SSH

Collecting and Viewing Tectia Server Logs

This section describes how to collect and view the logs that Tectia Server generates about its operations.

Note

By default, the Management Agent does not collect logs from SSH servers. For instructions on enabling log collection, see Enabling Log Collection in Management Agent Configuration.

See also Management Server Log Collection Process for a technical description of the log collection process.

When logging is enabled in the Management Agent configuration, the Management Agent collects the logs from the managed Tectia Server hosts as follows:

Disabling Log Collection Manually on a Managed Host

If necessary, you can disable log collection on some managed hosts by editing the configuration file on the host:

  1. Edit the line for the SecshMonitorLogPollInterval configuration option in the /etc/opt/ssh-mgmt/agent/agent-secsh.dat file and set its value to 0. This will prevent the sysmonitor from sending log events to the Management Server.

    SecshMonitorLogPollInterval=0
  2. After modifying the /etc/opt/ssh-mgmt/agent/agent-secsh.dat file, restart the Management Agent.

    See Installing Manually on Linux, Installing Manually on Solaris, and Installer Details for the operating-system-specific mechanisms for the restarting command.

  3. Edit the /etc/syslog.conf file and remove the following lines:

    # Tectia Manager (ssh-mgmt-agent) automatic syslog.conf entry (DO NOT EDIT!)
    *.debug    /var/run/ssh-mgmt-temp-log
  4. Restart syslog. See the manual page for syslogd for instructions on how to do this. Typically this is done by sending the HUP signal to the syslogd process:

    kill -HUP <pid>
  5. Remove the /var/run/ssh-mgmt-temp-log file.
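
To confirm that the procedure above was carried out completely on a host, a read-only check can inspect the three artifacts it touches. This is an added example, not part of the Tectia documentation; the function names, the key=value parsing of agent-secsh.dat and the sample values are assumptions.

```shell
#!/bin/sh
# Added example: read-only check of the files touched by the manual procedure.

# Print the last SecshMonitorLogPollInterval value in the agent file
# (assumes key=value lines, as in the line shown in step 1).
poll_interval() {
    sed -n 's/^[[:space:]]*SecshMonitorLogPollInterval[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# Succeed if an uncommented syslog rule still refers to the temporary log file.
syslog_entry_present() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -qF -- "$2"
}

# Print "applied", "partial" or "not-applied" for one host's files.
# Without arguments, the paths named on this page are used.
procedure_state() {
    agent_conf=${1:-/etc/opt/ssh-mgmt/agent/agent-secsh.dat}
    syslog_conf=${2:-/etc/syslog.conf}
    temp_log=${3:-/var/run/ssh-mgmt-temp-log}
    steps=0
    # Step 1: poll interval set to 0.
    [ "$(poll_interval "$agent_conf")" = "0" ] && steps=$((steps + 1))
    # Step 3: no active syslog rule writing to the temporary log.
    syslog_entry_present "$syslog_conf" "$temp_log" || steps=$((steps + 1))
    # Step 5: temporary log file removed.
    [ -e "$temp_log" ] || steps=$((steps + 1))
    case $steps in
        3) echo applied ;;
        0) echo not-applied ;;
        *) echo partial ;;
    esac
}

# Constructed sample: a host where only step 1 has been carried out.
demo=$(mktemp -d)
printf 'SecshMonitorLogPollInterval=0\n' > "$demo/agent-secsh.dat"
printf '*.debug\t%s\n' "$demo/temp-log" > "$demo/syslog.conf"
: > "$demo/temp-log"
procedure_state "$demo/agent-secsh.dat" "$demo/syslog.conf" "$demo/temp-log"
rm -rf "$demo"
```

A "partial" result means a step was skipped; the restarts in steps 2 and 4 are not visible in these files and have to be checked separately.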

Disabling the Copying of Log Messages to the Server's System Log

Copying the log messages that Management Agents send to the Management Server can be disabled in the administration interface.

To disable the copying of log messages:

  1. Click Settings → System settings on the menu.

  2. On System settings, click the Edit button.

  3. Clear the Enable copying sshd log messages from managed hosts to Management Server syslog check box, and click the Save button.

Viewing Tectia Server Logs in the Management Server

If logs are enabled, the Management Agent collects all Secure-Shell-related log data from the syslog files of the managed hosts and copies it to the Management Server. The Management Server stores this information in its database.

This collected log data can be viewed by administrators. The information includes:

  • Event time: This is the time when the log event actually took place on the host. This time is the local time of the host, not the time of the Management Server (GMT).

  • Host: The hostname.

  • PID: The ID of the process that entered the log event into the syslog.

  • Process: A string describing the name of the process that entered the log event into the syslog. In this release this is sshd, sftpd, or sshd2 (for 4.x), or ssh-broker-g3, ssh-server-g3, or sft-server-g3 (for 5.x and 6.x).

  • Message: The free-text part of the system log entry, which contains a description of the event.

These log entries can be filtered by hostname, event time, and message content.

To view the Tectia Server logs, click Logging → Tectia Server logs on the menu. Enter the appropriate search criteria and change the time period if necessary. Click the Search button to start the search.

Logs of the matching hosts are displayed. See an example in the figure below.

Figure 8.15. Viewing Tectia logs

Click Close to return to the log search page.

Viewing the Log Data for a Host

To view logs sent from a managed Tectia Server host:

  1. Click Hosts → View hosts on the menu.

  2. Select a Tectia Server host that is sending the logs (through View hosts or Search hosts).

  3. Click the Secure Shell software tab, and click the Log data tab. The collected log is shown.

Figure 8.16. Log data

Click Close to return to the View hosts page, or click another tab to continue.