Red Hat Bugzilla – Bug 8630
syslog doesn't log ssh after upgrade
Last modified: 2014-03-16 22:12:11 EDT
Equipment: P133 running RH6.0 with a custom 2.2.10 kernel.
I recently installed several of the security patches for 6.0,
including sysklogd-1.3.31-14. I followed the directions
carefully, but after restarting syslog, I found that it stopped
logging all ssh activity. The syslog continued to run (an
excerpt from /var/log/messages is provided below).
I found previous reports of this sort of behavior in Bugzilla,
but only for older 5.x versions of RH, and older versions of sysklogd.
Although it is almost always the wrong solution, I decided to see
if a reboot would cure the problem. It did.
It makes me suspect that there is a bug in one of the /etc/rc.d/init.d
scripts. For example, maybe another daemon (or maybe just sshd) needs
to be restarted when syslog gets restarted?
FYI: I am running ssh-1.2.27, compiled from source.
The contents of my default startups in /etc/rc.d/rc3.d:
Here's an extract from the log at the time of the upgrade
Jan 11 12:44:10 falstaff sshd: log: Generating new 768 bit RSA key.
Jan 11 12:44:12 falstaff sshd: log: RSA key generation complete.
Jan 11 12:47:10 falstaff kernel: Kernel logging (proc) stopped.
Jan 11 12:47:10 falstaff kernel: Kernel log daemon terminating.
Jan 11 12:47:11 falstaff syslog: klogd shutdown succeeded
Jan 11 12:47:12 falstaff exiting on signal 15
Jan 11 12:47:13 falstaff syslogd 1.3-3: restart.
Jan 11 12:47:13 falstaff syslog: syslogd startup succeeded
Jan 11 12:47:13 falstaff syslog: klogd startup succeeded
Jan 11 12:47:13 falstaff kernel: klogd 1.3-3, log source = /proc/kmsg
Jan 11 12:47:13 falstaff kernel: Inspecting /boot/System.map
Jan 11 12:47:14 falstaff kernel: Loaded 6563 symbols from /boot/System.map.
Jan 11 12:47:14 falstaff kernel: Symbols match kernel version 2.2.10.
Jan 11 12:47:14 falstaff kernel: Loaded 98 symbols from 6 modules.
Jan 11 12:51:43 falstaff lpd: lpd shutdown succeeded
Jan 11 12:51:44 falstaff lpd: lpd startup succeeded
Jan 12 11:06:08 falstaff PAM_pwdb: (su) session opened for user root
There was plenty of (unlogged) ssh on this box at this time. As I said,
a reboot cured the problem, but my experience suggests that there's
still a bug somewhere that needs to be squashed.
When you say that you compiled ssh from source, it is *not* a version
compiled against libc5, correct?
*** This bug has been marked as a duplicate of 7214 ***
Yes, ssh-1.2.27 is compiled against libc6.
I'm not so sure that this is really a duplicate of 7214.
My sendmail (which came from the RH6.0 rpm) continued logging.
When I repeated the experiment on an identically configured
AMD K6-3 box, I found that after upgrading sysklogd, I was
able to get sshd to resume logging simply by kicking it:
kill -s SIGHUP <pid of currently running sshd>