SSH log file — making one, new location

Posted: 2010/06/24 in Linux

Problem: I’d like my SSH activity to be logged somewhere other than in the general auth.log file.

Scenario: Ubuntu 10.04, OpenSSH, regular/default rsyslog daemon.


  1. create a new directive for SSH in /etc/rsyslog.d
    :: echo ‘local6.debug /var/log/sshd.log’ > 30-sshd.conf

    1. this makes anything set to log at level LOCAL6 to log to /var/log/sshd.log
    2. this only works if there is nothing else using LOCAL6… it’s possible there is at which point a different LOCALx can be used or some real hacking can be done (not the scope of this post!)
    3. it seems that it’s possible that all this can be done with syslog, not rsyslog, if that’s what a given system is set-up to use.  It looks like, from my searching around, that rsyslog used to be monikered syslog
  2. edit /etc/ssh/sshd_config to point SSH activity to the newly created LOCAL6
    1. Change SyslogFacility from AUTH (the default) to LOCAL6 (per above)
  3. restart both the ssh and rsyslog services
    :: sudo service ssh restart && sudo service rsyslog restart

I ran a tail on the log file ( tail -f /var/log/sshd.log ) and ssh’ed into the box… voila!  Nothing but SSH activity!

It should be noted that PAM activity was still being sent to /var/log/auth.log.  It was all but redundant with sshd.log so I’m fine with that.

  1. […] to add message that will be read with dmesg?Synology: SSHD – LogLevel?DISSECTION BY DAVID BLOG: SSH log file — making one, new locationUbuntu Documentation: SSHOpenSSHKeysLHN: Quick HOWTO : Ch05 : Troubleshooting Linux with syslogRed […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s