I was wondering, is there any way I can change the appearance of the sshd log output in /var/log/sshderr.log and /var/log/sshd.log? Right now, it's showing as such:
sshd[4857]: error: PAM: Authentication failure for it.sysadm from cijXXX.jp.mitsubishi-motors.com
sshd[4249]: Accepted keyboard-interactive/pam for root from 191.255.XXX.XXX port XXXXX ssh2
I am fine with the results above, but the customer had a weird request: to ensure that IP addresses don't show up; instead they want "host names" to appear in the IP address column. Is this even possible?
My hosts file has a bunch of servers' DNS names added to it, so it makes sense that if I SSH from box A to box B, the ssh logs print out the host name instead of the IP address. But I don't understand how to make this possible with the rest of the world! I already said no, but they're not taking no for an answer.
On the SUSE box, most parameters in /etc/sshd/sshd_config are already commented out. I am using SUSE Linux Enterprise Server 10 (x86_64).
I'd appreciate it if someone could help me out on this. Thank you.
---------- Post updated at 01:13 PM ---------- Previous update was at 12:22 PM ----------
There's been an update for the request above.
So now, would it be possible to identify the machine from which the user ssh'd into the servers, for both successful and failed logins?
e.g.
sshd[5655]: Accepted keyboard-interactive/pam for root from 191.255.128.119 priti-pc port 55462 ssh2
It is not a very bright idea to me. You can try with syslog-ng, but I'm not sure. Even if you are able to do the DNS resolution, it requires extra time and may create a tail in the log. You must tell him that.
I agree with you, because the IP addresses are already captured and I hate to mess up something I don't know how to fix later. But if I were to do it, how do I go about it? My sshd setting in syslog-ng.conf.in is as such:
I'm not sure, but maybe you can try this in your conf:
options {
# Check client hostnames for valid DNS characters
check_hostname (yes);
# Specify whether to trust hostname in the log message.
# If "yes", then it is left unchanged, if "no" the server replaces
# it with client's DNS lookup value.
keep_hostname (yes);
# Use DNS fully qualified domain names (FQDN)
# for the names of log file folders
use_fqdn (yes);
use_dns (yes);
# Cache DNS entries for up to 1000 hosts for 12 hours
dns_cache (yes);
dns_cache_size (1000);
dns_cache_expire (43200);
};
Which config file do I add that to... my nsswitch.conf file?
---------- Post updated at 11:05 AM ---------- Previous update was at 10:39 AM ----------
Hi again ygemici,
I edited my options in /etc/syslog-ng/syslog-ng.conf.in and ran the SuSEconfig command after adding the options you provided, but at best I am still getting IPs instead of DNS names, so I am guessing these IP addresses are not mapped to DNS for this server:
Apr 5 11:18:08 src@testlinux.site sshd[21867]: error: PAM: User not known to the underlying authentication module for illegal user test from testlinux.site
Apr 5 11:18:08 src@testlinux.site sshd[21867]: Failed keyboard-interactive/pam for invalid user test from 10.160.11.10 port 60394 ssh2
testlinux:~ # service syslog restart
Shutting down syslog services done
Starting syslog services done
testlinux:~ # cat /etc/resolv.conf
nameserver 203.115.1XX.XX
nameserver 203.115.1XX.XX
search site
Somehow I think it is impossible to achieve both outputs; I can either have the hostname or the IP showing. Can you show me how you managed to get both the IP and the hostname?
Apr 6 10:24:26 ciXXX sshd[10485]: error: PAM: Authentication failure for root from XXXXX.jp.mitsubishi-motors.com    <-- when I ssh from another server to this server
Apr 6 10:26:06 ciXXX sshd[10485]: Accepted keyboard-interactive/pam for root from 10.17.XXX.1XX port 47898 ssh2    <-- when I ssh from another server to this server
Apr 6 10:27:16 ciXXX sshd[10626]: Accepted keyboard-interactive/pam for root from 191.255.1XX.XXX port 63374 ssh2    <-- when I ssh from SecureCRT on my desktop
I suppose syslog-ng with "use_dns" does not resolve all IPs to names in the logs.
I think "use_dns(yes)" resolves only the "$HOST_FROM" variable (that is, the address of the remote ssh client, if the remote client sends to this host);
syslog-ng receives it and resolves the source IP to a NAME if possible. The other remaining log lines are generated by the local sshd.
In the sshd error.log they seem to be resolved to names, but that is done by sshd itself (UseDNS yes).
Maybe you can use a little script:
#!/bin/bash
# Rewrite the source IP in "Accepted" lines of sshd.log to its reverse-DNS name
cp sshd.log sshdn.log
# Collect each distinct source IP (the field before "port <n> ssh2")
awk '/Accepted/{a[$(NF-3)]++}END{for(i in a)print i}' sshdn.log |
while read -r IP ; do
    # Reverse lookup: first answer only, trailing dot removed
    IPn=$(dig +short -x "$IP" | head -n1 | sed 's/\.$//')
    [ -n "$IPn" ] || continue    # no PTR record: leave the IP in place
    sed "/Accepted/s/$IP/$IPn/" sshdn.log >sshdnn.log && mv sshdnn.log sshdn.log
done
more sshdn.log
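As an added example (not ygemici's script and not part of the original thread), here is a version of the same post-processing that does what the updated request earlier in the thread actually asks for: it keeps the IP address in the line and appends the reverse-DNS name next to it, handles "Failed ... invalid user" lines as well as "Accepted" ones, looks each address up only once, and passes through lines without an IP (including the PAM lines that sshd already resolves on its own with UseDNS). sshd always logs the raw IP in its Accepted/Failed lines regardless of UseDNS, which is why a post-processing step is needed at all. Run with no argument it resolves through dig -x; given a hosts-style file (/etc/hosts, or the constructed table below) it resolves offline from that file instead. The sample log lines, the names jumphost.site and priti-pc.example.my, and the file names are all constructed for this example.

```shell
#!/bin/sh
# Added example: annotate sshd log lines with the reverse-DNS name of the
# source address while KEEPING the address, e.g.
#   "... from 10.160.11.10 port 60394 ssh2"
#   "... from 10.160.11.10 (jumphost.site) port 60394 ssh2"
# Any line carrying "from <ipv4> port <n>" is handled (Accepted and Failed
# alike); everything else is printed unchanged.
# Usage:
#   annotate_sshd_log            < sshd.log   # reverse lookups via dig, one per IP
#   annotate_sshd_log /etc/hosts < sshd.log   # offline: names from a hosts-style file
annotate_sshd_log() {
    awk -v table="$1" '
    BEGIN {
        # Optional static table: "<ip> <name>" per line, as in /etc/hosts
        if (table != "") {
            while ((getline l < table) > 0) {
                if (split(l, f) >= 2 && f[1] !~ /^#/) ptr[f[1]] = f[2]
            }
        }
    }
    {
        if (match($0, / from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ port /)) {
            ip = substr($0, RSTART + 6, RLENGTH - 12)   # strip " from " and " port "
            if (!(ip in ptr)) {
                # Not seen yet: ask DNS once and cache the answer for the rest of
                # the file. Empty name = no PTR record (or dig not usable).
                name = ""
                if (table == "") {
                    cmd = "dig +short +time=2 +tries=1 -x " ip " 2>/dev/null"
                    cmd | getline name
                    close(cmd)
                    sub(/\.$/, "", name)            # dig prints a trailing dot
                    if (name ~ /^;/) name = ""      # ";; connection timed out" etc.
                }
                ptr[ip] = name
            }
            if (ptr[ip] != "")
                $0 = substr($0, 1, RSTART + 5 + length(ip)) " (" ptr[ip] ")" substr($0, RSTART + 6 + length(ip))
        }
        print
    }'
}

# Constructed sample log and PTR table (not taken from the thread) for an offline run
SAMPLE_LOG='Apr  6 10:55:40 testlinux sshd[29674]: Server listening on 0.0.0.0 port 22.
Apr  6 10:57:41 testlinux sshd[29696]: Accepted keyboard-interactive/pam for root from 191.255.128.119 port 63470 ssh2
Apr  5 11:18:08 testlinux sshd[21867]: error: PAM: Authentication failure for root from jumphost.site
Apr  5 11:18:08 testlinux sshd[21867]: Failed keyboard-interactive/pam for invalid user test from 10.160.11.10 port 60394 ssh2
Apr  6 11:02:03 testlinux sshd[30001]: Accepted keyboard-interactive/pam for root from 10.17.1.1 port 47898 ssh2'
SAMPLE_PTR='# ip            name   (constructed; same layout as /etc/hosts)
191.255.128.119 priti-pc.example.my
10.160.11.10    jumphost.site'

# Run the sample through the offline resolver; 10.17.1.1 has no entry and stays bare
demo() {
    t=$(mktemp)
    printf '%s\n' "$SAMPLE_PTR" > "$t"
    printf '%s\n' "$SAMPLE_LOG" | annotate_sshd_log "$t"
    rm -f "$t"
}

demo
```

Two caveats a practitioner would want here. A PTR record is set by whoever controls the address block, so the name that lands in the log is a string chosen by the remote side; never drop the IP in favour of it, and treat it as a label rather than an identity (forward-confirm it with a second A lookup before relying on it for anything). And keep this as an offline post-processing step, as the thread already suggests: resolving inline for every login adds latency to each connection, and a slow or dead resolver then stalls every line.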
Thank you ygemici, for taking the time to help me sort out this issue. I am so very grateful! BTW, UseDNS works fine with the wtmp logs; I can get both the IP and the hostname (I think this has to do with something the network guy changed at his end, but I can't say what we're doing is in any way secure).
Your script worked like a charm; here are my before and after results.
BEFORE
testlinux:/var/log/sshd # more sshd.log
Apr 6 10:55:40 src@testlinux.site sshd[29089]: Received signal 15; terminating.
Apr 6 10:55:40 src@testlinux.site sshd[29674]: Server listening on 0.0.0.0 port 22.
Apr 6 10:57:41 src@testlinux.site sshd[29696]: Accepted keyboard-interactive/pam for root from 191.255.1XX.XXX port 63470 ssh2
Apr 10 10:14:36 src@testlinux.site sshd[16795]: Accepted keyboard-interactive/pam for root from 191.255.1XX.XXX port 51735 ssh2
AFTER
testlinux:/var/log/sshd # ./test
Apr 6 10:55:40 src@testlinux.site sshd[29089]: Received signal 15; terminating.
Apr 6 10:55:40 src@testlinux.site sshd[29674]: Server listening on 0.0.0.0 port 22.
Apr 6 10:57:41 src@testlinux.site sshd[29696]: Accepted keyboard-interactive/pam for root from my-cXXXX.myhq.XXXX.com.my. port 63470 ssh2
Apr 10 10:14:36 src@testlinux.site sshd[16795]: Accepted keyboard-interactive/pam for root from my-cXXXX.myhq.XXXX.com.my. port 51735 ssh2