Restore logging of SSH logins

Oct 14, '05 06:03:00AM

Contributed by: kd4ttc

Tiger only hint

With the release of 10.4, Apple has changed logging for ssh. I used to keep an eye on break-in attempts to my home computer (see this hint), which has SSH login enabled so I can log in from work.

After I installed Tiger, I didn't see any more attacks, which was quite odd. After some digging, I found that Apple is changing the logfile system, and plans for further changes in the future (see man syslogd for a bit more detail). The upshot of all this is that to get a service to log correctly, an entry is needed in the file /etc/syslog.conf, which is documented in the syslog.conf help file (man syslog.conf). The short of it is that you need to look at the file /etc/sshd_config, and find the logging section. There you should see this:

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
This shows you sshd's log settings, which you need for the next step. Edit the file /etc/syslog.conf with some text editor (and sudo) and change this line (the second line in the file):
*.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit
  /var/log/system.log
You need to add ;auth.info immediately after mail.crit (before the Tab that precedes the /var/log... bit). Save the file and either reboot (ugly) or restart the syslog daemon with this command:
sudo kill -HUP `cat /var/run/syslog.pid`
(Those are backticks, the key just under the esc key.) What you have done is add a directive to syslog.conf to inform syslogd that log requests from auth at level info and above should be logged in the system log file. Then you signaled syslogd to reload its configuration. Presto, login attempts are now back in the system log.

[robg adds: I wrapped the long code line above for a narrower display. In the original file, the /var/log bit appears after a Tab at the end of the line. Do not add a line break if you edit this file! I tested this, and it worked -- as soon as I made the change and restarted the daemon, the login attempts started showing up again.]
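The edit described in the hint can also be scripted so that it is repeatable and leaves a backup. The following is an added example, not part of the original hint; the function name add_auth_info is hypothetical, and it assumes the system.log rule is a single uncommented line containing mail.crit, as shown above.

```shell
#!/bin/sh
# Added example (not from the original hint); add_auth_info is a hypothetical name.
# Usage: add_auth_info /path/to/syslog.conf
# Returns 0 if the rule carries ;auth.info afterwards, 1 if no matching rule
# exists, 2 on I/O errors. The original is saved as <file>.bak before any change.
add_auth_info() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    tmp=$(mktemp "${TMPDIR:-/tmp}/syslogconf.XXXXXX") || return 2

    # Touch only the uncommented rule that writes to /var/log/system.log.
    # sub() rewrites the selector text in place, so the Tab before the
    # path is preserved and no line break is introduced.
    if ! awk '
        !/^#/ && /\/var\/log\/system\.log[ \t]*$/ && /mail\.crit/ {
            seen = 1
            if ($0 !~ /;auth\.info/)      # already present: leave the line alone
                sub(/mail\.crit/, "&;auth.info")
        }
        { print }
        END { exit seen ? 0 : 1 }
    ' "$conf" > "$tmp"; then
        rm -f "$tmp"
        echo "no system.log rule containing mail.crit in $conf" >&2
        return 1
    fi

    if cmp -s "$conf" "$tmp"; then        # nothing changed: already configured
        rm -f "$tmp"
        return 0
    fi

    cp -p "$conf" "$conf.bak" || { rm -f "$tmp"; return 2; }
    # Overwrite contents rather than replace the file, keeping owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

Run it with sudo against /etc/syslog.conf, then signal syslogd with the kill -HUP command from the hint so the new selector takes effect.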



Mac OS X Hints
http://hints.macworld.com/article.php?story=20051012162448301