The attached modification to log-server.c adds a "tag" to all the
syslog output. The tag is a composite of the internal verbose level
names used in sshd and the external syslogd names.

The form of the tag is as follows.

ssh_internal_name(syslog_priority)

This might be instructive for a learning sysadmin trying to set up
syslog for sshd logging.

(I have posted earlier about the mismatch of the symbolic names used
in sshd_config to control verbosity, and the symbolic priority names
used in syslog.conf. This confused me quite a lot during syslogd setup.
Documented at:
http://www.yk.rim.or.jp/~ishikawa/ssh-log-dir/ssh-log-patch.html)

In a nutshell, the confusion may stem from the usage of syslog-priority
names for both the verbosity control and trying to use it for syslog().
Anyway, the current state seems to be much better than the original ssh
where the control was very primitive.

I hope it can now become much easier for the sysadmin to configure and
set up syslogd properly.

It may not be easy to change the symbolic names used in sshd_config now
that openssh seems to be used by very many users. So I haven't touched
the code in this post to modify the names used for sshd_config.

RCS file: RCS/log-server.c,v
retrieving revision 1.1
diff -c -r1.1 log-server.c
*** log-server.c 2001/01/15 09:07:44 1.1
--- log-server.c 2001/01/25 05:56:57
***************
*** 122,127 ****
--- 122,140 ----
#define MSGBUFSIZ 1024
+ /* CI: verbose tag to show the difference between the internal
+ priority level and the syslog priority.
+
+ */
+ #if 0
+ #define TAGSTR(orig,pri) orig
+ #else
+ /* Verbose:
+ * ssh_internal_name(priority)
+ */
+ #define TAGSTR(orig,pri) orig "(" pri ")"
+ #endif
+
void
do_log(LogLevel level, const cAr *fmt, va_list args)
{
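Review bot: TAGSTR(orig,pri) in the #else branch builds the tag by adjacent string-literal concatenation (orig "(" pri ")"), so it only compiles when both arguments are string literals; the comment above it should say so, because passing a char * variable will fail to build. The #if 0 / #else switch also leaves the untagged form selectable only by editing the source; a named compile-time symbol would make the choice visible, and the empty line inside the CI comment can go.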
***************
*** 133,169 ****
if (level > log_level)
return;
switch (level) {
- case SYSLOG_LEVEL_ERROR:
- txt = "error";
- pri = LOG_ERR;
- break;
case SYSLOG_LEVEL_FATAL:
! txt = "fatal";
pri = LOG_ERR;
break;
case SYSLOG_LEVEL_INFO:
case SYSLOG_LEVEL_VERBOSE:
pri = LOG_INFO;
break;
case SYSLOG_LEVEL_DEBUG1:
! txt = "debug1";
pri = LOG_DEBUG;
break;
! case SYSLOG_LEVEL_DEBUG2:
! txt = "debug2";
pri = LOG_DEBUG;
break;
case SYSLOG_LEVEL_DEBUG3:
! txt = "debug3";
pri = LOG_DEBUG;
break;
default:
! txt = "internal error";
pri = LOG_ERR;
break;
}
if (txt != NULL) {
! snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt);
vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args);
} else {
vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
--- 146,187 ----
if (level > log_level)
return;
switch (level) {
case SYSLOG_LEVEL_FATAL:
! /* CI: ssh_internal_name(priority) */
! txt = TAGSTR("fatal", "CRIT"); /* CI */
! pri = LOG_CRIT;
! break;
! case SYSLOG_LEVEL_ERROR:
! txt = TAGSTR("error", "ERR"); /* CI */
pri = LOG_ERR;
break;
case SYSLOG_LEVEL_INFO:
+ txt = TAGSTR("info", "NOTICE"); /* CI */
+ pri = LOG_NOTICE;
+ break;
case SYSLOG_LEVEL_VERBOSE:
+ txt = TAGSTR("verbose", "INFO"); /* CI */
pri = LOG_INFO;
break;
case SYSLOG_LEVEL_DEBUG1:
! txt = TAGSTR("debug1", "DEBUG"); /* CI */
pri = LOG_DEBUG;
break;
! case SYSLOG_LEVEL_DEBUG2:
! txt = TAGSTR("debug2", "DEBUG"); /* CI */
pri = LOG_DEBUG;
break;
case SYSLOG_LEVEL_DEBUG3:
! txt = TAGSTR("debug3", "DEBUG"); /* CI */
pri = LOG_DEBUG;
break;
default:
! txt = TAGSTR("internal error", "ERR"); /* CI
*/
pri = LOG_ERR;
break;
}
if (txt != NULL) {
! snprintf(fmtbuf, sizeof(fmtbuf), "%.16s: %s", txt,
fmt);
vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args);
} else {
vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
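Review bot: the new switch changes the priority passed to syslog, not only the text: SYSLOG_LEVEL_FATAL goes from LOG_ERR to LOG_CRIT and SYSLOG_LEVEL_INFO from LOG_INFO to LOG_NOTICE, while the description speaks only of adding a tag. That alters which syslog.conf selectors match existing messages, so it should be called out in the description or split into its own change. Two smaller points in the same hunk: "%.16s" cuts TAGSTR("internal error", "ERR") (19 characters) to "internal error(E", so the precision needs to be at least 19 or dropped; and since every case, including SYSLOG_LEVEL_INFO and SYSLOG_LEVEL_VERBOSE, now assigns txt, the else branch that logs without a prefix looks unreachable.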
==================================================================
The above would generate the following sshd log lines.

Feb 11 23:06:23 A sshd[1225]: info(NOTICE): Generating new 768 bit RSA key.
Feb 11 23:06:23 A sshd[1225]: info(NOTICE): Generating new 768 bit RSA key.
Feb 11 23:06:26 A sshd[1225]: info(NOTICE): RSA key generation complete.
Feb 11 23:06:26 A sshd[1225]: info(NOTICE): RSA key generation complete.
Feb 11 23:13:21 A sshd[17947]: verbose(INFO): Connection from 192.168.1.10 port 43027
Feb 11 23:13:31 A sshd[17947]: info(NOTICE): Accepted password for gnu from 192.168.1.10 port 43027
Feb 11 23:13:31 A sshd[17947]: info(NOTICE): Accepted password for gnu from 192.168.1.10 port 43027
Feb 11 23:20:02 A sshd[17947]: verbose(INFO): Connection closed by remote host.
Feb 11 23:21:56 A sshd[18336]: verbose(INFO): Connection from 192.168.1.10 port 43045
Feb 11 23:21:59 A sshd[18336]: info(NOTICE): Accepted password for gnu from 192.168.1.10 port 43045
Feb 11 23:21:59 A sshd[18336]: info(NOTICE): Accepted password for gnu from 192.168.1.10 port 43045
Feb 11 23:32:45 A sshd[18336]: verbose(INFO): Connection closed by remote host.
Feb 11 23:35:45 A sshd[18571]: verbose(INFO): Connection from 192.168.1.10 port 43057
Feb 11 23:35:49 A sshd[18571]: info(NOTICE): Accepted password for gnu from 192.168.1.10 port 43057
Feb 11 23:35:49 A sshd[18571]: info(NOTICE): Accepted password for gnu from 192.168.1.10 port 43057
Feb 11 23:38:43 A sshd[18571]: verbose(INFO): Connection closed by remote host.
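
An added example, not part of the original post or of OpenSSH: a small Python parser for the ssh_internal_name(syslog_priority) tag that checks each tag against the mapping in the patch and shows which tagged lines a given priority threshold would keep. The sample lines are constructed from the excerpt above, and the threshold rule (keep the named priority and anything more severe) is assumed to follow traditional syslogd selector semantics.

```python
import re

# Mapping taken from the patch's TAGSTR() calls: sshd internal name -> syslog priority.
PATCH_MAP = {
    "fatal": "CRIT", "error": "ERR", "info": "NOTICE", "verbose": "INFO",
    "debug1": "DEBUG", "debug2": "DEBUG", "debug3": "DEBUG",
    "internal error": "ERR",
}
# Standard syslog priorities, most severe first (list index = numeric severity).
SEVERITY = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<name>[a-z0-9 ]+)\((?P<pri>[A-Z]+)\): (?P<msg>.*)$"
)

def parse_tagged(line):
    """Return a dict for a tagged sshd line, or None if the tag is missing,
    truncated, or does not match the patch's name -> priority mapping."""
    m = LINE_RE.match(line.strip())
    if not m or PATCH_MAP.get(m["name"]) != m["pri"]:
        return None
    return m.groupdict()

def captured(records, threshold):
    """Records kept by a selector with this priority threshold
    (assumed semantics: the named priority and anything more severe)."""
    limit = SEVERITY.index(threshold.upper())
    return [r for r in records if SEVERITY.index(r["pri"]) <= limit]

# Constructed sample modelled on the log lines in the post; the last line
# imitates a tag cut short by the "%.16s" precision in the patch.
SAMPLE = """\
Feb 11 23:13:21 A sshd[17947]: verbose(INFO): Connection from 192.168.1.10 port 43027
Feb 11 23:13:31 A sshd[17947]: info(NOTICE): Accepted password for gnu from 192.168.1.10 port 43027
Feb 11 23:20:02 A sshd[17947]: verbose(INFO): Connection closed by remote host.
Feb 11 23:20:05 A sshd[17950]: internal error(E: constructed truncated tag
"""

def demo():
    """Names of the sshd levels that survive a 'notice' and an 'info' threshold."""
    records = [r for r in map(parse_tagged, SAMPLE.splitlines()) if r]
    return {t: [r["name"] for r in captured(records, t)] for t in ("notice", "info")}

if __name__ == "__main__":
    print(demo())
```

With a notice threshold only the "Accepted password" line survives; the connection open and close lines need the info threshold, which is the sshd_config versus syslog.conf naming mismatch the post describes.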