search

PowerShell / Win32-OpenSSH

Win32 port of OpenSSH
7.44k stars 762 forks source link

OpenSSH EventLogs are Empty #1575

Closed NealWalters closed 4 years ago

NealWalters commented 4 years ago

"OpenSSH for Windows" version 7.9p1 for Windows

Server OperatingSystem ((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)

Client OperatingSystem Win 2012/R2

What is failing In EventViewer, I can see OpenSSH with three Logs (Admin, Opeational, and Debug), but they are all empty.

sshd_config is configured as follows:

Logging

SyslogFacility AUTH

SyslogFacility LOCAL0 LogLevel DEBUG3

File logging is working fine.

Can you clarify if logging can be different for file vs eventLog. Can both be on at the same time? Am I missing a config parm to cause the data to be written to the EventLog?

I did of course read this page: https://github.com/PowerShell/Win32-OpenSSH/wiki/Logging-Facilities

Expected output Should see some event in the OpenSSH EventLogs.

Actual output OpenSSH EventLogs are empty.

bagajjal commented 4 years ago

sshd_config is configured as follows:

Logging

SyslogFacility AUTH

SyslogFacility LOCAL0 LogLevel DEBUG3

This means you are writing the logs to a log file (%programdata%\ssh\logs\sshd.log)

bagajjal commented 4 years ago

If you comment the SyslogFacility and restart the sshd service (net stop sshd;net start sshd) then the logs will be written to Eventlogs.

More on this here

NealWalters commented 4 years ago

I referenced that link in my original question/issue. That page is very vague. I do see a little sentence at the top that says "In v7.6.1.0 and later, ETW logging is added and is the default."

So is the following a true statement? Logging is done to the Windows EventLog unless you include the "SyslogFacility' statement in the sshd_config file, in which case the logging will be done to disk.

Do you have any doc page that shows the legal values for SyslogFacility?

Are you config parameters more or less the same as Unix versions; so when your documentation is lacking, can I use the documentation of sites such as these? https://success.trendmicro.com/solution/TP000086250-What-are-Syslog-Facilities-and-Levels https://www.freebsd.org/cgi/man.cgi?sshd_config(5)

Thanks, Neal

bagajjal commented 4 years ago

So is the following a true statement? Logging is done to the Windows EventLog unless you include the "SyslogFacility' statement in the sshd_config file, in which case the logging will be done to disk.

Yes. It's true. By default logging is ETW. If you specify syslogFacility to Local0 it will be logged to a file.

Do you have any doc page that shows the legal values for SyslogFacility?

SyslogFacility makes more sense for *NIX (Unix/Linux) environment. For windows just use only local0.