Equipment: P133 running RH6.0 with a custom 2.2.10 kernel. I recently installed several of the security patches for 6.0, including sysklogd-1.3.31-14. I followed the directions carefully, but after restarting syslog, I found that it stopped logging all ssh activity. The syslog continued to run (an excerpt from /var/log/messages is provided below). I found previous reports of this sort of behavior in Bugzilla, but only for older 5.x versions of RH, and older versions of sysklogd. Although it is almost always the wrong solution, I decided to see if a reboot would cure the problem. It did. It makes me suspect that there is a bug in one of the /etc/rc.d/init.d scripts. For example, maybe another daemon (or maybe just sshd) needs to be restarted when syslog gets restarted? FYI: I am running ssh-1.2.27, compiled from source. The contents of my default startups in /etc/rc.d/rc3.d: K10xntpd K20rusersd K20rwhod K55routed K85netfs S10network S11portmap S20random S30syslog S40atd S40crond S50inet S60lpd S60nfs S60rstatd S75keytable S80sendmail S85gpm S85sound S90xfs S99local Here's an extract from the log at the time of the upgrade Jan 11 12:44:10 falstaff sshd[489]: log: Generating new 768 bit RSA key. Jan 11 12:44:12 falstaff sshd[489]: log: RSA key generation complete. Jan 11 12:47:10 falstaff kernel: Kernel logging (proc) stopped. Jan 11 12:47:10 falstaff kernel: Kernel log daemon terminating. Jan 11 12:47:11 falstaff syslog: klogd shutdown succeeded Jan 11 12:47:12 falstaff exiting on signal 15 Jan 11 12:47:13 falstaff syslogd 1.3-3: restart. Jan 11 12:47:13 falstaff syslog: syslogd startup succeeded Jan 11 12:47:13 falstaff syslog: klogd startup succeeded Jan 11 12:47:13 falstaff kernel: klogd 1.3-3, log source = /proc/kmsg started. Jan 11 12:47:13 falstaff kernel: Inspecting /boot/System.map Jan 11 12:47:14 falstaff kernel: Loaded 6563 symbols from /boot/System.map. Jan 11 12:47:14 falstaff kernel: Symbols match kernel version 2.2.10. Jan 11 12:47:14 falstaff kernel: Loaded 98 symbols from 6 modules. Jan 11 12:51:43 falstaff lpd: lpd shutdown succeeded Jan 11 12:51:44 falstaff lpd: lpd startup succeeded Jan 12 11:06:08 falstaff PAM_pwdb[4848]: (su) session opened for user root by jrs(uid=500) There was plenty of (unlogged) ssh on this box at this time. As I said, a reboot cured the problem, but my experience suggests that there's still a bug somewhere that needs to be squashed.
When you say that you compiled ssh from source, it is *not* a version compiled against libc5, correct?
*** This bug has been marked as a duplicate of 7214 ***
Yes, ssh-1.2.27 is compiled against libc6. I'm not so sure that this is really a duplicate of 7214. My sendmail (which came from the RH6.0 rpm) continued logging. When I repeated the experiment on an identically configured AMD K6-3 box, I found that after upgrading sysklogd, I was able to get sshd to resume logging simply by kicking it: kill -s SIGHUP <pid of currently running sshd>