Problem: I’d like my SSH activity to be logged somewhere other than in the general auth.log file.
- create a new directive for SSH in /etc/rsyslog.d
:: echo 'local6.debug /var/log/sshd.log' | sudo tee /etc/rsyslog.d/30-sshd.conf
- this sends anything logged to the LOCAL6 facility, at any priority (debug is the lowest, so “.debug” catches everything), to /var/log/sshd.log
- this only works cleanly if nothing else is already using LOCAL6… if something is, a different LOCALx can be used, or some real hacking can be done (not the scope of this post!)
- the same selector line should work with the classic syslogd (in /etc/syslog.conf) if that’s what a given system is set up to use; rsyslog is a separate project that started as a fork of sysklogd and kept the same configuration syntax, which is why the two look so alike
- edit /etc/ssh/sshd_config to point SSH activity at the LOCAL6 facility the new rule captures
- Change SyslogFacility from AUTH (the default) to LOCAL6 (per above)
- check the sshd config, then restart both services (rsyslog first, so the new rule is already live when sshd’s own restart messages arrive; the service is called ssh on Debian/Ubuntu and sshd on most other distros)
:: sudo sshd -t && sudo service rsyslog restart && sudo service ssh restart
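The whole procedure above, scripted, as an added example that is not part of the original post. It assumes Debian/Ubuntu-style paths and service names (/etc/rsyslog.d, “service ssh”) and the LOCAL6 facility from the post; the helper names (rsyslog_rule, facility_in_use, current_facility, set_syslog_facility, apply) are mine. The config-editing helpers work on whatever file they are handed, so they can be tried on a copy of sshd_config before the root-only “apply” step touches the real one.

```shell
#!/bin/sh
# Added example (not from the post): scripts the rsyslog rule, the sshd_config
# edit, the config check and the restarts end to end.
# Assumptions: Debian/Ubuntu paths and service names; adjust for other distros
# (e.g. the service is "sshd" on RHEL/Fedora).
set -eu

FACILITY="${FACILITY:-local6}"              # facility the post uses
LOGFILE="${LOGFILE:-/var/log/sshd.log}"
RSYSLOG_DIR="${RSYSLOG_DIR:-/etc/rsyslog.d}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Selector line for rsyslog. "<facility>.*" has the same effect as the post's
# "<facility>.debug": debug is the lowest priority, so both catch everything.
rsyslog_rule() {
    printf '%s.*\t%s\n' "$1" "$2"
}

# The post's caveat: is the facility already referenced by another
# (non-comment) rule in the given files/directories?  Exit status 0 = yes.
# Any reference counts, including "<facility>.none", to stay conservative.
facility_in_use() {
    facility="$1"; shift
    grep -rqiE "^[^#]*${facility}\." "$@" 2>/dev/null
}

# What sshd will actually use: sshd takes the FIRST value of each keyword,
# commented lines don't count, and the default is AUTH.
current_facility() {
    awk 'tolower($1) == "syslogfacility" && !seen { print toupper($2); seen = 1 }
         END { if (!seen) print "AUTH" }' "$1"
}

# Point sshd at the facility: rewrite an existing (possibly commented-out)
# SyslogFacility line, or append one if the file has none.
set_syslog_facility() {
    cfg="$1"; tmp="$1.tmp"
    facility=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    if grep -qE '^[[:space:]]*#?[[:space:]]*SyslogFacility[[:space:]]' "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*SyslogFacility[[:space:]].*/SyslogFacility $facility/" "$cfg" > "$tmp"
    else
        { cat "$cfg"; printf 'SyslogFacility %s\n' "$facility"; } > "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# Deployment, root only: "sh sshd-log.sh apply".  rsyslog is restarted first so
# the rule is live before sshd's own restart messages arrive, and "sshd -t"
# validates the config before the restart so a typo cannot lock you out.
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    if facility_in_use "$FACILITY" /etc/rsyslog.conf "$RSYSLOG_DIR"; then
        echo "$FACILITY is already referenced in the rsyslog config; pick another LOCALx" >&2
        exit 1
    fi
    rsyslog_rule "$FACILITY" "$LOGFILE" > "$RSYSLOG_DIR/30-sshd.conf"
    cp "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
    set_syslog_facility "$SSHD_CONFIG" "$FACILITY"
    if ! sshd -t; then
        mv "$SSHD_CONFIG.bak" "$SSHD_CONFIG"
        echo "sshd_config failed validation; original restored" >&2
        exit 1
    fi
    service rsyslog restart
    service ssh restart
    logger -p "$FACILITY.info" "sshd log routing test"   # should land in $LOGFILE
    tail -n 3 "$LOGFILE"
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

The facility check greps every non-comment rule in /etc/rsyslog.conf and /etc/rsyslog.d before the new file is written, which is the cheap way to settle the “is anything else on LOCAL6” question; current_facility deliberately mirrors sshd’s first-value-wins rule, so it reports what the daemon will do rather than what the last line of the file says.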
I ran a tail on the log file ( tail -f /var/log/sshd.log ) and ssh’ed into the box… voila! Nothing but SSH activity!
It should be noted that PAM activity (the pam_unix session open/close lines) was still being sent to /var/log/auth.log: the PAM modules log through their own syslog call under the AUTHPRIV facility, which sshd’s SyslogFacility setting doesn’t touch. It was all but redundant with sshd.log so I’m fine with that.