since the rewrite of the of the syslog config in the cli, anything gets logged to /var/log/messages. The config in the cli dictates the verbosity, systemd forwards everything (level debug).
So, successful authentication as well as failed authentication ends up in messages too, along with anything else.
That is the issue in ⚓ T963 no authorization logs.
So, generally if a user wants to debug authentication he/she needs to increase the level from currently notice to debug anyway, so why not filtering it to a different file then as well?
Once not needed anymore the config can be reverted by the user.
That would mean the removal of the op command ‘show log auth’ since it expects the content in /var/log/auth.
The other option would be to log to auth again to get the op command working, which results in the issue that you have the data logged to messages and auth. That behavior was broken in 1.1 already and duplicated messages were created.
I’d like to gather your opinions on that to come to a decision how we should deal with it in the future.
(I gotta check the documentation to see if it needs an update making then clear what is expected vs. unexpected behavior).
In fact, we already have logs in multiple places. Systemd have own logs database. Maybe we can use for this task journalctl?
root@vyos:/home/vyos# journalctl SYSLOG_IDENTIFIER=login + _SYSTEMD_UNIT="ssh.service"
-- Logs begin at Mon 2018-10-29 08:44:47 EET, end at Wed 2018-11-07 00:10:24 EET. --
Oct 29 08:44:56 vyos sshd[2599]: Server listening on 0.0.0.0 port 22.
Oct 29 08:44:56 vyos sshd[2599]: Server listening on :: port 22.
Oct 29 08:45:04 vyos sshd[2816]: Accepted password for vyos from 192.168.20.211 port 51042 ssh2
Oct 29 08:45:04 vyos sshd[2816]: pam_unix(sshd:session): session opened for user vyos by (uid=0)
Nov 06 23:54:31 vyos sudo[3099]: vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/bin/bash
Nov 06 23:54:31 vyos sudo[3099]: pam_unix(sudo:session): session opened for user root by vyos(uid=0)
Nov 07 00:02:38 vyos login[2812]: pam_unix(login:session): session opened for user vyos by LOGIN(uid=0)
Nov 07 00:07:49 vyos login[2812]: pam_unix(login:session): session closed for user vyos
Nov 07 00:08:55 vyos sshd[3955]: Accepted password for vyos from 192.168.20.211 port 51200 ssh2
Nov 07 00:08:55 vyos sshd[3955]: pam_unix(sshd:session): session opened for user vyos by (uid=0)
Nov 07 00:10:21 vyos sshd[4105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.20.211 user=vyos
Nov 07 00:10:23 vyos sshd[4105]: Failed password for vyos from 192.168.20.211 port 51236 ssh2
Nov 07 00:10:24 vyos sshd[4105]: Connection closed by 192.168.20.211 [preauth]
Yeah, looks like it’s gonna be the way to go. I could also pull into rsyslog via imjournal, but it would mean the same content in different files. I’ll check it out. I think if systemd can forward syslog messages, it should be able to do it via udp/tcp too, which means that no syslogd would be required anymore.
Thanks for your hint, sometimes it’s hard to see the wood because of the trees
