Package: dsyslog
Version: 0.6.0+b1
Severity: normal

    condition pattern { facility "auth*"; };

I think that the above directive is supposed to send auth and authpriv to /var/log/auth.log

The experience on my system was that using pattern { facility "auth*"; } did not log ssh failures to /var/log/auth.log

The attached diff gives the final solution I came to in detail but I might elaborate here also.

Changing the condition pattern to be instead:

    condition literal { facility auth; };

would have some but not all ssh failure logging going to /var/log/auth.log

To ensure authpriv goes to /var/log/auth.log as well I then added

    output file { path "/var/log/auth.log"; condition literal { facility authpriv; }; };

And that almost did the job but some messages were still not making it into /var/log/auth.log so I added a final line:

    output file { path "/var/log/auth.log"; condition literal { program sshd; }; };

The end result was that output file /var/log/auth.log is defined 3 times (repeated definition of output file is okay I think) in order to achieve the original intention of default dsyslog.conf in

    condition pattern { facility "auth*"; };

I have two Desktops and two servers running squeeze and will be happy to retest things if further examples are beneficial.

I like dsyslog and am very grateful to the package maintainer for making it available in Debian.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-194.3.1.el5xen (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dsyslog depends on:
ii  libc6          2.11.2-2   Embedded GNU C Library: Shared lib
ii  libglib2.0-0   2.24.1-1   The GLib library of C routines
ii  libgnutls26    2.8.6-1    the GNU TLS library - runtime libr

Versions of packages dsyslog recommends:
ii  logrotate      3.7.8-6    Log rotation utility

Versions of packages dsyslog suggests:
pn  dsyslog-module-gnutls       <none>   (no description available)
pn  dsyslog-module-mysql        <none>   (no description available)
pn  dsyslog-module-postgresql   <none>   (no description available)

-- Configuration Files:
/etc/dsyslog.conf changed:
/*
 * dsyslog example config for Debian.
 *
 * Comments are either C-style (like this block), C++ style (//) or
 * shell style (#).
 *
 * This file serves to be a drop-in replacement for most sites using
 * sysklogd. For the uninitiated, dsyslog creates a series of streams
 * which go from sources and get routed to many sinks. In between, there
 * are filters, which act on all messages, and conditionals, which control
 * whether or not an output accepts that message. This can be compared to
 * for example syslog-ng's architecture.
 *
 * So, it's a little different than traditional sysklogd.
 */
/*
 * loadmodule controls what modules are loaded into dsyslog.
 */
loadmodule "source_localsock.so";
loadmodule "source_mark.so";
loadmodule "source_klogfile.so";
loadmodule "source_udp.so";
loadmodule "filter_dropprog.so";
loadmodule "filter_droppriority.so";
loadmodule "filter_regexp.so";
loadmodule "output_file.so";
loadmodule "output_udp.so";
loadmodule "cond_literal.so";
loadmodule "cond_pattern.so";
/*
 * sources define where dsyslog gets it's data:
 * this one adds the syslogd socket.
 */
source localsock { path "/dev/log"; };
/*
 * this one adds the kernel log buffer, /proc/kmsg.
 */
source klogfile { path "/proc/kmsg"; };
/*
 * this one adds a source that generates "-- MARK --" which
 * runs on a timer. it is for those who found that feature useful
 * in syslogd.
 */
source mark;
/*
 * this one adds a udp listener. as such it's commented out.
 */
/*
 * you can use the dropprog filter to drop syslog messages
 * from programs you don't care about entirely. for example,
 * to drop logs from NetworkManager, uncomment the line below.
 */
/*
 * you can also use the droppriority filter to drop syslog messages by
 * BSD syslog facility and severity. At present, you must specify both.
 */
/*
 * you can also filter by regexp; thanks to micah for the regexp.
 * if enabled, this will replace all IPv4 IPs in your logs with 0.0.0.0.
 *
 * in some countries, it is recommended to do this, and infact is generally
 * considered a best practice. in several countries (USA, UK, etc), ip addresses
 * are seen as personal data and are covered under privacy protection laws.
 * by filtering them, you may not be subject to those laws.
 */
output file { path "/var/log/auth.log"; condition literal { facility auth; }; };
output file { path "/var/log/auth.log"; condition literal { facility authpriv; }; };
output file { path "/var/log/auth.log"; condition literal { program sshd; }; };
output file { path "/var/log/syslog"; condition pattern { facility "!auth*"; }; };
output file { path "/var/log/cron.log"; condition literal { facility cron; }; };
output file { path "/var/log/daemon.log"; condition literal { facility daemon; }; };
output file { path "/var/log/kern.log"; condition literal { facility kernel; }; };
output file { path "/var/log/lpr.log"; condition literal { facility lpr; }; };
output file { path "/var/log/mail.log"; condition literal { facility mail; }; };
output file { path "/var/log/user.log"; condition literal { facility user; }; };
output file { path "/var/log/messages"; condition literal { facility !kernel; }; };
/*
 * MySQL example. You need dsyslog-module-mysql installed for this.
 */
/*
 * PostgreSQL example. You need dsyslog-module-postgresql installed for this.
 */

-- no debconf information

85,86c85 < # condition pattern { facility "auth*"; }; < condition literal { facility auth; }; --- > condition pattern { facility "auth*"; }; 88,89d86 < output file { path "/var/log/auth.log"; condition literal { facility authpriv; }; }; < output file { path "/var/log/auth.log"; condition literal { program sshd; }; };
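
Review bot: the diff is reversed. The lines marked `<` at 85,86 and 88,89 are the modified configuration and the `>` line is the shipped default, so applied as a patch it would put back `condition pattern { facility "auth*"; };` and delete the authpriv and sshd outputs. Regenerating it with the original file as the first argument, in unified format so that it carries context, would make it applicable. At 88,89, an sshd message with facility auth or authpriv satisfies two of the three conditions that write to /var/log/auth.log, so it is worth confirming that such a message is not written twice.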
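
An added example, not part of the original report and not dsyslog code: it decodes the PRI field of raw syslog frames to show which facility each sshd message carries, which is the check that tells you whether facility-only conditions on auth and authpriv can cover everything sshd logs. The frames are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Facility codes from the BSD syslog PRI field (RFC 3164); names follow dsyslog.conf.
FACILITY = {0: "kernel", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
            6: "lpr", 9: "cron", 10: "authpriv"}

# <PRI>Mon dd hh:mm:ss program[pid]: text  (local /dev/log style, no hostname)
FRAME = re.compile(
    r"^<(\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d ([^\s:\[]+)(?:\[\d+\])?: (.*)$")

# Constructed sample frames, not captured from a real system.
SAMPLE = [
    "<38>Jun  1 10:00:01 sshd[4321]: Failed password for invalid user test from 192.0.2.10",
    "<86>Jun  1 10:00:02 sshd[4321]: pam_unix(sshd:auth): authentication failure",
    "<30>Jun  1 10:00:03 sshd[4321]: constructed message sent with another facility",
    "<78>Jun  1 10:05:00 cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

def decode(frame):
    """Split a raw frame into facility, severity, program and text."""
    m = FRAME.match(frame)
    if m is None or int(m.group(1)) > 191:   # PRI is at most 23*8+7
        return None
    pri = int(m.group(1))                    # PRI = facility * 8 + severity
    return {"facility": FACILITY.get(pri >> 3, str(pri >> 3)),
            "severity": pri & 7, "program": m.group(2), "text": m.group(3)}

def facilities_by_program(frames):
    """Map each program name to the sorted facilities it was seen logging under."""
    seen = defaultdict(set)
    for msg in filter(None, map(decode, frames)):
        seen[msg["program"]].add(msg["facility"])
    return {prog: sorted(facs) for prog, facs in seen.items()}

def missed_by_facility_rules(frames, program, facilities):
    """Messages from `program` that facility-only rules would not select."""
    return [m for m in filter(None, map(decode, frames))
            if m["program"] == program and m["facility"] not in facilities]

if __name__ == "__main__":
    print(facilities_by_program(SAMPLE))
    for m in missed_by_facility_rules(SAMPLE, "sshd", {"auth", "authpriv"}):
        print("not covered:", m)
```
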