1. Skip to Menu
  2. Skip to Content
  3. Skip to Footer>

พื้นที่ลงโฆษณา

Thin Client Server

พื้นที่ลงโฆษณา

Linux Authentication

พื้นที่ลงโฆษณา

Syslog-ng-SSH log

PDF Print E-mail

Written by Mr. Sontaya Photibut Saturday, 02 May 2009 15:07

การสร้าง SSH Logging ด้วย Syslog-ng

เราจะเห็นได้ว่าใน SUSE Linux Enterprise Server มีการเก็บ log file SSH ลงบน /var/log/messages ซึ่งทำให้อยากต้องการตรวจสอบ แนวทางแก็ไขก็คือสร้างที่เก็บ SSH log file นี่ใหม่ครับ.

1. สร้าง SSH log directory

# mkdir /var/log/sshd

2. สร้างไฟล์สำหรับเก็บ log

# touch /var/log/sshd/sshderr.log

# touch /var/log/sshd/sshd.log

3. แก้ไขไฟล์ syslog-ng.conf.in

# vim /etc/syslog-ng/syslog-ng.conf.in

 พิมพ์เพิ่มในบรรทัดสุดท้ายครับ

# SSH Filters
filter f_sshderr    { match('^sshd\[[0-9]+\]: error:'); };
filter f_sshd       { match('^sshd\[[0-9]+\]:'); };

# SSH Logging
destination sshderr { file("/var/log/sshd/sshderr.log"); };
log { source(src); filter(f_sshderr); destination(sshderr); flags(final); };

destination sshd { file("/var/log/sshd/sshd.log"); };
log { source(src); filter(f_sshd); destination(sshd); flags(final); };
:wq! 

รายละเอียด
Entry Description
# SSH Filters This line is a comment and only there for human readability/reminder.
filter f_sshderr { match('^sshd\[[0-9]+\]: error:'); }; This line sets a filter statement which will weed out the following strings "sshd: error:". Between the brackets any digits can exist there.
filter f_sshd { match('^sshd\[[0-9]+\]:'); }; This line sets a filter statement which will weed out the following strings "sshd:". Between the brackets any digits can exist there.
# SSH Logging This line is a comment and only there for human readability/reminder.
destination sshderr { file("/var/log/sshd/sshderr.log"); }; This line a destination for SSH errors i.e. /var/log/sshd/sshderr.log.
log { source(src); filter(f_sshderr); destination(sshderr); flags(final); }; This line combines the filter and the destination for logging.
destination sshd { file("/var/log/sshd/sshd.log"); }; This line a destination for all other SSH activities i.e. /var/log/sshd/sshd.log.
log { source(src); filter(f_sshd); destination(sshd); flags(final); }; This line combines the filter and the destination for logging.
 4. สั่ง Generating syslog-ng
# SuSEconfig
5. Restart syslog-ng daemon
# rcsyslog restart หรือ service syslog restart
6. ตรวจสอบ log SSH
ทดสอบโดยการที่คุณลอง ssh มาที่เครื่องที่คุณได้ config ไว้หลังจากนั้นให้ใช้คำสั่ง tail -f ในการตรวจสอบ
เช่น tail -f /var/log/sshd/sshderr.log
7.  สร้าง  logrotate
# vim /etc/logrotate.d/sshd

/var/log/sshd.log /var/log/sshderr.log {
compress
dateext
maxage 365
rotate 99
size=+400k
notifempty
missingok
copytruncate
create 640 root root
sharedscripts
postrotate
/etc/init.d/syslog reload
endscript

}

 

Ref : http://www.novell.com/communities/ 

 
 

 

 

 


Comments (0)Add Comment
feedSubscribe to this comment's feed

Write comment

security code
Write the displayed characters


busy
 

SUSE Linux Enterprise Cool Solutions

  • Watch the future of Retail

    On YouTube I've published a three-part video of a presentation I did in early July 2010 to IBM retail partners. The sound volume is a bit low, and this was all recorded with a little flip mino camera, so please excuse the bad quality.

