Package: dsyslog
Version: 0.6.0+b1
Severity: normal


        condition pattern { facility "auth*"; };

I think that the above directive is supposed to send auth and authpriv
to /var/log/auth.log

The experience on my system was that using pattern { facility "auth*"; }
did not log ssh failures to /var/log/auth.log

The attached diff gives the final solution I came to in detail but I might
elaborate here also.

Changing the condition pattern to be instead:
        condition literal { facility auth; };
would have some but not all ssh failure logging going to /var/log/auth.log

To ensure authpriv goes to /var/log/auth.log as well I then added
output file {   path "/var/log/auth.log"; condition literal { facility authpriv; }; };

And that almost did the job but some messages were still not making it
into /var/log/auth.log so I added a final line:
output file {   path "/var/log/auth.log"; condition literal { program sshd; }; };

The end result was that output file /var/log/auth.log is defined 3 times
(repeated definition of output file is okay I think)
in order to achieve the original intention of default dsyslog.conf
in condition pattern { facility "auth*"; };

I have two Desktops and two servers running squeeze and will
be happy to retest things if further examples are beneficial.

I like dsyslog and am very grateful to the package maintainer for
making it available in Debian.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-194.3.1.el5xen (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dsyslog depends on:
ii  libc6                         2.11.2-2   Embedded GNU C Library: Shared lib
ii  libglib2.0-0                  2.24.1-1   The GLib library of C routines
ii  libgnutls26                   2.8.6-1    the GNU TLS library - runtime libr

Versions of packages dsyslog recommends:
ii  logrotate                     3.7.8-6    Log rotation utility

Versions of packages dsyslog suggests:
pn  dsyslog-module-gnutls         <none>     (no description available)
pn  dsyslog-module-mysql          <none>     (no description available)
pn  dsyslog-module-postgresql     <none>     (no description available)

-- Configuration Files:
/etc/dsyslog.conf changed:
/*
 * dsyslog example config for Debian.
 *
 * Comments are either C-style (like this block), C++ style (//) or
 * shell style (#).
 *
 * This file serves to be a drop-in replacement for most sites using
 * sysklogd. For the uninitiated, dsyslog creates a series of streams
 * which go from sources and get routed to many sinks. In between, there
 * are filters, which act on all messages, and conditionals, which control
 * whether or not an output accepts that message. This can be compared to
 * for example syslog-ng's architecture.
 *
 * So, it's a little different than traditional sysklogd.
 */
/*
 * loadmodule controls what modules are loaded into dsyslog.
 */
loadmodule "source_localsock.so";
loadmodule "source_mark.so";
loadmodule "source_klogfile.so";
loadmodule "source_udp.so";
loadmodule "filter_dropprog.so";
loadmodule "filter_droppriority.so";
loadmodule "filter_regexp.so";
loadmodule "output_file.so";
loadmodule "output_udp.so";
loadmodule "cond_literal.so";
loadmodule "cond_pattern.so";
/*
 * sources define where dsyslog gets it's data:
 * this one adds the syslogd socket.
 */
source localsock { path "/dev/log"; };
/*
 * this one adds the kernel log buffer, /proc/kmsg.
 */
source klogfile { path "/proc/kmsg"; };
/*
 * this one adds a source that generates "-- MARK --" which
 * runs on a timer. it is for those who found that feature useful
 * in syslogd.
 */
source mark;
/*
 * this one adds a udp listener. as such it's commented out.
 */
/*
 * you can use the dropprog filter to drop syslog messages
 * from programs you don't care about entirely. for example,
 * to drop logs from NetworkManager, uncomment the line below.
 */
/*
 * you can also use the droppriority filter to drop syslog messages by
 * BSD syslog facility and severity. At present, you must specify both.
 */
/*
 * you can also filter by regexp; thanks to micah for the regexp.
 * if enabled, this will replace all IPv4 IPs in your logs with 0.0.0.0.
 *
 * in some countries, it is recommended to do this, and infact is generally
 * considered a best practice. in several countries (USA, UK, etc), ip addresses
 * are seen as personal data and are covered under privacy protection laws.
 * by filtering them, you may not be subject to those laws.
 */
output file {
        path "/var/log/auth.log";
        condition literal { facility auth; };
};
output file {   path "/var/log/auth.log"; condition literal { facility authpriv; }; };
output file {   path "/var/log/auth.log"; condition literal { program sshd; }; };
output file {
        path "/var/log/syslog";
        condition pattern { facility "!auth*"; };
};
output file {   
        path "/var/log/cron.log";
        condition literal { facility cron; };
};
output file {
        path "/var/log/daemon.log";
        condition literal { facility daemon; };
};
output file {
        path "/var/log/kern.log";
        condition literal { facility kernel; };
};
output file {
        path "/var/log/lpr.log";
        condition literal { facility lpr; };
};
output file {
        path "/var/log/mail.log";
        condition literal { facility mail; };
};
output file {
        path "/var/log/user.log";
        condition literal { facility user; };
};
output file { 
        path "/var/log/messages";
        condition literal { facility !kernel; };
};
/*
 * MySQL example. You need dsyslog-module-mysql installed for this.
 */
/*
 * PostgreSQL example. You need dsyslog-module-postgresql installed for this.
 */


-- no debconf information
85,86c85
< #	condition pattern { facility "auth*"; };
< 	condition literal { facility auth; };
---
> 	condition pattern { facility "auth*"; };
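Review bot: the direction of this diff is reversed. The edited lines are on the `<` side and the shipped `condition pattern { facility "auth*"; };` is on the `>` side, so applying it as-is would restore the pattern line that the report says does not work. Regenerate it as original-then-modified (preferably with `diff -u`) so it can be applied directly. The commented-out `#	condition pattern ...` line can also be dropped from the proposed change, since the `literal` condition replaces it.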
88,89d86
< output file {	path "/var/log/auth.log"; condition literal { facility authpriv; }; };
< output file {	path "/var/log/auth.log"; condition literal { program sshd; }; };
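Review bot: the `condition literal { program sshd; }` output on the second `<` line matches by program name rather than by facility, so it only covers sshd. Any other program whose authentication messages miss the two facility conditions would still not reach /var/log/auth.log. sshd messages that also match `facility auth` or `facility authpriv` now match more than one output for the same path, so it is worth confirming that this does not write duplicate lines. Recording which facility the missed sshd messages actually carried would let the underlying matching problem be fixed rather than worked around.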

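A way to retest the routing described in this report, as an added example that is not part of the original report or of dsyslog: it sends one uniquely tagged probe to each of `auth` and `authpriv` with logger(1) and checks whether it arrives in /var/log/auth.log. The function names, the `routecheck` tag and the `AUTH_LOG` and `WAIT_SECS` variables are assumptions of the example.

```shell
#!/bin/sh
# Added example: check that auth and authpriv messages reach the auth log.
# AUTH_LOG and WAIT_SECS are assumptions of this example; override as needed.
# Reading /var/log/auth.log normally needs root or membership of group adm.
AUTH_LOG="${AUTH_LOG:-/var/log/auth.log}"

# send_probe FACILITY MARKER: emit one message at FACILITY.info via logger(1).
send_probe() {
    logger -p "$1.info" -t routecheck "$2"
}

# check_facility FACILITY: return 0 if a uniquely tagged probe sent to
# FACILITY appears in $AUTH_LOG within WAIT_SECS seconds, 1 if it does not,
# 2 if the probe could not be sent at all.
check_facility() {
    marker="routecheck-$1-$$-$(date +%s)"
    send_probe "$1" "$marker" || return 2
    i=0
    while [ "$i" -lt "${WAIT_SECS:-3}" ]; do
        grep -qF "$marker" "$AUTH_LOG" 2>/dev/null && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# check_auth_routing: probe both facilities the default "auth*" condition is
# meant to cover; print one line each and return how many went missing.
check_auth_routing() {
    missing=0
    for fac in auth authpriv; do
        if check_facility "$fac"; then
            echo "ok      $fac -> $AUTH_LOG"
        else
            echo "MISSING $fac -> $AUTH_LOG"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Run the check only when invoked as: sh routecheck.sh run
if [ "${1:-}" = run ]; then
    check_auth_routing
fi
```

A non-zero exit status after a configuration change means at least one of the two facilities is still not being written to the auth log.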