Cygwin - Logging

Written: 08/15/12

Last Updated: 06/15/13

This guide is the seventh part of my Cygwin SSH server series and assumes that the first six guides have already been completed. If you have not yet completed those articles, click here to go to the first article. This article is broken up into two sections – Logging with Syslog-ng and Logging with Syslogd. The first part will cover how to enable server logging through the use of Syslog-ng and the second part will cover how to enable logging through the use of Syslogd. I have personally had better success with Syslogd and therefore prefer it over the newer Syslog-ng. Feel free to judge for yourself.

If you wish to skip the Syslog-ng logging tutorial and go directly to the Syslogd tutorial, click here; otherwise, keep reading below.

Logging with Syslog-ng

Open a Cygwin terminal. In the terminal type “/bin/syslog-ng-config” to start the configuration script. Then follow the commands below to create and start the service. See the picture below for more details.

/bin/syslog-ng-config
yes
net start syslog-ng

cygwin-logging-1

To make sure that the logging will log as desired, the sshd_config file must be edited again. Type the below command to open the config file in nano.

nano /etc/sshd_config

cygwin-logging-2

The first thing to change is the logging facility. The facility specifies the subsystem that produces the messages. The default is “AUTH”, which has Windows handle the logging with its internal event system. To have the events logged locally instead, i.e. in /var/log/messages, change the value to one of the LOCAL facilities. The second thing to do is to uncomment the log level. Leave the default value or change it to log more or less verbosely, as your needs require. To make these changes, edit the lines shown in the images below.

before:

cygwin-logging-3

after:

cygwin-logging-4

To exit nano and save your changes press CTRL+X, then Y, and then Enter.

cygwin-logging-5

cygwin-logging-6

To finish things up, the service must be started. Start the service by executing the command shown below.

cygrunsrv -S syslog-ng

cygwin-logging-7

You have now successfully enabled logging. To see the events, view the file /var/log/messages. This completes the Syslog-ng logging section. If you wish to see how logging is performed through Syslogd, proceed to the next section; otherwise, click here to skip it.

Logging with Syslogd

Setting up Syslogd is extremely easy. Simply execute the first line shown below in a Cygwin terminal to run the script and then type “yes” when it asks you if you want to install it as a service. If you have already installed Syslog-ng (following the first section of this tutorial), then you’ll need to uninstall it first by simply typing “yes” at that prompt, as shown below. If you came here directly, then the highlighted portion in the image will not be visible.

At this point, you will need to edit the sshd configuration file, exactly as shown here. Once you’ve finished that, you can start the Syslogd service by executing the second command shown below.

/bin/syslogd-config
net start syslogd

cygwin-logging-8
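The sshd_config edit that both the Syslog-ng and Syslogd sections rely on (set SyslogFacility to a LOCAL facility, uncomment LogLevel) can be scripted so it is repeatable and checkable. This is an added example, not part of the original article: it takes the config file path as a parameter so you can run it against a copy first, and it assumes GNU sed (as shipped with Cygwin).

```shell
#!/bin/sh
# Added example (not from the article): set the sshd syslog facility and log
# level in an sshd_config file idempotently, then read back the active values.
# Assumes GNU sed (-i) and grep; FILE is a parameter so a copy can be used.

# set_sshd_directive FILE KEY VALUE
# Rewrites an existing (possibly commented-out) "KEY ..." line as "KEY VALUE",
# or appends the directive if it is absent. Only one active line remains.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    if grep -q -E "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# set_sshd_logging FILE FACILITY LEVEL
# The two edits the article describes: e.g. LOCAL0 and INFO.
set_sshd_logging() {
    set_sshd_directive "$1" SyslogFacility "$2"
    set_sshd_directive "$1" LogLevel "$3"
}

# get_sshd_directive FILE KEY -> prints the value of the active (uncommented)
# directive, or nothing if it is still commented out / missing.
get_sshd_directive() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 \
      | sed -E "s/^[[:space:]]*$2[[:space:]]+//"
}

# Usage: ./sshd_logging.sh /path/to/sshd_config [FACILITY] [LEVEL]
if [ $# -ge 1 ]; then
    set_sshd_logging "$1" "${2:-LOCAL0}" "${3:-INFO}"
    printf 'SyslogFacility=%s LogLevel=%s\n' \
        "$(get_sshd_directive "$1" SyslogFacility)" \
        "$(get_sshd_directive "$1" LogLevel)"
fi
```

Run it against a copy of /etc/sshd_config and diff the two files before replacing the real one.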

This concludes the seventh part of my Cygwin SSH server series. The next part, once completed, will cover how to jail users.

Discussion (13)

There are 13 responses to “Cygwin – Logging”.

  1. Nishant Kango responded:

    When is the next part coming? and how to enable public key authentication for users?

    • I wasn’t planning on a new Cygwin article for a while. I still need to finish up my Gentoo series. I do have some Cygwin topics in the back of my head (jailing users, automatic user creation and deletion, X11 related topics, etc…). Is there a particular topic that you are interested in?

      Public key authentication should be enabled by default. It’s defined in /etc/sshd_config. If you look at my security article at this image you can see that the default is “#PubKeyAuthentication yes”. You can uncomment that line as a sanity check. The process for using the authentication should be the same as any *NIX system, i.e. 1) ssh into the server 2) create the cryptographic key 3) install the key.

      I’ve had some users of my system inform me that they were able to use it successfully. They were on *NIX boxes, but the process should work with Windows clients, as well.

      • Nishant Kango responded:

        I am new to ssh and need to know how to make public key authentication working. I am setting the ssh server to work with GIT. Also can i setup my repo directory as default home directory? If yes, then where to store the authorized keys on server. Please help !!!

        • Your home directory is defined in “/etc/passwd”. To update that, you should use “mkpasswd”. You have a couple of options. You may define the same root location for all accounts or for one individual account. It sounds like you want all of the users’ home directories in a different root location. To do that, execute the following command ‘mkpasswd -l -p “/path/to/repo/directory” > /etc/passwd’. This will make every single users’ directory become “/path/to/repo/directory/“, where “” is the user’s name.

          To use public key authentication:
          1) If you do not already have a “~/.ssh” folder and the files “id_rsa” and “id_rsa.pub” in your home directory on your local machine, execute “ssh-keygen -t rsa”. To avoid having to use a password, leave it blank both times you are prompted for one.
          2) Change the permissions:
          a) chmod 700 ~/.ssh
          b) chmod 600 ~/.ssh/id_rsa
          c) chmod 644 ~/.ssh/id_rsa.pub
          3) Copy the “id_rsa.pub” file from your local machine to the server: “scp :.ssh/id_rsa.pub ~/”
          4) SSH to the server
          5) If you don’t have a “.ssh” folder on the server in your home directory (whatever that may be), do the following:
          a) mkdir ~/.ssh
          b) chmod 700 ~/.ssh
          c) mv ~/id_rsa.pub ~/.ssh/authorized_keys
          d) chmod 600 ~/.ssh/authorized_keys
          6) If you do have a “.ssh” folder, then do the following:
          a) cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
          b) chmod 600 ~/.ssh/authorized_keys
          7) (optional) remove the original copied file “rm ~/id_rsa.pub”

  2. Lucas Pick responded:

    Where do you cover Jailing users after this openssh tutorial?

    • I don’t have a tutorial on it, yet. It’s one that I have been considering writing in the future. I noticed that it’s one of the most searched for items on this site. Depending on how tight of a jail is desired, the topic becomes quite involved.

      • Zack responded:

        Would really like to see the jailing process as well.

  3. Peter responded:

    Hi James,

    I’m trying to scp a file from UNIX to a Windows machine. I have a private/public key pair that i created in the unix machine . I’ve tried adding the public key to the windows machine (cygwin) $home/account_user/.ssh/ directory and added the key to the authorized_keys ($home/account_user/.ssh/authorized_keys) file, but when i try to scp a file from unix to windows i still get prompted for the account_user password. Any suggestions would be greatly appreciated.
    Thank you

    • Hi Peter,

      Sorry for the delay! At a high-level, the steps sound correct. I assume you took a look at my above comment to Nishant? Here are some common things to check:

      1) When you run “ssh-keygen” make sure that you do not enter in a password. If you do, then you’ll still be prompted for one.
      2) After adding the public key to the authorized_keys file, make sure that you have changed its permission.
      3) Double check /etc/sshd_config to make sure that PubKeyAuthentication is enabled.

      If this doesn’t work, you can also try using DSA, instead of RSA. To do that, generate the keys with “ssh-keygen -t dsa”.

      Sometimes, when it’s configured incorrectly you will get some notifications when you SSH into your server. If you are getting any of those, please post those here.

  4. Zestos Iremia responded:

    Hi James,

    I’ve read through all seven articles about Cygwin and I must say it’s really comprehensive. Thanks for all the hard work.

    I’m new to logging and all so I have some questions regarding this logging process. If we use Cygwin and Syslog-ng (open source edition), will it be possible for Syslog-ng to process and print out the log file with the logging contents from Windows Event logs?

    Another question is that will we be able to use the features such as secure logging TLS in syslog-ng to encrypt all log files coming from clients?

    Appreciate your answer really much as I’m setting up a logging server in my workplace and we really need to use this.

    Thank you very much once again.

    • Syslog-ng was specifically designed for UNIX-like systems. We are able to use it inside of Windows due to the environment that Cygwin creates; however, it does not have the capability to capture the event logs. You could write a Python script (or similar language) to parse the logs created by Syslog-ng and then extract the desired events (based off the timestamp in your log) and create a new file in your desired format. If you wanted this to happen automatically you create a simple service or even a scheduled task to automatically perform the parsing after a set time interval has passed.

      I haven’t personally used this feature; however, the developer’s of Syslog-ng have this documentation explaining how to use TLS. That documentation should get you going. There might be some differences due to Cygwin vs. a true UNIX environment, so keep that in mind. Hopefully you can get it to work; as I said, I haven’t yet experimented with this. If you do try this, I would be interested in knowing if you were able to get it to work.
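The reply above suggests parsing the Syslog-ng output to pull out the events you care about. As an added example (not from the article or the commenter), the shell functions below summarise the sshd entries in a /var/log/messages-style file by source address, which is the view a defender wants when reviewing the logs enabled in this tutorial. It assumes the classic OpenSSH “Accepted … for USER from IP” and “Failed password for [invalid user] USER from IP” message formats; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the article): summarise sshd authentication events
# from a syslog-style messages file. Assumes grep -E, sed -E, sort and uniq.

# count_sshd_failures FILE -> "COUNT IP" lines, most frequent source first
count_sshd_failures() {
    grep -E 'sshd\[[0-9]+\]: Failed (password|publickey) for ' "$1" \
      | sed -E 's/.* from ([0-9A-Fa-f.:]+) .*/\1/' \
      | sort | uniq -c | sort -rn \
      | sed -E 's/^[[:space:]]*//'
}

# count_sshd_accepted FILE -> "COUNT USER IP" lines, most frequent first
count_sshd_accepted() {
    grep -E 'sshd\[[0-9]+\]: Accepted [a-z]+ for ' "$1" \
      | sed -E 's/.* for ([^ ]+) from ([0-9A-Fa-f.:]+) .*/\1 \2/' \
      | sort | uniq -c | sort -rn \
      | sed -E 's/^[[:space:]]*//'
}

# write_sample_log FILE: constructed sample lines (documentation addresses),
# including a non-sshd line that the filters must ignore.
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 15 10:00:00 winbox syslog-ng[1200]: syslog-ng starting up; version='3.3.5'
Jun 15 10:01:02 winbox sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Jun 15 10:01:05 winbox sshd[1235]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jun 15 10:01:07 winbox sshd[1236]: Failed password for admin from 198.51.100.7 port 40002 ssh2
Jun 15 10:01:09 winbox sshd[1237]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Jun 15 10:02:11 winbox sshd[1238]: Failed password for bob from 203.0.113.5 port 40010 ssh2
Jun 15 10:03:00 winbox sshd[1239]: Accepted password for bob from 192.0.2.11 port 51001 ssh2
Jun 15 10:04:30 winbox sshd[1240]: Accepted publickey for alice from 192.0.2.10 port 51002 ssh2
EOF
}

# Usage: ./sshd_summary.sh /var/log/messages
if [ $# -ge 1 ]; then
    echo "Failed logins by source:";   count_sshd_failures "$1"
    echo "Accepted logins by user/IP:"; count_sshd_accepted "$1"
fi
```

Point it at the real /var/log/messages, or at the constructed sample via write_sample_log, to see the per-source counts.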

  5. This helped me after I made the mistake of installing OpenSSH in windows 10, which overwrote my sshd settings. Thanks again, I’m back in business and reviewing log entries.

  6. Hi,

    Daily or Weekly basis is there any way to create the log “messages” in separate file in path \var\log\.
