From: parv
To: "R. Fong Poen"
Cc: freebsd-questions@FreeBSD.ORG
Date: Thu, 2 Aug 2001 15:24:04 -0400
Subject: Re: SSH access lof file
Message-ID: <20010802152404.B21275@moo.holy.cow>

this was, on the fateful occasion around Aug 02 14:42 -0400,
sent by R. Fong Poen
> ...
> To maintain my server I use SSH1.
> However, I would like to know who logged in using SSH.
> in the file /etc/ssh/ssh_config I would have:
>
> SyslogFacility AUTH
> LogLevel INFO
>
> in the file /etc/syslog.conf I can set everything to be logged in 1 file
> using:
>
> # uncomment this to enable logging of all log messages to /var/log/all.log
> *.*     /var/log/all.log
>
> If I log everything to 1 log file the SSH log entries are there but what an
> extra big file this would become.
>
> Aug 2 19:27:49 www sshd[212]: log: Server listening on :: port 722.
...
> Aug 2 19:28:46 www sshd[230]: raymond from a122346.upc-a.chello.nl
> (password authentication accepted)
>
> Is there a possibility to have all activity from SSH logged in a separate
> file.
>
> I have tried the following in the file /etc/syslog.conf
>
> # SSH
> ssh.*   /var/log/ssh_log
> and
> sshd.*  /var/log/ssh_log
>
> Both do not work
...

first of all did you take a look at syslogd man page?  the
interesting part here is the -v option.  use once, you get
facility.level numbers, use twice and you get facility.level names in
the logs.

did you try this...

  # a
  security,auth,authpriv.=>info   /var/log/auth_log

...or, just...

  # b
  auth.=>info   /var/log/auth.log

...or, maybe even this (daemon=local3)...

  # c
  daemon.*   /var/log/daemon

  # d
  !ssh.*    /var/log/ssh_log
  !sshd.*   /var/log/sshd_log

- a (& b) will catch, almost, all the login procedure
- c will log logs generated by daemons, but that's almost as bad as *.*
  depending on your other log options
- d may or may not work

-- 
so, do you like word games or scrabble?
 - parv
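
An added example, not part of the original message: a small Python model of syslog.conf facility.level selector matching, run over constructed log lines in the shape `syslogd -v -v` is assumed to write, to show which of selectors a to c receive sshd's entries when sshd logs with `SyslogFacility AUTH`. The matcher, the sample lines, the facility list and the treatment of `=>` as an unordered set of comparison flags are assumptions modelled on syslog.conf(5), not syslogd's own code.

```python
import re

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"security": "auth"}  # deprecated synonym per syslog.conf(5)
FACILITIES = {"*", "auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"} | {f"local{i}" for i in range(8)}
# Assumed "syslogd -v -v" line shape: timestamp <facility.level> host prog[pid]: msg
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} <(\w+)\.(\w+)> \S+ (\w+)(?:\[\d+\])?: ")
RULES = [  # selectors a, b and c from the message above
    ("security,auth,authpriv.=>info", "/var/log/auth_log"),
    ("auth.=>info", "/var/log/auth.log"),
    ("daemon.*", "/var/log/daemon"),
]
# Constructed sample lines (not real log output)
SAMPLE = """\
Aug  2 19:27:49 <auth.info> www sshd[212]: log: Server listening on :: port 722.
Aug  2 19:28:46 <auth.info> www sshd[230]: log: constructed login line
Aug  2 19:30:12 <daemon.notice> www named[101]: constructed daemon line
Aug  2 19:31:00 <auth.debug> www sshd[230]: debug: constructed debug line
"""

def selector_matches(selector, facility, level):
    """True if a 'fac1,fac2.[!][<=>]level' selector matches facility/level."""
    names, _, spec = selector.partition(".")
    facs = {ALIASES.get(f, f) for f in names.split(",")}
    if facs - FACILITIES:  # "ssh" and "sshd" are program names, not facilities
        raise ValueError(f"unknown facility name: {sorted(facs - FACILITIES)}")
    if "*" not in facs and facility not in facs:
        return False
    if spec == "*":
        return True
    body = spec.lstrip("!")
    name = body.lstrip("<=>")
    flags = set(body[:len(body) - len(name)]) or {">", "="}  # bare level means >=
    want, got = LEVELS.index(name), LEVELS.index(level)
    hit = (("=" in flags and got == want) or
           (">" in flags and got < want) or   # lower index = more severe
           ("<" in flags and got > want))
    return hit != spec.startswith("!")

def route(text, rules):
    """Map each destination file to the programs whose lines it would receive."""
    out = {dest: [] for _, dest in rules}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        fac, lvl, prog = m.groups()
        for sel, dest in rules:
            if selector_matches(sel, fac, lvl):
                out[dest].append(prog)
    return out
```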