Thursday, January 17, 2008

SSH error messages - chan_read_failed

Are you tired of getting ssh error messages on the system console and in the /var/adm/messages file? If so, here is how you can separate those messages from /var/adm/messages and redirect them to a place that is dedicated to such messages and doesn't normally need to be reviewed.

For redirecting ssh bug messages, I changed the location of logs as follows:


# cat /etc/syslog.conf
#ident "@(#)syslog.conf 1.5 98/12/14 SMI" /* SunOS 5.0 */
#
# Copyright (c) 1991-1998 by Sun Microsystems, Inc.
# All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words. Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.notice;auth.none	/dev/sysmsg
*.err;auth.none;kern.debug;daemon.notice;mail.crit	/var/adm/messages
auth.info	/var/log/authlog

*.alert;kern.err;daemon.err	operator
*.alert	root
*.emerg	*

local3.debug	@syslog-server
local2.debug	@syslog-server

# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice	ifdef(`LOGHOST', /var/log/authlog, @loghost)

mail.debug	ifdef(`LOGHOST', /var/log/syslog, @loghost)

#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err	/dev/sysmsg
user.err	/var/adm/messages
user.alert	`root, operator'
user.emerg	*
)
local7.debug	/var/adm/sam-log


Please note that the fields in the syslog.conf file must be TAB separated; otherwise it will not work.

# touch /var/log/authlog

In Solaris 10, syslog.conf can be re-read with the following steps:

# svcs -a | grep system-log
online Jan_13 svc:/system/system-log:default

# svcadm refresh /system/system-log

# svcs /system/system-log
STATE STIME FMRI
online 9:34:06 svc:/system/system-log:default


Prior to Solaris 10, syslog.conf can be re-read with the following steps:

# ps -eaf | grep syslog
root 441 1 0 Jan 13 ? 0:12 /usr/sbin/syslogd

# kill -HUP 441

Once the syslog.conf file is changed and re-read by the syslogd daemon, /var/log/authlog will start getting those bugging messages from ssh.

# tail -100 /var/log/authlog
Jan 17 09:06:48 someserver sshd[11543]: [ID 800047 auth.error] error: channel 0: chan_read_failed for istate 3
Jan 17 09:06:48 someserver last message repeated 2 times
Jan 17 09:11:40 someserver sshd[19750]: [ID 800047 auth.info] Accepted publickey for oracle from 10.60.70.68 port 37317 ssh2
Jan 17 09:11:40 someserver sshd[19750]: [ID 800047 auth.error] error: channel 0: chan_read_failed for istate 3
Jan 17 09:11:40 someserver last message repeated 2 times
Jan 17 09:11:40 someserver sshd[19772]: [ID 800047 auth.info] Accepted publickey for oracle from 10.60.70.68 port 37322 ssh2
Jan 17 09:11:40 someserver sshd[19772]: [ID 800047 auth.error] error: channel 0: chan_read_failed for istate 3
Jan 17 09:11:40 someserver last message repeated 2 times
Jan 17 09:11:41 someserver sshd[19795]: [ID 800047 auth.info] Accepted publickey for oracle from 10.60.70.68 port 37325 ssh2
Jan 17 09:11:41 someserver sshd[19795]: [ID 800047 auth.error] error: channel 0: chan_read_failed for istate 3
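
To check an edited syslog.conf before refreshing syslogd, the following added example (not part of the original post) flags lines whose fields are not TAB separated and reports which actions receive a given facility.level message. It is a simplified model of selector matching: it assumes later entries in a selector override earlier ones for the same facility, it does not expand m4 ifdef() lines, and the function names are hypothetical.

```python
# Added example: simplified model of syslog.conf selector matching.
# Assumptions: later entries in a selector override earlier ones for the
# same facility; m4 ifdef() lines are not expanded.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"error": "err"}  # maps the "auth.error" tag seen in the log to err
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "lpr", "news",
              "uucp", "cron"] + [f"local{i}" for i in range(8)]

# Constructed sample: three rules from the file above, plus the local7 rule
# written with a space instead of a TAB to show the failure case.
SAMPLE = (
    "*.err;kern.notice;auth.none\t/dev/sysmsg\n"
    "*.err;auth.none;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "auth.info\t/var/log/authlog\n"
    "local7.debug /var/adm/sam-log\n"
)

def parse(text):
    """Return (rules, bad_lines): (selector, action) pairs and the numbers
    of lines whose fields are not TAB separated."""
    rules, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        selector, tab, action = line.partition("\t")
        if not tab or " " in selector:
            bad.append(n)
            continue
        rules.append((selector, action.strip()))
    return rules, bad

def matches(selector, facility, level):
    """True if a message logged at facility.level is selected."""
    threshold = {}  # facility -> least severe level index accepted, None = excluded
    for spec in selector.split(";"):
        facs, _, lvl = spec.rpartition(".")
        lvl = ALIASES.get(lvl, lvl)
        value = None if lvl == "none" else LEVELS.index(lvl)
        for fac in facs.split(","):
            for f in (FACILITIES if fac == "*" else [fac]):
                threshold[f] = value
    limit = threshold.get(facility)
    return limit is not None and LEVELS.index(ALIASES.get(level, level)) <= limit

def destinations(text, facility, level):
    """Actions that receive a facility.level message, in file order."""
    rules, _ = parse(text)
    return [action for selector, action in rules if matches(selector, facility, level)]
```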
