# setup syslog-ng for sshd

## nouse66

Can someone tell me how to set up syslog-ng to log sshd stuff to /var/log/sshd instead of /var/log/messages?

thanks!

----------

## tdemarest

OpenSSH defaults to logging to facility AUTH and level INFO. You can change this in /etc/ssh/sshd_config. Using OpenSSH's defaults, add/change the following in /etc/syslog-ng/syslog-ng.conf to log to the file /var/log/sshd:

```
destination authlog { file("/var/log/sshd"); };
filter f_auth { facility(auth); };
log { source(src); filter(f_auth); destination(authlog); };
```

You will need to locate the line in your syslog-ng.conf that currently has AUTH facility logging to /var/log/messages, and modify it.

Note that this will log anything that uses the AUTH facility, not just ssh. If you want to segregate just ssh to /var/log/sshd, you might want to change the facility to something like LOCAL6 in /etc/ssh/sshd_config, then restart sshd. Accordingly, you will need to edit the above code example (especially the `facility(auth);` section) and replace it with whatever facility you decide upon.

----------

## nouse66

Thanks, that worked great.

Here's what I did exactly, in case anyone else wants to duplicate it...

Changed sshd_config to include:

```
SyslogFacility LOCAL6
```

Added the following to syslog-ng.conf:

```
destination sshdlog { file("/var/log/sshd"); };
filter f_sshd { facility(local6); };
log { source(src); filter(f_sshd); destination(sshdlog); };
```

----------

## nouse66

btw...

I just used local6 because you suggested it. How can I find out which are being used on my system? There are no other facilities or filters listed in my syslog-ng.conf.

----------

## tdemarest

Glad to hear it worked.

Figuring out what is logging where isn't so easy. You have to look at each application's config file to determine where they log to, or if logging is enabled by default. You can also read the man page for the process in question. Another approach is to define logging for all of the facilities, and see what applications are logging to the files you define.

You could always run a tcpdump on port 514 (syslog) to see what remote systems, if any, are logging to your machine.
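As an added example (not part of this thread or of syslog-ng itself), the script below does the "see what is logging to which facility" check from the message side rather than from each application's config: every syslog message carries a `<PRI>` prefix where facility = PRI / 8 and severity = PRI mod 8 (RFC 3164/5424), so decoding that prefix over a set of captured lines (from a raw file("/dev/log")-style source, a network source, or a tcpdump of port 514) tells you which facilities and which programs are actually in use, and which LOCALn facilities are still free for something like the sshd setup above. The sample lines are constructed for the example; the hostnames, addresses and program names in them are placeholders.

```python
import re
from collections import defaultdict

# Facility and severity codes from RFC 5424 section 6.2.1 (identical to RFC 3164).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> followed by the classic BSD timestamp, hostname and program tag,
# e.g. "<38>Jan 12 10:01:02 host1 sshd[1234]: ..." (tag ends at "[", ":" or space).
PRI_RE = re.compile(r"^<(\d{1,3})>")
TAG_RE = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s([^\s\[:]+)"
)

# Constructed sample capture (hypothetical hosts, addresses and programs).
SAMPLE_LINES = [
    "<38>Jan 12 10:01:02 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
    "<181>Jan 12 10:01:05 host1 sshd[1235]: Failed password for invalid user bob from 198.51.100.7 port 40001 ssh2",
    "<78>Jan 12 10:05:00 host1 CRON[2000]: (root) CMD (run-parts /etc/cron.hourly)",
    "<30>Jan 12 10:05:01 host1 systemd[1]: Started Session 5 of user alice.",
    "<86>Jan 12 10:06:00 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
    "garbage line without a PRI prefix",
]


def decode_pri(line):
    """Return (facility_name, severity_name) for a line's <PRI> prefix, or None
    if the prefix is missing or out of range (max valid PRI is 23*8+7 = 191)."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def program_name(line):
    """Return the program tag of a BSD-format line, or None if it cannot be found."""
    m = TAG_RE.match(line)
    return m.group(1) if m else None


def facility_usage(lines):
    """Map each facility seen in the capture to the sorted set of programs using it."""
    usage = defaultdict(set)
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            continue  # skip lines that are not syslog messages
        usage[decoded[0]].add(program_name(line) or "<unknown>")
    return {fac: sorted(progs) for fac, progs in usage.items()}


def unused_local_facilities(lines):
    """LOCAL0..LOCAL7 facilities with no traffic in the capture: candidates for a
    dedicated sshd facility, as in the SyslogFacility LOCAL6 setup above."""
    seen = facility_usage(lines)
    return [FACILITIES[n] for n in range(16, 24) if FACILITIES[n] not in seen]


if __name__ == "__main__":
    for fac, progs in sorted(facility_usage(SAMPLE_LINES).items()):
        print(f"{fac:9} {', '.join(progs)}")
    print("free local facilities:", ", ".join(unused_local_facilities(SAMPLE_LINES)))
```

On the constructed sample this reports sshd on both auth (the OpenSSH default) and local6 (after the SyslogFacility change), CRON on cron, systemd on daemon and sudo on authpriv, and lists local0 to local5 and local7 as free. Run it over a real capture instead of SAMPLE_LINES to get the same picture for your own system; lines without a PRI prefix (for example syslog-ng's own file output, which strips it) are ignored, so feed it raw network or /dev/log traffic.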

----------

