IBM Support

The SSHD Can Use the UNIX Syslog Facilities for Logging

Troubleshooting


Problem

This document provides instructions for configuring and starting the syslog daemon on the operating system to log information about the use of the OpenSSH sshd daemon.

Resolving The Problem

The SSH daemon can use the UNIX syslog facilities for logging.

In this example, Qshell was used to start the syslog daemon. To verify that Qshell is installed on your system, run the DSPSFWRSC command. Qshell is Option 30 of the base operating system 5770SS1. The PASE terminal is also required, so confirm that Option 33 of the base operating system 5770SS1 is also installed. Finally, check that 5733SC1 is installed.
 
Do the following:
From the IBM i run:
STRQSH
 
We need to create both a syslog log file, and the syslog config file.  In this example, we are going to create a log file called syslog.log in the /var/log directory.  This file can be named whatever you like and be stored wherever you like, but whatever you choose, you need to reference it in the entry created in the syslog config file.  You need to ensure that any directories in the path already exist.  Substitute your choice wherever you see /var/log/syslog.log in these examples.
 
Create both the syslog log file and the syslog config file:
 
  • touch -C 819 /var/log/syslog.log   (Creates the log file)
You can choose the log file name and location. This log file will need to be referenced in the syslog configuration file during the next configuration steps.
  • touch -C 819 /QOpenSys/etc/syslog.conf   (Creates conf file in proper CCSID 819)
  • echo "" >> /QOpenSys/etc/syslog.conf  (This will set the *LF stream file EOL option, rather than *CRLF, which is not compatible, and would result in errno=2 when reading)
Now exit out of QSH by using the Fn key or the exit command.
We now need to add the following line into the syslog.conf file.
 
From IBM i run:
 
EDTF '/QOpenSys/etc/syslog.conf'

Add the following line to the file:

daemon.debug /var/log/syslog.log
 
(or substitute the directory path and file name of your choice from the previous step)
 

Hit F3 2x to save the changes to syslog.conf and exit the file.

End the SSHD server by using command:
ENDTCPSVR *SSHD
 
Edit the sshd_config file to turn on logging:
EDTF '/QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config'
 
Under the section that starts with '# Logging', you should see the two directives below:
 
#SyslogFacility AUTH
#LogLevel INFO
 
Remove the '#' symbol in front of SyslogFacility & LogLevel (which uncomments the line) and set their values to DAEMON & DEBUG respectively:
 
SyslogFacility DAEMON
LogLevel DEBUG
 
Under the section that starts with '#override default of no subsystems', you should see the Subsystem directive below:
 

Subsystem sftp /QOpenSys/QIBM/ProdData/SC1/OpenSSH/libexec/sftp-server

Add the facility & log level flags below to the sftp-server command:

Subsystem sftp /QOpenSys/QIBM/ProdData/SC1/OpenSSH/libexec/sftp-server -f DAEMON -l DEBUG

Hit F3 2x to save the changes to sshd_config and exit the file. 
 
*NOTE: If you are running OS/400 R710, the path for sshd_config is '/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-4.7p1/etc/sshd_config'
 
Start the syslog daemon:

QSH CMD('/usr/sbin/syslogd')

Note: The syslog daemon listens on UDP port 514. You can check that it started by running NETSTAT *CNN.

Start the ssh daemon:

STRTCPSVR *SSHD
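
If no entries show up in the log file after the restart, the two edited files can be checked against each other. The following POSIX shell script is an added example, not IBM's code; the function names are made up here, and it assumes the syslog.conf rule uses the debug priority to match the LogLevel DEBUG setting above.

```shell
#!/bin/sh
# Added example: consistency check for the sshd_config and syslog.conf edits.

# Effective value of an sshd_config keyword: first uncommented match wins,
# keywords are case-insensitive; falls back to the supplied default.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
    awk -v k="$2" -v d="$3" '
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Destination of the first uncommented syslog.conf rule that selects
# FACILITY (or "*") at priority debug; prints nothing if there is none.
syslog_dest() {  # usage: syslog_dest FILE FACILITY
    awk -v f="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        { split($1, sel, ".") }
        (tolower(sel[1]) == tolower(f) || sel[1] == "*") && sel[2] == "debug" {
            print $2; exit }' "$1"
}

check_sshd_syslog() {  # usage: check_sshd_syslog SSHD_CONFIG SYSLOG_CONF
    rc=0
    fac=$(sshd_value "$1" SyslogFacility AUTH)
    lvl=$(sshd_value "$1" LogLevel INFO)
    echo "sshd logs to facility $fac at level $lvl"
    # The page notes that *CRLF line endings make the file unreadable.
    if grep -q "$(printf '\r')" "$2"; then
        echo "FAIL: $2 has CRLF line endings"; rc=1
    fi
    dest=$(syslog_dest "$2" "$fac")
    if [ -z "$dest" ]; then
        echo "FAIL: no $fac.debug rule in $2"; rc=1
    elif [ ! -f "$dest" ]; then
        echo "FAIL: log file $dest does not exist"; rc=1
    fi
    if ! awk 'tolower($1) == "subsystem" && $2 == "sftp"' "$1" |
            grep -q -- ' -f .* -l '; then
        echo "WARN: sftp-server is started without -f/-l logging flags"
    fi
    return $rc
}

# Run against the two files named on the command line, if given.
if [ $# -eq 2 ]; then check_sshd_syslog "$1" "$2"; fi
```

Run it with the sshd_config and syslog.conf paths from the steps above as its two arguments.
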
The /var/log/syslog.log (or your equivalent) file will contain entries similar to the following:

Feb 18 17:02:10 RCH750B daemon:debug sshd[15721]: debug2: fd 4 setting O_NONBLOCK
Feb 18 17:02:10 RCH750B daemon:debug sshd[15721]: debug1: Bind to port 22 on 0.0.0.0.
Feb 18 17:02:10 RCH750B daemon:info sshd[15721]: Server listening on 0.0.0.0 port 22.
Feb 18 17:03:02 RCH750B daemon:debug sshd[15721]: debug3: fd 5 is not O_NONBLOCK
Feb 18 17:03:02 RCH750B daemon:debug sshd[15723]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Feb 18 17:03:02 RCH750B daemon:debug sshd[15721]: debug1: Forked child 15723.
Feb 18 17:03:02 RCH750B daemon:debug sshd[15721]: debug3: send_rexec_state: entering fd = 8 config len 4
Feb 18 17:03:02 RCH750B daemon:debug sshd[15721]: debug3: ssh_msg_send: type 0
Feb 18 17:03:02 RCH750B daemon:debug sshd[15721]: debug3: send_rexec_state: done
Feb 18 17:03:02 RCH750B daemon:debug sshd[15723]: debug1: inetd sockets after dupping: 4, 4
Feb 18 17:03:02 RCH750B daemon:debug sshd[15723]: debug3: process_channel_timeouts: setting 0 timeouts
Feb 18 17:03:02 RCH750B daemon:debug sshd[15723]: debug3: channel_clear_timeouts: clearing
Feb 18 17:03:02 RCH750B daemon:info sshd[15723]: Connection from X.X.X.X port 58475 on Y.Y.Y.Y port 22
Feb 18 17:03:02 RCH750B daemon:debug sshd[15723]: debug1: Local version string SSH-2.0-OpenSSH_9.6
Feb 18 17:03:02 RCH750B daemon:debug sshd[15723]: debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_9.5p2

If SYSLOGD is not configured and running, these syslog messages are redirected to the job log of the unique SSHD process that is forked off when a user tries to connect. Therefore, you would have to look through a bunch of job logs to get all of the logged messages. The SyslogFacility & LogLevel directives in the SSH daemon configuration file determine the syslog facility and the verbosity level that are used when logging messages from SSHD. The log facility flag (-f) & log level flag (-l) for the sftp-server command provide additional logging capabilities for SFTP file transfers.
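
Because every forked sshd process logs under its own PID, the consolidated file can be reduced to one line per connection. The following POSIX shell and awk script is an added example, not IBM's code; the function names and the host name and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example: one summary line per inbound connection, keyed by sshd PID.

# Constructed sample in the log format shown above (addresses are from the
# documentation ranges, the host name HOSTA is a placeholder).
sample_log() {
cat <<'EOF'
Feb 18 17:03:02 HOSTA daemon:debug sshd[15721]: debug1: Forked child 15723.
Feb 18 17:03:02 HOSTA daemon:info sshd[15723]: Connection from 192.0.2.10 port 58475 on 198.51.100.5 port 22
Feb 18 17:03:02 HOSTA daemon:debug sshd[15723]: debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_9.5p2
Feb 18 17:04:40 HOSTA daemon:debug sshd[15721]: debug1: Forked child 15730.
Feb 18 17:04:40 HOSTA daemon:info sshd[15730]: Connection from 192.0.2.77 port 40112 on 198.51.100.5 port 22
EOF
}

# Reads syslog lines from the named files, or from stdin when none are given.
summarize_sessions() {
    awk -v tag="remote software version " '
    $6 ~ /^sshd\[[0-9]+\]:$/ {
        pid = $6; gsub(/[^0-9]/, "", pid)
        # Take the message by field position: its text is partly chosen by
        # the client, so searching the line for "sshd[" is not reliable.
        msg = $7; for (i = 8; i <= NF; i++) msg = msg " " $i
        if (msg ~ /^Connection from /) {
            if (!(pid in src)) order[++n] = pid
            src[pid] = $9 ":" $11
            when[pid] = $1 " " $2 " " $3
        } else if (msg ~ /^debug1: Remote protocol version / && index(msg, tag)) {
            # Everything after the first tag is the client version string.
            client[pid] = substr(msg, index(msg, tag) + length(tag))
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            printf "%s pid=%s src=%s client=%s\n", when[p], p, src[p],
                   (p in client) ? client[p] : "unknown"
        }
    }' "$@"
}

sample_log | summarize_sessions
```

A connection that never sends a version string, like the second one in the sample, is reported with client=unknown.
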


Historical Number

454064141

Document Information

Modified date:
18 February 2026

UID

nas8N1014301