step-ssh-metadata service logging level

Active registered hosts periodically sync with Smallstep to get up-to-date client access control. The logging level can be adjusted by editing/overriding the step-ssh-metadata service settings.

You may notice the following types of service messages in your SSH host's logs from the `step-ssh-metadata` service. The synchronization ensures that client access control is current, in the event that a host's access has been updated by Smallstep Administrators.

Example step-ssh-metadata logging from journalctl output

journalctl | grep step-ssh

Jun 02 00:17:41 centos-7-1 step-ssh-metadata[3593]: 2023/06/02 00:17:41 access data updated
Jun 02 00:17:53 centos-7-1 step-ssh-metadata[3593]: 2023/06/02 00:17:53 access data updated
Jun 02 00:18:05 centos-7-1 step-ssh-metadata[3593]: 2023/06/02 00:18:05 access data updated
Jun 02 00:18:17 centos-7-1 step-ssh-metadata[3593]: 2023/06/02 00:18:17 access data updated
Jun 02 00:18:29 centos-7-1 step-ssh-metadata[3593]: 2023/06/02 00:18:29 access data updated

Because the service logs a message approximately every 12 seconds by default, you may want to reduce its logging to something less chatty.

The following example changes the default logging for the "step-ssh-metadata.service" to ERROR (3) on Debian V11 Bullseye running systemd version 247.3-7+deb11u1.

Depending on the host's distribution and systemd version, the steps for updating a service's logging level may vary.

ℹ️ Changing the step-ssh-metadata.service logging level doesn't affect the frequency of access control syncs with Smallstep.

Overriding the Logging Level for step-ssh-metadata.service

Edit the step-ssh-metadata service
sudo systemctl edit step-ssh-metadata.service
Add LogLevelMax=3 (error) and, optionally, StandardOutput=null to the step-ssh-metadata.service as follows:
### Editing /etc/systemd/system/step-ssh-metadata.service.d/override.conf
### Anything between here and the comment below will become the new content of>
[Service]
LogLevelMax=3
StandardOutput=null
### Lines below this comment will be discarded


Reload and restart the step-ssh-metadata service
# Check for changes and reload
sudo systemctl daemon-reload

# Restart step-ssh-metadata service
sudo systemctl restart step-ssh-metadata.service
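
After the restart, it is worth confirming that the override still lets error messages reach the journal. The following check is an added example, not part of the original page or Smallstep's tooling: the function name audit_unit_logging is hypothetical, and the sample input assumes StandardError=inherit (systemd's default), since the page does not say what the unit sets or which stream the service logs to.

```shell
#!/bin/sh
# Added example, not Smallstep's code. Reads "Key=Value" lines on stdin, as printed by:
#   systemctl show step-ssh-metadata.service -p LogLevelMax -p StandardOutput -p StandardError
# Prints one finding per line; returns 1 if error messages may no longer be logged.
audit_unit_logging() {
    level=-1; out=journal; err=inherit   # systemd defaults when a key is absent
    while IFS='=' read -r key value; do
        case "$key" in
            LogLevelMax)    level=$value ;;
            StandardOutput) out=$value ;;
            StandardError)  err=$value ;;
        esac
    done
    # Refuse to reason about a value that is not a plain integer.
    case "$level" in
        ''|*[!0-9-]*) echo "WARN: unexpected LogLevelMax=$level"; return 2 ;;
    esac
    # StandardError=inherit duplicates the stdout descriptor, so stderr
    # ends up wherever StandardOutput points.
    if [ "$err" = inherit ]; then err=$out; fi
    rc=0
    if [ "$level" -lt 0 ]; then
        echo "INFO: LogLevelMax unset, all priorities are logged"
    elif [ "$level" -lt 3 ]; then
        echo "WARN: LogLevelMax=$level drops err (3) messages"; rc=1
    else
        echo "OK: LogLevelMax=$level keeps err (3) and more severe"
    fi
    if [ "$err" = null ]; then
        echo "WARN: stderr goes to /dev/null, errors written there are lost"; rc=1
    fi
    if [ "$out" = null ]; then
        echo "INFO: stdout goes to /dev/null"
    fi
    return $rc
}

# Constructed sample: the override from this page plus an assumed StandardError=inherit.
printf 'LogLevelMax=3\nStandardOutput=null\nStandardError=inherit\n' | audit_unit_logging || true
```

On a live host, pipe the systemctl show command from the header comment into the function; a WARN about stderr means StandardError= should be set explicitly (for example to journal) if StandardOutput=null is kept.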

⚠️ There's a flag in the step-ssh-metadata.service configuration called "sync-period". Smallstep does not recommend that this interval be changed. If you have questions about the interval, contact support.

Learn more about SSH Host and the step-ssh-metadata service.