
On a GCP Compute Engine instance, OS is Ubuntu 18.04, Stackdriver logging agent is installed.

Any idea why Stackdriver doesn't ingest auth.log by default? What would be the best way to do it?

Rhangaun

2 Answers


Ended up simply adding an additional entry in /etc/google-fluentd/config.d/syslog.conf

<source>
  @type tail

  # Parse the timestamp, but still collect the entire line as 'message'
  format /^(?<message>(?<time>[^ ]*\s*[^ ]* [^ ]*) .*)$/

  path /var/log/auth.log
  pos_file /var/lib/google-fluentd/pos/auth.log.pos
  read_from_head true
  tag auth
</source>
Rhangaun

  • This answer is correct. Additionally, pay attention to the amount of data that the SSH server logs. Every hacker trying to log into your server via SSH will be logged. This can create a large amount of data written to Stackdriver. – John Hanley Oct 03 '19 at 19:31
  • @JohnHanley I'm not on 22 and I have fail2ban running ;) – Rhangaun Oct 04 '19 at 12:37
  • I am not correcting your answer; I am adding information to your answer for future readers. They may not realize how much traffic can be generated over port 22. – John Hanley Oct 04 '19 at 12:40
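To see what this tail entry actually emits, here is an added Ruby example (not part of the original answer or of google-fluentd) that applies the same `format` regex from the config above to a few constructed auth.log lines, rebuilds the `time`/`message` record the way in_tail would, and then counts failed SSH logins per source address, the kind of volume John Hanley's comment warns about. Assumptions: the caller supplies the year (syslog timestamps carry none), time parsing is emulated with Ruby's Time.parse, and the sample lines, hostname, users and addresses are made up.

```ruby
require 'time'

# The 'format' regex from the google-fluentd syslog.conf entry, verbatim.
# Fluentd regexes are Ruby regexes, so the named groups work unchanged.
AUTH_LOG_FORMAT = /^(?<message>(?<time>[^ ]*\s*[^ ]* [^ ]*) .*)$/

# Constructed sample auth.log lines (hostname, users and addresses are made up).
SAMPLE_AUTH_LOG = <<~LOG
  Oct  3 19:31:01 vm-example sshd[1234]: Accepted publickey for alice from 203.0.113.10 port 51234 ssh2: RSA SHA256:REDACTED
  Oct  3 19:31:01 vm-example sshd[1234]: pam_unix(sshd:session): session opened for user alice by (uid=0)
  Oct  3 19:31:05 vm-example sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
  Oct  3 19:31:07 vm-example sshd[1241]: Failed password for root from 198.51.100.7 port 40002 ssh2
  Oct  3 19:32:00 vm-example sshd[1234]: pam_unix(sshd:session): session closed for user alice
LOG

# Emulate what in_tail does with the 'format' regex: one record per line,
# 'time' taken from the named group and the entire line kept as 'message'.
# Syslog timestamps have no year, so the caller supplies one (assumption).
def parse_auth_log(text, year: 2019)
  text.each_line.map do |line|
    m = AUTH_LOG_FORMAT.match(line.chomp)
    next nil unless m
    { 'time' => Time.parse("#{m['time']} #{year}"), 'message' => m['message'] }
  end.compact
end

# Defender-side check on the parsed records: failed SSH logins per source
# address. Run over a real auth.log this shows how much of the ingested
# volume is brute-force noise rather than legitimate sessions.
def failed_logins_by_source(records)
  records.each_with_object(Hash.new(0)) do |rec, counts|
    fm = rec['message'].match(/Failed password for (?:invalid user )?\S+ from (?<ip>\S+)/)
    counts[fm['ip']] += 1 if fm
  end
end

if __FILE__ == $PROGRAM_NAME
  records = parse_auth_log(SAMPLE_AUTH_LOG)
  records.each { |r| puts "#{r['time'].iso8601}  #{r['message']}" }
  puts failed_logins_by_source(records).inspect
end
```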

The answer to your first question is that the VM images for Compute Engine don't include the Logging agent by default. To answer your second question, you need to install the Stackdriver Logging agent on your VM. Please follow the information and instructions here. I could reproduce that to ensure it works. After installing the agent, you will be able to see SSH connections in Stackdriver Logging; for example, their header looks like this: "..session opened for user USER". It also logs when the SSH session is closed; its header looks like this: "...session closed for user USER".

  • I have the agent installed. I'm seeing log entries from syslog, but not for auth. Did you change something in sshd_config? – Rhangaun Feb 20 '19 at 22:21
  • @Rhangaun I'm not sure if this is by default. Though, I'm curious, would you share the OS info so as to verify that? – Fady Feb 23 '19 at 04:44
  • OS is Ubuntu 18.04 – Rhangaun Feb 24 '19 at 23:16
  • @Rhangaun, I see you have submitted an answer which ended up resolving the issue by adding an additional entry in /etc/google-fluentd/config.d/syslog.conf. If you still have issues, please post more details about your use case and the issue. – mehdi sharifi Feb 26 '19 at 14:27