web access, but i do not want to log those.
>> Because i expect a huge amount of traffic on my server.
>>
>
> Most web servers handle their own logging.
>
> So i only want to log successfull and unsuccessfull sshd access.
>>
>
> Have you looked at /var/log/auth.log?
>
> twist is part of the FreeBSD 9.1 base installation, i did not yet install
>> any other package.
>>
>
> That was my mistake, I sent the email before editing that out as I had
> intended.
>
> The idea behind using hosts.allow was because i could specify the rule by
>> the service (and not by the level of the message).
>>
>> And yes, in my case sshd is configured to run via inetd.
>>
>> You are correct, my main goal is to log all failed sshd attempts. If it
>> is easier to log successfull and failed attempts (to the same file), this
>> would also be fine for me.
>>
>
> Can you elaborate on your reasons for running sshd via inetd?  I'm curious
> as I've never even heard of anyone attempting this.
>
>
> --
> Take care
> Rick Miller
>