I think this may help getting the messages to another server:
I cannot test without brushing up on my linux (lack of) skills


seems like a pretty standard way to get messages to another server


DrFranken wrote on 8/19/2015 12:57 PM:
The only thing I find is a Syslog server config for IBM i. Thing is
there doesn't appear to be any way to get SSHD to log to anything but a
local syslog so it's probably using localhost. Even looking at the
generic config for openssh on linux etc there is no option to log
anywhere else.

I am suspicious that SSHD doesn't do ANYTHING with the audit journal and
the only reason anything shows up there is that they call some API to
validate UID and PWD and when that fails the entries are generated.
Thing is if that's the case you'd also expect it to log the entries when
the UID is invalid because actual code in the Journal is UID *OR* PWD
not valid.

- Larry "DrFranken" Bolhuis

www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.

On 8/18/2015 3:52 PM, Bryan Dietz wrote:

this has come up before try searching the archives for "syslog"
I found some sample code.


DrFranken wrote on 8/18/2015 3:39 PM:
Yep saw that. It raises two questions though. 1) Can I redirect that
syslog output to another system, that is have all my partitions syslog
to ONE partition?

If so, How?

The sshd_config file seems only to allow a few tweaks but no
configuration of where to send the syslog messages.

- Larry "DrFranken" Bolhuis

www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.

On 8/18/2015 3:12 PM, Steinmetz, Paul wrote:


Check if you have SSHD setup for logging.



-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Vernon Hamberg
Sent: Tuesday, August 18, 2015 2:59 PM
To: Midrange Systems Technical Discussion
Subject: Re: QAUDJRN entry for failed password attempts with SSH

Larry - is SSH running in PASE? If so, I would not expect much in the
audit journal, as PASE knows nothing about that. It's like those who
want exit points for sftp and all.

But PASE (AIX) might have some logging of this kind of thing - that a
WAG for sure on my part.


On 8/18/2015 1:39 PM, DrFranken wrote:
I get these for TELNET (Code T Type PW) I get these for FTP I get
these for the http: *ADMIN server I get them with System i Navigator

I get them with SSH *IF* they are attempting a VALID user profile.

I get NOTHING with SSH if they try root or admin etc. Anyone know
where I can turn that on or where to look for this type of failed
attempt to authenticate with SSH on i?

In this case I'm testing on i 7.1

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].