    The three video snippets are mainly intended for any of you who want to use Linux in retail as a solution provider and are wondering how solutions from Novell can help you be more successful.

    Nevertheless, especially the first part about how we see the future of the Point of Service might also be interesting to you if you are a decision maker in retail or just curious about how the future in retail IT may look like.

    The new features in SUSE Linux Enterprise Point of Service 11 Service Pack 1 are only mentioned briefly in this presentation. Watch out for more blog posts to come on Service Pack 1.

    This is Joachim Werner blogging live from the SUSE offices in Nuremberg, Germany.

    http://www.youtube.com/watch?v=WdYEeLIou7s
    http://www.youtube.com/watch?v=3Awr3tPpo2Y
    http://www.youtube.com/watch?v=pwwKpoEI9GI

  • Create an Appliance with SUSE Studio -- you could win $10,000

    They're looking for inventive minds to build the most innovative software appliances. Publish your unique appliance to the new SUSE® Gallery™ and enter into a contest to win $10,000!

    The contest runs from July 27 - September 30, 2010, so brush off your mad skills and pop on over here for all the details.

    It must not be too hard.... in the past year, more than 400,000 Linux appliances were built using SUSE Studio, with nearly 3 million downloads. SUSE Gallery is the place to strut your stuff and show off the appliances you have built with SUSE Studio. It also serves as a centralized online showcase where SUSE Studio users can browse and use both commercial and community-oriented appliances.

    Good luck! Make Cool Solutions proud.

  • See us at SHARE, Boston!

    The next SHARE event is approaching quickly - it takes place in Boston from August 1-5 at Hynes Convention Center: http://www.share.org/Events/UpcomingConference/tab...

    If you are attending, don´t miss the chance to meet our experts for System z, and visit us at Booth #319. To name just a few, watch out for Kim Lorusso (IBM Alliance Marketing Manager and Cool Blogger), Patrick Quairoli (Technical Alliance Manager), Marcus Kraft (Linux on mainframe "pioneer" and Product Manager for SUSE Linux Enterprise Server for System z), David Getzin (Partner Executive for IBM), John Jolly (Sys z Architect), and others. Chat with them about the SUSE Linux Enterprise Consolidation Suite tailored for IBM Solution Edition for Enterprise Linux. Don´t know what that is? Read more here: http://www.novell.com/products/systemz/els.html
    And get the latest about the new zEnterprise System - you bet that will be one of the "ruling" topics.

    Or listen to Mike Friesenegger, one of our most experienced Technical Specialists, when he talks about "ASP.NET on zLinux: A New Workload" (Tues Aug 3, 9:30-10:30AM, Room 305) and about how to " Implement the SUSE Linux Enterprise High Availability Extension on System z" (Tues Aug 3, 11AM-12PM, Room 208). And you´ll have the opportunity to hear from customers like Nationwide Insurance why and how they use SLES for System z.

    And as a side note - for those who have travel constraints and cannot attend personally, SHARE offers the option to participate online - just check out http://www.share.org/Events/UpcomingConference/SHA...

  • IBM zEnterprise System - Get the hard facts

    This week on Thursday IBM made a ground-breaking announcement about the revolutionary zEnterprise System - you might have read my article here on Cool Solutions:
    http://www.novell.com/communities/node/11670/ibm-f...

    Curious now about getting details and some hard facts? Just download the data sheet from IBM and see how it works. Want to discuss how this new system relates to SUSE Linux Enterprise ? Leave a comment or drop me an email at chabow@novell.com

    AttachmentSize
    11394070.pdf385.48 KB
  • What do you think about this country/language selector?

    The web team at Novell is tweaking the way people choose the language they want to read the website in. (Of course, this doesn't affect this communities section, which is only provided in English. But it does affect a lot of the marketing pages on novell.com. )

    We'd like your feedback, especially if you like to read the rest of Novell.com in a language other than English. Take a look at this design, and let us know what you think by posting comments.

    Thanks for your input!

    View design here.

Sponsors List