On Sat, Sep 11, 2021 at 02:44:13PM -0500, David Wright wrote: > As I understood the OP's first reply (to yourself), there are > remote logs available, not logged locally but sent by email: > > "/usr/sbin/logwatch --detail low --mailto x...@domain.com"
I don't know anything about logwatch. But if your premise is correct, and logs are being collected onto a central machine and then processed and ending up in the central machine's /var/log/syslog file, that would be equivalent to having syslog() and syslogd set up for remote logging -- just with extra steps and delays. This would certainly explain how sshd startup complaints from machine X are ending up in the /var/log/syslog file on machine Y. You'd think the OP would know about this, if they did in fact set up such a thing.
