2016-08-19 09:45 AM
Hi Guys,
I have integrated RHLinux servers 6.3. I have added an entry *.* @collector to the syslog.conf file. With this configuration, all logs should be received at the collector end, but this is not the case.
Logs from the sshd client are not arriving at the collector. I have checked with the server owner whether there are any rules which may block sshd logs, but there are no such rules present.
What are the possible reasons behind this issue? Please help me with this.
2016-08-19 10:08 AM
Hi Atul,
If I understand correctly, you are saying that logs from these Red Hat servers are, in general, being forwarded successfully to the Log Collector/Log Decoder, but not, specifically, sshd logs.
If this is the case, I would first check if syslog.conf contains an entry for /var/log/secure. It could also be that the line is commented out, for example.
Regards,
G.
2016-08-19 11:20 AM
Hi Giuseppe,
I have checked the syslog.conf file. As you can see, it is not commented out. But it's saying that authpriv has restricted access.
# The authpriv file has restricted access.
authpriv.* /var/log/secure
Also, I am checking the sshd.conf file. In this file, LogLevel INFO is commented out. Can it be the reason?
#LogLevel INFO
2016-08-19 11:52 AM
Hi Atul,
I am using CentOS in my test. The syslog.conf is pretty standard and yet I got sshd logs through syslog.
Let's step back a moment: are all the other logs from these RH servers showing up correctly?
2016-08-19 11:57 AM
Hi Giuseppe,
Yes, all other logs are showing up correctly.
2016-08-23 10:03 AM
Yes, you need to uncomment the LogLevel INFO line, then restart SSHD via 'service sshd restart'.
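
An added example, not part of any post in this thread: a shell check that combines the two things the replies look at, namely which facility and level sshd logs with, and whether any syslog.conf rule forwards that facility to a remote host. The function names and sample files are constructed for illustration; Match blocks in sshd_config and rsyslog-only syntax are not handled.

```shell
#!/bin/sh
# Effective value of an sshd_config keyword: the first uncommented match wins;
# if the keyword is absent or commented out, sshd's built-in default ($3) applies.
sshd_effective() {  # $1=sshd_config  $2=keyword  $3=built-in default
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }          # stop at conditional blocks
        tolower($1) == tolower(k) { print toupper($2); found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Print each remote (@host) action whose selector covers facility $2 at "info".
# Later selectors on a line override earlier ones (e.g. "*.info;authpriv.none").
forwarded_to() {  # $1=syslog.conf  $2=facility (lowercase)
    awk -v fac="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $NF !~ /^@/ { next }                     # only rules with a remote target
        {
            covered = 0
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++) {
                split(sel[i], fp, "[.]")         # fp[1]=facilities, fp[2]=priority
                if (("," fp[1] ",") !~ ("," fac ",") && fp[1] != "*") continue
                covered = (fp[2] ~ /^(\*|debug|info)$/)
            }
            if (covered) print $NF
        }' "$1"
}

check_host() {  # $1=sshd_config  $2=syslog.conf
    fac=$(sshd_effective "$1" SyslogFacility AUTH | tr 'A-Z' 'a-z')
    lvl=$(sshd_effective "$1" LogLevel INFO)
    set -- $(forwarded_to "$2" "$fac")
    dst="$*"
    echo "sshd logs to $fac at $lvl; forwarded to: ${dst:-none}"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' 'SyslogFacility AUTHPRIV' '#LogLevel INFO' > "$demo/sshd_config"
printf '%s\n' '# The authpriv file has restricted access.' \
    'authpriv.*    /var/log/secure' '*.*    @collector' > "$demo/syslog.conf"
printf '%s\n' '*.info;authpriv.none    @collector' > "$demo/syslog_excl.conf"

check_host "$demo/sshd_config" "$demo/syslog.conf"
check_host "$demo/sshd_config" "$demo/syslog_excl.conf"
```

On a real server, pass the actual sshd_config and syslog.conf (or rsyslog.conf) paths to check_host; a result of "none" means no forwarding rule covers sshd's facility at info level.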