Syslog/ssh daemon tweak under Slackware 15.0
by HicEtNunc from LinuxQuestions.org on (#6NZHH)
I have a Slackware 15.0 which is connected both to an internal network and to the Internet. With the default syslog/sshd configuration in Slackware 15.0 all of the logs generated by the OpenSSH daemon are logged to /var/log/messages.
I have changed things so that such logs are instead sent to /var/log/sshd.log, by means of the following:
1. Inserted the line
SyslogFacility LOCAL0
into /etc/ssh/sshd_config.
2. In /etc/syslog.conf changed the line
*.info;*.!warn; authpriv.none;cron.none;mail.none;news.none -/var/log/messages
to
*.info;*.!warn; authpriv.none;cron.none;mail.none;news.none;local0.none -/var/log/messages
3. Restarted the OpenSSH and syslog daemons.
The above works, in that all of the logs generated by the OpenSSH daemon are sent to /var/log/sshd.log, rather than /var/log/messages. I need help with the following:
For reasons that are not relevant to this discussion this system registers frequent SSH connections from other hosts in the same network (192.168.0/24), and also from hosts in the Internet. I would like to be able to segregate logs resulting from SSH connection attempts: those resulting from hosts in the same network would go to /var/log/ssh_local.log, while those from the Internet would go to /var/log/ssh_external.log.
Anybody know whether syslog and OpenSSH can be configured to do this, and if so, how?
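The sysklogd-style rules in /etc/syslog.conf above select messages only by facility and priority, not by the peer address inside the message text, so the split by network has to be done on the log lines themselves. As an added example that is not from the post, this Python script reads the combined /var/log/sshd.log and appends each line to /var/log/ssh_local.log or /var/log/ssh_external.log depending on whether the address sshd recorded falls inside 192.168.0.0/24; the sample log lines are constructed, and lines carrying no peer address (such as "Server listening") are written to neither file.

```python
import ipaddress
import re

LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")  # the poster's internal network

# Constructed sample lines in the format sshd emits through syslog.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[1201]: Accepted publickey for alice from 192.168.0.17 port 50211 ssh2
Mar  3 10:02:40 host sshd[1215]: Failed password for invalid user admin from 203.0.113.45 port 41022 ssh2
Mar  3 10:02:41 host sshd[1215]: Connection closed by invalid user admin 203.0.113.45 port 41022 [preauth]
Mar  3 10:03:05 host sshd[1230]: Accepted password for bob from 192.168.0.22 port 50300 ssh2
Mar  3 10:03:30 host sshd[1233]: Received disconnect from 198.51.100.9 port 2222:11: Bye Bye [preauth]
Mar  3 10:03:50 host sshd[1237]: Accepted publickey for carol from ::ffff:192.168.0.9 port 40000 ssh2
Mar  3 10:04:00 host sshd[1240]: Server listening on 0.0.0.0 port 22.
"""

# sshd names the peer as "from <addr> port <n>" or "... by [invalid|authenticating] user <u> <addr> port <n>".
ADDR_RE = re.compile(r"\b(?:from|by)\s+(?:(?:invalid\s+|authenticating\s+)?user\s+\S+\s+)?(\S+)\s+port\s+\d+")

def classify(line):
    """Return 'local', 'external', or None when the line carries no peer address."""
    m = ADDR_RE.search(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    # sshd may log IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d); unwrap before the CIDR test.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return "local" if addr in LOCAL_NET else "external"

def split_lines(lines):
    """Group log lines into local / external / other buckets."""
    buckets = {"local": [], "external": [], "other": []}
    for line in lines:
        buckets[classify(line) or "other"].append(line)
    return buckets

def split_log_file(src, local_path, external_path):
    """Append the lines of src to the two per-network files; return per-bucket counts."""
    with open(src) as fh:
        buckets = split_lines(l.rstrip("\n") for l in fh)
    with open(local_path, "a") as lo, open(external_path, "a") as ex:
        lo.writelines(l + "\n" for l in buckets["local"])
        ex.writelines(l + "\n" for l in buckets["external"])
    return {k: len(v) for k, v in buckets.items()}
```

Run as `split_log_file("/var/log/sshd.log", "/var/log/ssh_local.log", "/var/log/ssh_external.log")` from cron or after each logrotate cycle; since it appends, feed it only lines not yet processed (for example the rotated file) to avoid duplicates.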