Show Contents / Index / Search

Auditing (Message Logging)

The Reflection for Secure IT server provides the following auditing services, which are always enabled.

  • Login history
  • Currently logged in users
  • Failed logins

Output locations are platform-dependent. For details refer to the following table.


Login history

Current login

Failed login

HPUX (11.11, 11.23) PARISC




HPUX (11.23, 11.31) Itanium




AIX 5.2, 5.3, 6.1





Solaris 8, 9, 10




RHEL 3, 4, 5





SLES 9, 10





  • Some platforms write to more than one file.
  • On some Linux systems, btmp is not present. The server writes to this database if it is present.

Keywords for Configuring Auditing

The output for sshd and sftp-server messages is affected by both Reflection for Secure IT configuration and syslogd configuration. For example, the following entry in /etc/syslog.conf configures a facility called local6 and sends output from that facility to /var/adm/rsit_log. /var/adm/rsit_log

Note: The syntax shown above requires a tab between the two entries.

To configure Reflection for Secure IT to send sshd messages to the local6 facility, include the following line in the server configuration file (/etc/ssh2/sshd2_config).

SysLogFacility local6

The table below summarizes keywords used for configuring auditing.




Specify a facility code for sshd messages


The default is `AUTH'.

The value of SyslogFacility must correspond to a facility specified in syslog.conf.

Specify a facility code for sftp-server messages


When no value is configured (the default) sftp-server uses the current facility configured for sshd.

Use SftpSysLogFacility to specify an alternate facility for sftp server logging. Sending sftp messages to a different facility is often useful for auditing.

The value of SftpSysLogFacility must correspond to a facility specified in syslog.conf.

Specify which categories of sftp server messages are sent to the facility specified by SftpSysLogFacility.


The default is `loginlogout,directorylistings,downloads,modifications,uploads', which configures logging of all categories. You can specify any of those options, plus `all', or `none'.

Specify the level of logging to SysLogFacility and SftpSysLogFacility.


After the configuration file is read, messages are processed according to rules defined in syslog.conf.

This level applies to both sshd and sftp logging.