Package: dsyslog
Version: 0.6.0+b1
Severity: normal
condition pattern { facility "auth*"; };
I think that the above directive is supposed to send auth and authpriv
to /var/log/auth.log
The experience on my system was that using pattern { facility "auth*"; }
did not log ssh failures to /var/log/auth.log
The attached diff gives the final solution I came to in detail but I might
elaborate here also.
Changing the condition pattern to be instead:
condition literal { facility auth; };
would have some but not all ssh failure logging going to /var/log/auth.log
To ensure authpriv goes to /var/log/auth.log aswell I then added
output file { path "/var/log/auth.log"; condition literal { facility
authpriv; }; };
And that almost did the job but some messages were still not making it
into /var/log/auth.log so I added a final line:
output file { path "/var/log/auth.log"; condition literal { program sshd; };
};
The end result was that output file /var/log/auth.log is defined 3 times
(repeated definition of output file is okay I think)
in order to achieve the original intention of default dsyslog.conf
in condition pattern { facility "auth*"; };
I have two Desktops and two servers running squeeze and will
be happy to retest things if further examples are beneficial.
I like dsyslog and am very grateful to the package maintainer for
making it available in Debian.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.18-194.3.1.el5xen (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages dsyslog depends on:
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libglib2.0-0 2.24.1-1 The GLib library of C routines
ii libgnutls26 2.8.6-1 the GNU TLS library - runtime libr
Versions of packages dsyslog recommends:
ii logrotate 3.7.8-6 Log rotation utility
Versions of packages dsyslog suggests:
pn dsyslog-module-gnutls <none> (no description available)
pn dsyslog-module-mysql <none> (no description available)
pn dsyslog-module-postgresql <none> (no description available)
-- Configuration Files:
/etc/dsyslog.conf changed:
/*
* dsyslog example config for Debian.
*
* Comments are either C-style (like this block), C++ style (//) or
* shell style (#).
*
* This file serves to be a drop-in replacement for most sites using
* sysklogd. For the uninitiated, dsyslog creates a series of streams
* which go from sources and get routed to many sinks. In between, there
* are filters, which act on all messages, and conditionals, which control
* whether or not an output accepts that message. This can be compared to
* for example syslog-ng's architecture.
*
* So, it's a little different than traditional sysklogd.
*/
/*
* loadmodule controls what modules are loaded into dsyslog.
*/
loadmodule "source_localsock.so";
loadmodule "source_mark.so";
loadmodule "source_klogfile.so";
loadmodule "source_udp.so";
loadmodule "filter_dropprog.so";
loadmodule "filter_droppriority.so";
loadmodule "filter_regexp.so";
loadmodule "output_file.so";
loadmodule "output_udp.so";
loadmodule "cond_literal.so";
loadmodule "cond_pattern.so";
/*
* sources define where dsyslog gets it's data:
* this one adds the syslogd socket.
*/
source localsock { path "/dev/log"; };
/*
* this one adds the kernel log buffer, /proc/kmsg.
*/
source klogfile { path "/proc/kmsg"; };
/*
* this one adds a source that generates "-- MARK --" which
* runs on a timer. it is for those who found that feature useful
* in syslogd.
*/
source mark;
/*
* this one adds a udp listener. as such it's commented out.
*/
/*
* you can use the dropprog filter to drop syslog messages
* from programs you don't care about entirely. for example,
* to drop logs from NetworkManager, uncomment the line below.
*/
/*
* you can also use the droppriority filter to drop syslog messages by
* BSD syslog facility and severity. At present, you must specify both.
*/
/*
* you can also filter by regexp; thanks to micah for the regexp.
* if enabled, this will replace all IPv4 IPs in your logs with 0.0.0.0.
*
* in some countries, it is recommended to do this, and infact is generally
* considered a best practice. in several countries (USA, UK, etc), ip addresses
* are seen as personal data and are covered under privacy protection laws.
* by filtering them, you may not be subject to those laws.
*/
output file {
path "/var/log/auth.log";
condition literal { facility auth; };
};
output file { path "/var/log/auth.log"; condition literal { facility
authpriv; }; };
output file { path "/var/log/auth.log"; condition literal { program sshd; };
};
output file {
path "/var/log/syslog";
condition pattern { facility "!auth*"; };
};
output file {
path "/var/log/cron.log";
condition literal { facility cron; };
};
output file {
path "/var/log/daemon.log";
condition literal { facility daemon; };
};
output file {
path "/var/log/kern.log";
condition literal { facility kernel; };
};
output file {
path "/var/log/lpr.log";
condition literal { facility lpr; };
};
output file {
path "/var/log/mail.log";
condition literal { facility mail; };
};
output file {
path "/var/log/user.log";
condition literal { facility user; };
};
output file {
path "/var/log/messages";
condition literal { facility !kernel; };
};
/*
* MySQL example. You need dsyslog-module-mysql installed for this.
*/
/*
* PostgreSQL example. You need dsyslog-module-postgresql installed for this.
*/
-- no debconf information
85,86c85
< # condition pattern { facility "auth*"; };
< condition literal { facility auth; };
---
> condition pattern { facility "auth*"; };
88,89d86
< output file { path "/var/log/auth.log"; condition literal { facility authpriv; }; };
< output file { path "/var/log/auth.log"; condition literal { program sshd; }; };