SSH Debug Log Levels and Limits
Summary
Tenable products have long been able to log the details (minus credentials) of SSH connections. Plugin debugging has been an optional setting for scans and scan policies, producing debug logs that help determine the cause of issues. Since the adoption of our revised ssh library in the late 2010s, we have been logging a thorough and accurate level of detail. As more and more plugins have come to rely on SSH connectivity, this logging has put a strain on scanner and scan-target resources in some customer environments.
In response to these issues, we have revised the logging in our sshlib, added new logging functions in debug.inc, added new debug levels that can be specified in the GUI, and migrated both the new and old ssh libraries to the new logging setup.
What does this mean for our customers? Any customer using plugin debugging will be able to select a debugging level from 1 through 4 in their scan configurations. By default, every policy where this value is not intentionally set higher will be set to 1, the lowest amount of detail. Customers can fine-tune this setting themselves.
Debugging level 1 represents the lowest level of detail: mostly connections, commands, and results. Log messages longer than 500 bytes are automatically trimmed.
Debugging level 2 represents a medium level of detail. It includes all debug messages from level 1, plus more details on the protocols in use, packet types, and slightly more esoteric logging information. Log messages longer than 1000 bytes are automatically trimmed.
Debugging level 3 represents a high level of detail. It includes all debug messages from levels 1 and 2, plus details on shell handlers and actual deep dives into the packets received and sent, the works. Log messages longer than 1500 bytes are automatically trimmed.
Debugging level 4 represents a complete and unrestricted level of detail. It includes all debug messages from levels 1, 2, and 3, with absolutely no log truncation. Our current logging setup effectively runs at level 4, which is why we occasionally see very large log files. Scanners configured to use debugging level 4 should be resourced to handle potentially large amounts of logging data.
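Added example, not Tenable's debug.inc or sshlib code: a Python model of the level scheme described above. The byte caps per level are the ones stated in this post; the one assumption of its own is that a trimmed message is cut back to a UTF-8 character boundary so the stored line still decodes, and the SSH session it replays is constructed.

```python
from typing import List

# Per-level cap on a single log message in bytes, as stated in the post;
# None means no truncation at all (level 4).
MAX_MESSAGE_BYTES = {1: 500, 2: 1000, 3: 1500, 4: None}


def trim_message(message: str, level: int) -> bytes:
    """Return the UTF-8 bytes of `message`, cut to the cap for `level`.
    Never cuts inside a multi-byte character (this example's assumption)."""
    cap = MAX_MESSAGE_BYTES[level]
    data = message.encode("utf-8")
    if cap is None or len(data) <= cap:
        return data
    cut = cap
    # UTF-8 continuation bytes look like 0b10xxxxxx; back up to a char start.
    while cut > 0 and (data[cut] & 0xC0) == 0x80:
        cut -= 1
    return data[:cut]


class DebugLog:
    """Collects debug lines, honouring the configured level and byte cap."""

    def __init__(self, level: int) -> None:
        if level not in MAX_MESSAGE_BYTES:
            raise ValueError("debug level must be 1..4")
        self.level = level
        self.lines: List[bytes] = []

    def debug(self, min_level: int, message: str) -> bool:
        """Keep `message` only if its level is enabled; return True if kept."""
        if min_level > self.level:
            return False
        self.lines.append(trim_message(message, self.level))
        return True

    def total_bytes(self) -> int:
        return sum(len(line) for line in self.lines)


def simulate_session(level: int) -> DebugLog:
    """Replay a constructed SSH session's debug calls at the given level."""
    log = DebugLog(level)
    log.debug(1, "ssh: connected to 192.0.2.10:22, auth ok, ran 'uname -a'")  # level 1
    log.debug(2, "ssh: kex/cipher negotiated, packet type SSH_MSG_CHANNEL_DATA")  # level 2
    log.debug(3, "ssh: recv packet hexdump: " + "ab " * 2000)  # level 3, ~6 KB dump
    return log
```

Comparing `simulate_session(3).total_bytes()` with `simulate_session(4).total_bytes()` shows where the large level-4 files come from: the packet dump is kept whole instead of being cut at 1500 bytes.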
Any customer scans that do not have plugin debugging enabled will see no change in their scan output or performance.
Change
Tenable products will soon have the ability to specify the debugging level when plugin debugging is enabled. By default, this will be set to 1, indicating a minimal amount of logging. Customers may choose to raise this level if they want to see more detail in their plugin debugging logs.
Customers who have been experiencing issues with the Debugging Log Report plugin not functioning correctly because of too much data will be well served by leaving the plugin debugging level at 1 or 2. Additional detail can be gathered using level 3. Customers with these issues should avoid debugging level 4.
Plugins:
"Authenticated Check : OS Name and Installed Package Enumeration" (Plugin ID: 12634)
"OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH Library)" (Plugin ID: 97993)
All plugins that leverage ssh connections (too many to list)
Target Release Date
31 MAY 2022