Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 8630

Summary: syslog doesn't log ssh after upgrade
Product: [Retired] Red Hat Linux Reporter: jrs
Component: sysklogdAssignee: Bill Nottingham <notting>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.0CC: jrs, rvokal
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2000-02-01 19:37:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description jrs 2000-01-19 19:25:47 UTC 
Equipment: P133 running RH6.0 with a custom 2.2.10 kernel.

I recently installed several of the security patches for 6.0,
including  sysklogd-1.3.31-14. I followed the directions
carefully, but after restarting syslog, I found that it stopped
logging all ssh activity. The syslog continued to run (an
excerpt from /var/log/messages is provided below).

I found previous reports of this sort of behavior in Bugzilla,
but only for older 5.x versions of RH, and older versions of sysklogd.

Although it is almost always the wrong solution, I decided to see
if a reboot would cure the problem. It did.

It makes me suspect that there is a bug in one of the /etc/rc.d/init.d
scripts. For example, maybe another daemon (or maybe just sshd) needs
to be restarted when syslog gets restarted?

FYI: I am running ssh-1.2.27, compiled from source.
The contents of my default startups in /etc/rc.d/rc3.d:
K10xntpd
K20rusersd
K20rwhod
K55routed
K85netfs
S10network
S11portmap
S20random
S30syslog
S40atd
S40crond
S50inet
S60lpd
S60nfs
S60rstatd
S75keytable
S80sendmail
S85gpm
S85sound
S90xfs
S99local

Here's an extract from the log at the time of the upgrade

Jan 11 12:44:10 falstaff sshd[489]: log: Generating new 768 bit RSA key.
Jan 11 12:44:12 falstaff sshd[489]: log: RSA key generation complete.
Jan 11 12:47:10 falstaff kernel: Kernel logging (proc) stopped.
Jan 11 12:47:10 falstaff kernel: Kernel log daemon terminating.
Jan 11 12:47:11 falstaff syslog: klogd shutdown succeeded
Jan 11 12:47:12 falstaff exiting on signal 15
Jan 11 12:47:13 falstaff syslogd 1.3-3: restart.
Jan 11 12:47:13 falstaff syslog: syslogd startup succeeded
Jan 11 12:47:13 falstaff syslog: klogd startup succeeded
Jan 11 12:47:13 falstaff kernel: klogd 1.3-3, log source = /proc/kmsg
started.
Jan 11 12:47:13 falstaff kernel: Inspecting /boot/System.map
Jan 11 12:47:14 falstaff kernel: Loaded 6563 symbols from /boot/System.map.
Jan 11 12:47:14 falstaff kernel: Symbols match kernel version 2.2.10.
Jan 11 12:47:14 falstaff kernel: Loaded 98 symbols from 6 modules.
Jan 11 12:51:43 falstaff lpd: lpd shutdown succeeded
Jan 11 12:51:44 falstaff lpd: lpd startup succeeded
Jan 12 11:06:08 falstaff PAM_pwdb[4848]: (su) session opened for user root
by jrs(uid=500)

There was plenty of (unlogged) ssh on this box at this time. As I said,
a reboot cured the problem, but my experience suggests that there's
still a bug somewhere that needs to be squashed.
Comment 1 Bill Nottingham 2000-01-21 06:23:59 UTC 
When you say that you compiled ssh from source, it is *not* a version
compiled against libc5, correct?
Comment 2 Bill Nottingham 2000-02-01 19:37:59 UTC 
*** This bug has been marked as a duplicate of 7214 ***
Comment 3 jrs 2000-02-01 19:53:59 UTC 
Yes, ssh-1.2.27 is compiled against libc6.

I'm not so sure that this is really a duplicate of 7214.
My sendmail (which came from the RH6.0 rpm) continued logging.

When I repeated the experiment on an identically configured
AMD K6-3 box, I found that after upgrading sysklogd, I was
able to get sshd to resume logging simply by kicking it:

  kill -s SIGHUP <pid of currently running sshd>