
A syslog-ng message correlation example

A syslog-ng message correlation example

Posted Mar 7, 2012 19:27 UTC (Wed) by larsks (guest, #61120)
Parent article: A syslog-ng message correlation example

The problem with this example is that most modern sshd installations will not have the same process id for the "Accepted" message and the "Received disconnect" message due to the use of privilege separation. For example:

Mar 7 14:19:29 login.example.com [authpriv:info] sshd[2671]: Accepted publickey for lars from 10.243.18.22 port 36265 ssh2
Mar 7 14:19:31 login.example.com [authpriv:info] sshd[2673]: Received disconnect from 10.243.18.22: 11: disconnected by user

So while these messages *should* be correlated, they don't provide enough data in order to do so. I think the problem here is primarily with OpenSSH. For example, if the disconnect message also included the port number, that could be used to match it with the corresponding Accepted... message.


A syslog-ng message correlation example

Posted Mar 7, 2012 21:28 UTC (Wed) by mp (subscriber, #5615)

But this example correlates the "Accepted" message with the "session closed" one, and they seem to come from the same process under privilege separation.

A syslog-ng message correlation example

Posted Aug 8, 2013 13:12 UTC (Thu) by faxm0dem (guest, #92265)

In my installation, the PID of the "Accepted password for" message is logged.
However, the PID of the "pam_unix(sshd:session)" message is not available.
So using scope=process doesn't work.
Using scope=program does, but will mix unrelated sessions.
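The three comments above turn on which key the correlation context uses, so here is an added Python example (not from the article or from any of the commenters) that groups sshd lines the way syslog-ng's scope=process and scope=program would and shows which messages end up together. The log lines are constructed: the "Accepted" and "Received disconnect" lines follow the ones larsks quoted, while the "session closed" line and the second session (bob, PID 2680) are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log: lines 1 and 3 mirror the ones quoted in the thread,
# the bob session and the pam_unix "session closed" line are made up.
SAMPLE_LOG = """\
Mar 7 14:19:29 login.example.com [authpriv:info] sshd[2671]: Accepted publickey for lars from 10.243.18.22 port 36265 ssh2
Mar 7 14:19:30 login.example.com [authpriv:info] sshd[2680]: Accepted password for bob from 10.243.18.99 port 40001 ssh2
Mar 7 14:19:31 login.example.com [authpriv:info] sshd[2673]: Received disconnect from 10.243.18.22: 11: disconnected by user
Mar 7 14:19:31 login.example.com [authpriv:info] sshd[2671]: pam_unix(sshd:session): session closed for user lars
"""

# Syslog header: timestamp, host, [facility:level], program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \[[^\]]*\] "
    r"(?P<program>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message patterns, roughly what a syslog-ng patterndb rule would extract.
EVENTS = {
    "accepted": re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
    "session_closed": re.compile(r"^pam_unix\(sshd:session\): session closed for user (?P<user>\S+)"),
    "disconnect": re.compile(r"^Received disconnect from (?P<ip>[^:]+):"),
}

def parse(line):
    """Return a dict with header fields plus 'event' and extracted values, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for name, rx in EVENTS.items():
        em = rx.match(rec["msg"])
        if em:
            rec["event"] = name
            rec.update(em.groupdict())
            return rec
    return None  # not one of the messages we correlate

def correlate(log, scope):
    """Group events by context key: scope='process' -> (host, program, pid),
    scope='program' -> (host, program), mirroring syslog-ng's context-scope."""
    contexts = defaultdict(list)
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["host"], rec["program"]) + ((rec["pid"],) if scope == "process" else ())
        contexts[key].append(rec["event"])
    return dict(contexts)
```

With scope=process the "Accepted" and "session closed" lines for lars share context 2671 while the "Received disconnect" line sits alone under 2673; with scope=program every event, including bob's login, lands in a single context.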


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds