[SOLVED][hobbit] sshd notification in syslog

thomas.seglard.enata at cnp.fr thomas.seglard.enata at cnp.fr
Thu Mar 2 18:21:17 CET 2006


Thank you !

the second option (the one you preferred) was a good bet ! 
I added the lines as you indicate and that's solved my problem.

Best regards,

Thomas Seglard

"Schwimmer, Eric E *HS" <EES2Y at hscmail.mcc.virginia.edu> a écrit sur 
02/03/2006 17:31:10 :

> 
> Three posibilities, off the top of my head:
> 
> On the client side:
> 1. Install syslog-ng instead of ksyslogd, and
>    filter on the ip address of your hobbit server.
> 2. Call your logrotate script (assuming you use one)
>    more often, and/or make it compress your old syslog
>    messages.
> 
> On the hobbit server side:
> (this is my preferred option)
> 1. change your bb-services file ($HOBBIT/server/etc/bb-services)
>    so that ssh test sends the version string.  I think that will
>    stop your sshd from complaining.
> 
> ie.:
> 
> [ssh|ssh1|ssh2]
>    send "SSH-2.0-OpenSSH_4.1\r\n"
>    expect "SSH"
>    options banner
>    port 22
> 
> I think if you disconnect after the version exchange, but
> before the diffie-helman key exchance, sshd wont log anything.
> 
> Now, if you arent accepting v2 connections on your clients,
> you'll have to set up a separate [ssh1] stanza that supplies
> an ssh v1 string (SSH-1.5-OpenSSH_4.2) and change your ssh 
> statement in your bb-hosts to ssh1 for those machines. 
> Otherwise your logs are just going to be filled with
> protocol mismatch messages instead.
> 
> HTH,
> 
> -Eric Schwimmer
> Network Engineer
> UVA HSCS Network Engineering 
> 
> > -----Original Message-----
> > From: thomas.seglard.enata at cnp.fr 
> > [mailto:thomas.seglard.enata at cnp.fr] 
> > Sent: Thursday, March 02, 2006 6:09 AM
> > To: hobbit at hswn.dk
> > Subject: [hobbit] sshd notification in syslog
> > 
> > 
> > Hello, 
> > 
> > since deployment of hobbit's client on 200 servers (hpux, 
> > aix, sun, linux), I got this message in syslog : 
> > 
> > Feb 13 12:05:44 psa089 sshd[9813]: Did not receive 
> > identification string from 158.157.156.91 
> > Feb 13 12:06:47 psa089 sshd[9980]: Did not receive 
> > identification string from 158.157.156.91 
> > Feb 13 12:07:49 psa089 sshd[10006]: Did not receive 
> > identification string from 158.157.156.91 
> > Feb 13 12:08:17 psa089 sshd[10012]: Did not receive 
> > identification string from 158.157.156.91 
> > Feb 13 12:08:48 psa089 sshd[10078]: Did not receive 
> > identification string from 158.157.156.91 
> > Feb 13 12:09:52 psa089 sshd[10564]: Did not receive 
> > identification string from 158.157.156.91 
> > Feb 13 12:10:55 psa089 sshd[10871]: Did not receive 
> > identification string from 158.157.156.91 
> > Feb 13 12:11:57 psa089 sshd[10987]: Did not receive 
> > identification string from 158.157.156.91 
> > Feb 13 12:13:00 psa089 sshd[11060]: Did not receive 
> > identification string from 158.157.156.91 
> > Feb 13 12:13:20 psa089 sshd[11065]: Did not receive 
> > identification string from 158.157.156.91 
> > Feb 13 12:14:02 psa089 sshd[11166]: Did not receive 
> > identification string from 158.157.156.91 
> > Feb 13 12:15:06 psa089 sshd[11297]: Did not receive 
> > identification string from 158.157.156.91 
> > 
> > Ip address is the one from my hobbit's server 
> > (158.157.156.91). This message do not specify that the ssh 
> > test failed, so I'm not worried about this. The main problem 
> > is the size of syslog and /var is growing rapidly ! Anyone 
> > knows how to prevent this message to be display in syslog ? 
> > Thank you ! 
> > 
> > Thomas Seglard 
> > (I'm using Lotus Notes, what a challenge...)
> > 
> > Ce message (et toutes ses pieces jointes eventuelles) est 
> > confidentiel et etabli a l'intention exclusive de ses destinataires.
> > Toute utilisation de ce message non conforme a sa 
> > destination, toute diffusion ou toute publication, totale ou 
> > partielle, est
> > interdite, sauf autorisation expresse.
> > L'internet ne permettant pas d'assurer l'integrite de ce 
> > message, CNP Assurances et ses filiales declinent toute responsabilite
> > au titre de ce message, s'il a ete altere, deforme ou falsifie.
> > 
> > *****
> > 
> > This message and any attachments (the "message") are 
> > confidential and intended solely for the addressees.
> > Any unauthorised use or dissemination is prohibited.
> > E-mails are susceptible to alteration.
> > Neither CNP Assurances nor any of its subsidiaries or 
> > affiliates shall be liable for the message if altered, 
> > changed or falsified.
> > 
> > 
> 
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
> 
> 


Ce message (et toutes ses pieces jointes eventuelles) est confidentiel et etabli a l'intention exclusive de ses destinataires.
Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est
interdite, sauf autorisation expresse.
L'internet ne permettant pas d'assurer l'integrite de ce message, CNP Assurances et ses filiales declinent toute responsabilite
au titre de ce message, s'il a ete altere, deforme ou falsifie.

*****

This message and any attachments (the "message") are confidential and intended solely for the addressees.
Any unauthorised use or dissemination is prohibited.
E-mails are susceptible to alteration.
Neither CNP Assurances nor any of its subsidiaries or affiliates shall be liable for the message if altered, changed or falsified.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20060302/2a6293e5/attachment.html>


More information about the Xymon mailing list