William Shallum

SSLH: configuring logging, logrotate, and Logwatch

Posted Aug 29 2010, 04:37 by William Shallum [updated Sep 2 2010, 07:25]

SSLH is a SSL/SSH multiplexer. If you want to run SSH on port 443 (to bypass restrictions?) and run an HTTPS server there as well, this is the program for you. Unfortunately, this will make the connections appear to come from 127.0.0.1. I don’t run a serious HTTPS server so no problem about that, but I would like to know where the SSH connections are coming from.

In this post I will detail how I configured the logging on a Debian Lenny system using rsyslog, logrotate and Logwatch. SSLH logs to syslog, it will be filtered using rsyslog configuration to its own separate log (so it doesn’t get lost in the noise in auth.log). The new SSLH log file also needs to be rotated so it doesn’t grow too large. Logwatch will then be configured to read the SSLH log file for SSH connections.

rsyslog configuration /etc/rsyslog.d/sslh.conf:

Just filters based on program name and disables further logging so it doesn’t go to the default (auth.log)

if $programname == 'sslh' then /var/log/sslh.log
if $programname == 'sslh' then ~

logrotate configuration /etc/logrotate.d/sslh (based on the syslog configuration):

4 files to keep, one file per week. No error if no file, don’t rotate if empty. Compress files with gzip but delay compression of the first one (log.0).

/var/log/sslh.log
{
        rotate 4
        weekly
        missingok
        notifempty
        compress
        delaycompress
        postrotate
                invoke-rc.d rsyslog reload > /dev/null
        endscript
}

Logwatch log files definition /etc/logwatch/conf/logfiles/sslh.conf:

This file specifies a set of log files for sslh. This is separate from the service definition. The date format is the standard syslog date format. Logwatch already comes with a date range filter for this format.

LogFile = sslh.log
LogFile = sslh.log.0
Archive = sslh.log.*.gz

*ApplyStdDate = 

Logwatch service definition /etc/logwatch/conf/services/sslh-ssh.conf:

Not much config here, just the title and the name of the log file set.

Title = "SSLH connections forwarded to SSH"
LogFile = sslh

Logwatch service script /etc/logwatch/scripts/services/sslh-ssh:

This filters the log file. The log file has already been filtered through ApplyStdDate so all this script needs to do is filter out the connections which were forwarded to SSL.

#!/bin/sh

echo "Date Range: $LOGWATCH_DATE_RANGE"
echo "Detail Level: $LOGWATCH_DETAIL_LEVEL"
echo "Temp Dir: $LOGWATCH_TEMP_DIR"
echo "Debug Level: $LOGWATCH_DEBUG"

grep -v 'forwarded to SSL$'

Summarization and separate detail levels in the service script is left as an exercise to the reader :)