sshd is not reporting on 'AUTH' facility
Looking at sshd default config you will notice that SyslogFacility is commented out and indicates that sshd is reporting as ‘AUTH’.
But sshd is not reporting as ‘AUTH’! Not even when you uncomment the ‘SyslogFacility AUTH’ section in /etc/ssh/sshd_config.
# grep -i facility /etc/ssh/sshd_config
#SyslogFacility AUTH
The problem can be recreated with:
# apk version -v | grep -i "^openssh"
openssh-client-5.6_p1-r1 = 5.6_p1-r1
openssh-5.6_p1-r1 = 5.6_p1-r1
There is no problem with (aka. works fine in):
# apk version -v | grep -i "^openssh"
openssh-client-5.2_p1-r3 < 5.3_p1-r0
openssh-5.2_p1-r3 < 5.3_p1-r0
There is no problem with (aka. works fine in):
# apk version -v | grep -i "^openssh"
openssh-client-5.3_p1-r0 = 5.3_p1-r0
openssh-5.3_p1-r0 = 5.3_p1-r0
This is how I found the bug:
On a host that is supposed to gather all logs:
apk add sysklogd
Make sure that /etc/syslog.conf has the following record:
auth,authpriv.* /var/log/auth.log
Make sysklogd listen to other hosts (/etc/conf.d/sysklogd):
SYSLOGD="-m 0 -r"
Start tailing /var/log/auth.log
Next we need to tell the other Linux boxes to send their logs to this ‘logging server’.
(If the remote box is using sysklogd then add the following to /etc/syslogd.conf)
*.* @IP.TO.LOG.SRV
The logserver still gets all logs (they end up in /var/log/syslog), so I get the sshd logs to the logserver; they just don't end up in the right place because the LogFacility is wrong.
I assume you should be able to do this debugging with a single box, but I described how I noticed the error just in case the error is related to remote logging.
(from redmine: issue id 604, created on 2011-04-28, closed on 2011-09-15)
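
Added example, not part of the original report: a syslog selector such as 'auth,authpriv.*' matches on the facility encoded in each message's leading <PRI> value (facility * 8 + severity), so decoding that value on the log server shows which facility a sender really used. The function names and the sample datagrams below are constructed for illustration and do not show what the affected sshd actually sent.

```python
import re

# Facility codes from RFC 3164 / RFC 5424; PRI = facility * 8 + severity.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")
AUTH_SELECTOR = {"auth", "authpriv"}  # facilities named in 'auth,authpriv.*'

def decode_pri(datagram):
    """Return (facility, severity) names, or None if the PRI header is bad."""
    m = PRI_RE.match(datagram)
    if m is None or int(m.group(1)) > 191:  # 191 = local7.debug, the maximum
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return FACILITIES.get(facility, f"unknown({facility})"), SEVERITIES[severity]

def audit(datagrams, program=b"sshd"):
    """For each message tagged with `program`, report the facility it carried
    and whether the 'auth,authpriv.*' rule would route it to auth.log."""
    report = []
    for d in datagrams:
        if b" " + program + b"[" not in d and b" " + program + b":" not in d:
            continue  # message from some other program
        decoded = decode_pri(d)
        if decoded is None:
            report.append(("malformed", None, False))
        else:
            report.append((decoded[0], decoded[1], decoded[0] in AUTH_SELECTOR))
    return report

# Constructed sample datagrams (hypothetical hosts, users and addresses).
SAMPLES = [
    b"<38>Apr 28 10:00:01 box1 sshd[2211]: Accepted password for alice from 192.0.2.10 port 50022 ssh2",
    b"<30>Apr 28 10:00:02 box1 sshd[2212]: Accepted password for bob from 192.0.2.11 port 50023 ssh2",
    b"<86>Apr 28 10:00:03 box1 sshd[2213]: pam_unix(sshd:session): session opened for user carol",
    b"<78>Apr 28 10:00:04 box1 crond[300]: USER root pid 301 cmd run-parts /etc/periodic/15min",
    b"Apr 28 10:00:05 box1 sshd[2214]: message with no PRI header",
]

if __name__ == "__main__":
    for facility, severity, to_auth_log in audit(SAMPLES):
        print(f"{facility}.{severity}: matches auth,authpriv.* = {to_auth_log}")
```

Any sshd row whose last field is False would be caught only by a catch-all rule, which is the symptom described above.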