On Sat 11 Sep 2021 at 16:02:30 (-0400), Greg Wooledge wrote:
> On Sat, Sep 11, 2021 at 02:44:13PM -0500, David Wright wrote:
> > As I understood the OP's first reply (to yourself), there are
> > remote logs available, not logged locally but sent by email:
> >
> > "/usr/sbin/logwatch --detail low --mailto x...@domain.com"
>
> I don't know anything about logwatch. But if your premise is correct,
> and logs are being collected onto a central machine and then processed
> and ending up in the central machine's /var/log/syslog file, that
> would be equivalent to having syslog() and syslogd set up for remote
> logging -- just with extra steps and delays.

Yes, I don't know whether that's possible or not.

> This would certainly explain how sshd startup complaints from machine X
> are ending up in the /var/log/syslog file on machine Y.
>
> You'd think the OP would know about this, if they did in fact set up
> such a thing.

If that's what's happening, I'd agree. But after a gap of a month, a /var/log/syslog extract from who knows where, and the introduction of containers into the mix, I haven't really bothered to follow how their machine(s) is/are configured. The info is too piecemeal. Are X and Y parts of the same machine?

I was under the impression that some information about a client's configuration might be read by the server (a lot with DEBUG3), and logged. It is, but those configuration options are not amongst it.

Cheers,
David.