On Fri, Sep 10, 2021 at 06:10:59PM +0100, Adam Weremczuk wrote:
> On 10/09/2021 17:46, Greg Wooledge wrote:
>
> > Depends on which syslog daemon implementation you're using, I think.
>
> My environment: Linux deb10 5.4.44-1-pve #1 SMP PVE 5.4.44-1 (Fri, 12 Jun
> 2020 08:18:46 +0200) x86_64 GNU/Linux
>
> Pretty minimalistic set up.
>
> Rsyslog 8.1901.0-1 out of the box, no customisation at all.

It's not a buster kernel, but that's OK.  That is buster's version of
rsyslog, so that checks out.

The top page of /etc/rsyslog.conf has (by default) commented-out lines like:

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

If these are still commented out on your system, then this mystery just
got a lot more mysterious.

Um... Is your /var/log directory being shared with any other hosts, in
any way?  NFS, Samba, sshfs, who knows what else.  I'm wondering *WHICH HOST*
is writing these syslog entries to your file.

Hmm... A piece of your original email says:

Aug 28 10:12:30 deb10 sshd[145]: /etc/ssh/sshd_config line 25: Deprecated option UsePrivilegeSeparation

So, it *claims* that it's being written by the host "deb10".  (You're not
reusing this hostname on any other instances, are you?)

I wonder if it's tcpdump time yet.  Try to capture the syslog traffic from
the network, and see where it's coming from?
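
Added example, not part of the original message: a shell sketch of the two checks discussed above, listing rsyslog config lines that actually enable UDP/TCP reception (uncommented only) and counting which hostnames the log entries claim to come from. The function names are hypothetical, the sample config and log lines are constructed, and the log is assumed to use the traditional "Mon DD HH:MM:SS host tag: msg" format.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks for "who writes to my syslog?":
#   1. which rsyslog config lines enable network reception (uncommented only)
#   2. which hostnames the log entries claim to come from

# Print file:line:text for each active imudp/imtcp line, in RainerScript
# (module()/input()) or legacy ($ModLoad, $UDPServerRun, $InputTCPServerRun) syntax.
rsyslog_net_inputs() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -HnE '^[[:space:]]*((module|input)\(.*"(imudp|imtcp)"|\$(ModLoad[[:space:]]+(imudp|imtcp)|UDPServerRun|InputTCPServerRun))' "$f" || :
    done
}

# Count entries per hostname (4th whitespace-separated field), most
# frequent first. Output: "hostname count", one per line.
log_hostnames() {
    awk 'NF >= 5 { print $4 }' "$1" | sort | uniq -c | sort -rn |
        awk '{ print $2 " " $1 }'
}

# Constructed sample data so the script runs offline.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/rsyslog.conf" <<'EOF'
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
EOF
cat > "$demo_dir/auth.log" <<'EOF'
Aug 28 10:12:30 deb10 sshd[145]: /etc/ssh/sshd_config line 25: Deprecated option UsePrivilegeSeparation
Aug 28 10:12:31 deb10 sshd[145]: constructed sample line
Aug 28 10:12:40 otherhost sshd[200]: constructed sample line
EOF

echo "Active network inputs:"
rsyslog_net_inputs "$demo_dir/rsyslog.conf"
echo "Hostnames claimed in log:"
log_hostnames "$demo_dir/auth.log"
```

On a live Debian system the same functions would be pointed at /etc/rsyslog.conf, any files under /etc/rsyslog.d/, and the log file in question; no output from the first check means no network listener is configured there.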