This section describes how to collect and view the logs generated by the operation of SSH Tectia Server.
The Management Agent sysmonitor process collects system log
events generated by an SSH Tectia Server and forwards them to the Management Server. The
syslog facility used by SSH Tectia Server is defined in
the server configuration. Log gathering is disabled by default.
The Management Server forwards all collected log information to the Management Server machine's system log.
Using these two capabilities, it is possible to route all system log entries related to an SSH Tectia Server to the Management Server, which can in turn provide them to third-party applications through the Management Server machine's system log.
If SSH Tectia Server is installed on a host which is running Management Agent, log messages generated by SSH Tectia Server (in the Windows Event Log) are sent to the Management Server. The event log filter for SSH Tectia Server and SFTP server is defined in the SSH Tectia Server configuration. Log gathering is disabled by default.
See also Management Server Log Collection Process for a technical description of the log collection process.
Log collection is defined in the Management Agent configuration in Configurations → Edit Configurations → Management Agent.
To enable log collection, define a suitable polling interval for the
log messages with the SecshMonitorLogPollInterval setting.
The value range is 30-3600 seconds.
To disable log collection, set the value for
SecshMonitorLogPollInterval to 0.
Deploy the configuration in Configurations → Deploy configurations.
To disable log collection on a managed host:
Edit the line for the SecshMonitorLogPollInterval
configuration option in the /etc/opt/ssh-mgmt/agent/agent-secsh.dat file
and set its value to 0. This will prevent the sysmonitor from
sending log events to the Management Server.
SecshMonitorLogPollInterval=0
After modifying the /etc/opt/ssh-mgmt/agent/agent-secsh.dat file,
restart the Management Agent.
See Installing Manually on Linux, Installing Manually on Solaris, and Installer Details for the operating-system-specific restart commands.
Edit the /etc/syslog.conf file and
remove the following lines:
# SSH Tectia Manager (ssh-mgmt-agent) automatic syslog.conf entry \
(DO NOT EDIT!)
*.debug    /var/run/ssh-mgmt-temp-log
Restart syslog. See the manual page for syslogd
for instructions on how to do this. Typically this is done by sending the
HUP signal to the syslogd process:
kill -HUP <pid>
Remove the /var/run/ssh-mgmt-temp-log file.
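The following script is an added example, not part of the SSH Tectia documentation: it checks whether the disable procedure above has been completed on a managed host. The file paths and the option name come from this page; the function names, the one key=value per line layout of agent-secsh.dat, and the rule that the last occurrence of a key wins are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): audit the disable procedure on a managed host.
# Paths and the option name are taken from this page. Assumptions: agent-secsh.dat
# holds one key=value per line and the last occurrence of a key wins.
AGENT_DAT=${AGENT_DAT:-/etc/opt/ssh-mgmt/agent/agent-secsh.dat}
SYSLOG_CONF=${SYSLOG_CONF:-/etc/syslog.conf}
TEMP_LOG=${TEMP_LOG:-/var/run/ssh-mgmt-temp-log}

# poll_state FILE -> disabled | enabled:<sec> | invalid:<value> | unset
poll_state() {
    val=$(sed -n 's/^[[:space:]]*SecshMonitorLogPollInterval[[:space:]]*=//p' \
              "$1" 2>/dev/null | tail -n 1 | tr -d '[:space:]')
    case $val in
        '')                 echo unset ;;
        *[!0-9]*|??????*)   echo "invalid:$val" ;;   # non-numeric or absurdly long
        *)  if [ "$val" -eq 0 ]; then
                echo disabled
            elif [ "$val" -ge 30 ] && [ "$val" -le 3600 ]; then
                echo "enabled:$val"                  # documented range 30-3600 s
            else
                echo "invalid:$val"
            fi ;;
    esac
}

# leftovers SYSLOG_CONF TEMP_LOG -> one line per cleanup step still outstanding
leftovers() {
    # An active (uncommented) rule still routing messages to the temp log
    if grep -Eq '^[^#]*ssh-mgmt-temp-log' "$1" 2>/dev/null; then
        echo syslog-entry
    fi
    if [ -e "$2" ]; then
        echo temp-log
    fi
}

# audit AGENT_DAT SYSLOG_CONF TEMP_LOG -> summary line; status 0 only when
# collection is disabled and no syslog rule or temp file remains
audit() {
    state=$(poll_state "$1")
    left=$(leftovers "$2" "$3" | tr '\n' ' ')
    echo "poll=$state leftovers=${left:-none}"
    [ "$state" = disabled ] && [ -z "$left" ]
}
```

On a managed host, call audit "$AGENT_DAT" "$SYSLOG_CONF" "$TEMP_LOG"; a non-zero status means collection is still enabled or a cleanup step remains, for example a *.debug rule that keeps writing messages to the temporary log file.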
Copying the log messages that Management Agents send to the Management Server can be disabled in the administration interface.
To disable the copying of log messages:
Click Settings → System settings on the menu.
On System settings, click the Edit button.
Clear the Enable copying sshd log messages from managed hosts to Management Server syslog check box, and click the Save button.
If logs are enabled, the Management Agent collects all Secure-Shell-related log data from the syslog files of the managed hosts and copies it to the Management Server. The Management Server stores this information in its database.
This collected log data can be viewed by administrators. The information includes:
Event time: This is the time when the log event actually took place on the host. This time is the local time of the host, not the time of the Management Server (GMT).
Receive time: This is the time when the Management Server received the log entry from the host. This time is the Management Server's time (GMT).
Host: The hostname.
PID: The ID of the process that entered the log event into the syslog.
Process: A string describing the name of the process that
entered the log event into the syslog. In this release this is
sshd, sftpd, or sshd2 (for 4.x), or
ssh-broker-g3, ssh-server-g3, or sft-server-g3 (for 6.x).
Message: The free-text part of the system log entry, which contains a description of the event.
These log entries can be filtered by hostname, event time, and message content.
To view the SSH Tectia Server logs, click Logging → SSH Tectia Server logs on the menu. Enter the appropriate search criteria and change the time period if necessary. Click the Search button to start the search.
Logs of the matching hosts are displayed. See Figure 6.8 for an example.
Click Close to return to the log search page.
To view logs sent from a managed SSH Tectia Server host:
Click Hosts → View hosts on the menu.
Select an SSH Tectia Server host that is sending the logs (through View hosts or Search hosts).
Click the Secure Shell software tab, and click the Log data tab. The collected log is shown.
Click Close to return to the View hosts page, or click another tab to continue.