Hildegard Meier
2021-Sep-21 09:49 UTC
Howto log multiple sftpd instances with their chroot shared via NFS
OpenSSH 5.9p1 + 7.6p1
syslog-ng 3.3.4 + 3.13.2

Hello,

having an Ubuntu server with sftpd running where /var/data/chroot/ is an NFS mount from a remote central NFS server, and each sftpd user's chroot home is /var/data/chroot/<username>/ and every user has a log device /var/data/chroot/<username>/dev/log which I read in successfully with syslog-ng:

    source s_chroot_<username> { unix-stream("/var/data/chroot/<username>/dev/log" optional(yes) ); };
    destination d_sftp_<username> { file("/var/log/sftp/<username>.log"); };
    log { source(s_chroot_<username>); destination(d_sftp_<username>); };

Now I have a second sftpd server in parallel, with the same user database and also mounts /var/data/chroot/ via NFS, and has the same syslog-ng config, so every user can login on the one server or on the other. This is for high availability. This works so far.

What is not working now is the sftpd logging: The sftp user's log is only available on one sftp server exclusively, and that is the one where syslog-ng was started last, because as I understand it takes the exclusive unix socket file lock for each user's /dev/log.

So, if a user logs in on the first server, where syslog-ng was started last, the user's sftp activity is logged on the first server. But if the user logs in on the second server, its sftp activity is not logged, neither on the second nor on the first server.

If the syslog-ng is then restarted on the second server, the sftp user's activity is exclusively logged only on the second server and only for logins on the second server.

How can I get the sftp user's activity be logged on each sftp server, when a user logs in to that server, while the user's home is shared on both servers via NFS?

Thanks

Crossposting (because unanswered)
https://unix.stackexchange.com/questions/666641/howto-log-multiple-sftpd-servers-activity-which-users-chrooted-home-is-on-shar
Damien Miller
2021-Sep-22 07:19 UTC
Howto log multiple sftpd instances with their chroot shared via NFS
On Tue, 21 Sep 2021, Hildegard Meier wrote:

> OpenSSH 5.9p1 + 7.6p1
> syslog-ng 3.3.4 + 3.13.2
>
> Hello, having an Ubuntu server with sftpd running where /var/data/chroot/ is an NFS mount from a remote central NFS server,
> and each sftpd user's chroot home is /var/data/chroot/<username>/
> and every user has a log device /var/data/chroot/<username>/dev/log which I read in successfully with syslog-ng:
>
> source s_chroot_<username> { unix-stream("/var/data/chroot/<username>/dev/log" optional(yes) ); };
> destination d_sftp_<username> { file("/var/log/sftp/<username>.log"); };
> log { source(s_chroot_<username>); destination(d_sftp_<username>); };
>
> Now I have a second sftpd server in parallel, with the same user database and also mounts /var/data/chroot/ via NFS, and has the same syslog-ng config,
> so every user can login on the one server or on the other. This is for high availability. This works so far.
>
> What is not working now is the sftpd logging: The sftp user's log is only available on one sftp server exclusively, and that is the one where syslog-ng was started last,
> because as I understand it takes the exclusive unix socket file lock for each user's /dev/log.
>
> So, if a user logs in on the first server, where syslog-ng was started last, the user's sftp activity is logged on the first server.
> But if the user logs in on the second server, its sftp activity is not logged, neither on the second nor on the first server.
>
> If the syslog-ng is then restarted on the second server, the sftp user's activity is exclusively logged only on the second server and only for logins on the second server.
>
> How can I get the sftp user's activity be logged on each sftp server, when a user logs in to that server, while the user's home is shared on both servers via NFS?

Right now there is no solution for this inside OpenSSH.

There have been some proposals for post-auth logging to be proxied via the privileged sshd monitor process but we haven't pursued them yet.

Maybe someone with more Linux/NFS wit could suggest an OS-side solution for you?

-d
Darren Tucker
2021-Sep-22 09:38 UTC
Howto log multiple sftpd instances with their chroot shared via NFS
On Tue, 21 Sept 2021 at 19:58, Hildegard Meier <daku8938 at gmx.de> wrote:
[...]
> Now I have a second sftpd server in parallel, with the same user database
> and also mounts /var/data/chroot/ via NFS
[...]
> How can I get the sftp user's activity be logged on each sftp server, when
> a user logs in to that server, while the user's home is shared on both
> servers via NFS?

Mount a tiny local ramfs or tmpfs over /var/data/chroot/dev?

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
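A concrete way to apply Darren's tmpfs suggestion, written here as an added example and not taken from the thread or from OpenSSH or syslog-ng: a local tmpfs is mounted over each user's dev directory inside the NFS-shared chroot, so the /dev/log socket that syslog-ng creates there lives on the host's own memory filesystem and each sftp host owns its own socket. The per-user dev directory (rather than a single /var/data/chroot/dev), the environment variables, the tmpfs size and the mount options are assumptions; the paths follow the original question.

```shell
#!/bin/sh
# Added example (not from the thread): put each chrooted sftp user's dev/
# directory on a host-local tmpfs so syslog-ng's /dev/log socket is never
# created on the shared NFS export. CHROOT_BASE, TMPFS_SIZE and the mount
# options are assumptions; the chroot layout is the one from the question.
set -eu

CHROOT_BASE="${CHROOT_BASE:-/var/data/chroot}"
TMPFS_SIZE="${TMPFS_SIZE:-64k}"
# The directory only ever holds a socket, so it gets no exec, suid or device nodes.
TMPFS_OPTS="size=${TMPFS_SIZE},mode=0755,nosuid,nodev,noexec"

# fstab_line USER -> the /etc/fstab entry that makes the mount survive a reboot
# (it must be mounted before syslog-ng starts, or syslog-ng will bind the
# socket on NFS again).
fstab_line() {
    printf 'tmpfs %s/%s/dev tmpfs %s 0 0\n' "$CHROOT_BASE" "$1" "$TMPFS_OPTS"
}

# is_tmpfs DIR -> success if DIR is currently on a tmpfs (GNU stat -f), else failure.
is_tmpfs() {
    [ "$(stat -f -c %T "$1" 2>/dev/null)" = "tmpfs" ]
}

# mount_user_dev USER -> create the mount point inside the chroot and mount
# the tmpfs over it if that has not already happened. Needs root.
mount_user_dev() {
    dev="$CHROOT_BASE/$1/dev"
    mkdir -p "$dev"
    if is_tmpfs "$dev"; then
        echo "already mounted: $dev"
    else
        mount -t tmpfs -o "$TMPFS_OPTS" tmpfs "$dev"
        echo "mounted: $dev"
    fi
}

# Usage (as root, on every sftp host, before starting syslog-ng):
#   sh chroot-dev-tmpfs.sh alice bob >> /etc/fstab.sftp-chroot
# Each user gets the tmpfs mounted now and the fstab line printed for persistence.
if [ "$#" -gt 0 ]; then
    for u in "$@"; do
        mount_user_dev "$u" >&2
        fstab_line "$u"
    done
fi
```

After the mount, the unix-stream() source from the original syslog-ng configuration needs no change: syslog-ng still creates /var/data/chroot/<username>/dev/log, but the path now resolves to local tmpfs on each host, and the chrooted sftp-server's syslog(3) call still finds it at /dev/log inside the chroot. The mount hides whatever the NFS dev directory contained, so anything else the chroot needs under dev/ has to be recreated on the tmpfs.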
Douglas E Engert
2021-Sep-24 14:08 UTC
Howto log multiple sftpd instances with their chroot shared via NFS
On 9/21/2021 4:49 AM, Hildegard Meier wrote:
>
> How can I get the sftp user's activity be logged on each sftp server, when a user logs in to that server, while the user's home is shared on both servers via NFS?

based on:
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.18/administration-guide/88

This might work for a few sftp servers.

On first server, hostname1, use /dev/<hostname1>/log for all its default logging and its normal syslog-ng.conf and for the special syslog-ng.conf:

    source s_chroot_<username> { unix-stream("/var/data/chroot/<username>/dev/hostname1/log" optional(yes) ); };

(May need to add a symlink on each host /dev/log->/dev/<hostname1>/log)

Do the above for second server, hostname2, use /dev/<hostname2>/log

Then add these to the chroot directories in NFS:

    /var/data/chroot/<username>/dev/<hostname1>/log
    /var/data/chroot/<username>/dev/<hostname2>/log

This should cause hostname1 to lock on /var/data/chroot/<username>/dev/<hostname1>/log and hostname2 to lock on /var/data/chroot/<username>/dev/<hostname2>/log because the syslog-ng does not really look at the syslog-ng.conf in the chroot.

>
> Thanks
>
> Crossposting (because unanswered)
> https://unix.stackexchange.com/questions/666641/howto-log-multiple-sftpd-servers-activity-which-users-chrooted-home-is-on-shar
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
Douglas E. Engert <DEEngert at gmail.com>
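Douglas's scheme means every sftp host runs a syslog-ng configuration with one source/destination/log stanza per user, each pointing at that host's own socket path inside the user's chroot. With more than a handful of users that configuration is worth generating rather than editing by hand; the script below is an added example, not code from the thread or from syslog-ng, that emits those stanzas for the local host and creates the per-host socket directories. The user list on the command line, the HOST/CHROOT_BASE/LOG_DIR variables and the conf.d output path are assumptions; the stanza shape is the one from the original question with Douglas's per-host path substituted.

```shell
#!/bin/sh
# Added example (not from the thread): generate per-user syslog-ng stanzas
# that use /dev/<hostname>/log inside each chroot, so every sftp host binds a
# socket path of its own on the shared NFS chroot. HOST, CHROOT_BASE and
# LOG_DIR are assumptions; the stanza layout follows the original question.
set -eu

CHROOT_BASE="${CHROOT_BASE:-/var/data/chroot}"
LOG_DIR="${LOG_DIR:-/var/log/sftp}"
# Short host name of the machine this configuration is generated on.
HOST="${HOST:-$(uname -n)}"

# stanza USER HOST -> the three syslog-ng statements for one user on one host.
stanza() {
    user=$1
    host=$2
    cat <<EOF
source s_chroot_${user} { unix-stream("${CHROOT_BASE}/${user}/dev/${host}/log" optional(yes)); };
destination d_sftp_${user} { file("${LOG_DIR}/${user}.log"); };
log { source(s_chroot_${user}); destination(d_sftp_${user}); };
EOF
}

# socket_dir USER HOST -> directory in which syslog-ng will create this host's socket.
socket_dir() {
    printf '%s/%s/dev/%s\n' "$CHROOT_BASE" "$1" "$2"
}

# prepare USER HOST -> create that directory inside the chroot. It is created
# root-owned and not user-writable so the sftp user cannot replace the socket.
prepare() {
    d=$(socket_dir "$1" "$2")
    mkdir -p "$d"
    chmod 0755 "$d"
}

# generate_conf USER... -> full configuration fragment for every user on this host.
generate_conf() {
    for u in "$@"; do
        stanza "$u" "$HOST"
    done
}

# Usage (as root, on each sftp host, then reload syslog-ng):
#   sh gen-sftp-syslog.sh alice bob > /etc/syslog-ng/conf.d/sftp-chroot.conf
if [ "$#" -gt 0 ]; then
    for u in "$@"; do
        prepare "$u" "$HOST"
    done
    generate_conf "$@"
fi
```

One check worth making before relying on this: the chrooted sftp-server logs through syslog(3), which connects to /dev/log relative to the chroot, so on each host the host-specific socket must also be reachable under that fixed name from inside the chroot; the symlink Douglas mentions only covers the host's own /dev.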