MonitorWare Knowledge Base

In syslog you have lines like this:

Aug 23 13:21:19 stagshoot01 sshd[15151]: Accepted keyboard-interactive/pam for root from ::ffff:192.168.100.235 port 53939 ssh2
Aug 23 13:21:19 stagshoot01 sshd[15154]: (pam_unix) session opened for user root by root(uid=0)

In rsyslog you have lines like this:
12:17:01 4 INFO SL stagshoot01 (pam_unix) session opened for user root by (uid=0)
12:17:01 9 INFO SL stagshoot01 (root) CMD ( run-parts --report /etc/cron.hourly)
12:17:01 4 INFO SL stagshoot01 (pam_unix) session closed for user root

How come i don't get the remote host in rsyslog?

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

The rsyslog.conf is really simple:

*.* > 192.168.1.10,dbname,username,password

Not sure if I got the point. Did you mean the message is

Accepted keyboard-interactive/pam for root from ::ffff:192.168.100.235 port 53939 ssh2

is missing if you are using rsyslog for loggging instead of syslogd?

Michael

mmeckelein wrote:Not sure if I got the point. Did you mean the message is

Accepted keyboard-interactive/pam for root from ::ffff:192.168.100.235 port 53939 ssh2

is missing if you are using rsyslog for loggging instead of syslogd?

Michael

I can confirm this bug. The exact same thing is happening to me. The line beginning with "Accepter keyboard-..." is missing when using rsyslog.

version info:

rsyslogd 1.13.0, compiled with:
FEATURE_PTHREADS (dual-threading)
FEATURE_REGEXP
FEATURE_DB
FEATURE_LARGEFILE
FEATURE_NETZIP (syslog message compression)
SYSLOG_INET (Internet/remote support)

Somehow I seem to have overlooked this post (and probably some others...).

Could you run rsyslog in debug mode (-d -n interactively) while such a message arrives? If possible, it would also be useful if you could use the DEBUG template.

Rainer

I'll see what I can do. Don't expect me to answer any time soon though.
I'm going ski-ing for two week on wednesday
I'll do some debugging after I get back.

Happy skiing