How do I change the sshd logging file location on CentOS? sshd logs to /var/log/messages instead of /var/log/secure. How can I change the setting so sshd will stop sending logs to /var/log/messages?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
Please post your sshd_config something else would seem to be up. A stock CentOS system always logs to /var/log/secure.
Example
$ sudo tail -f /var/log/secure Feb 18 23:23:34 greeneggs sshd[3545]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 18 23:23:36 greeneggs sshd[3545]: Failed password for root from ::1 port 46401 ssh2 Feb 18 23:23:42 greeneggs unix_chkpwd[3555]: password check failed for user (root) Feb 18 23:23:42 greeneggs sshd[3545]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" Feb 18 23:23:43 greeneggs sshd[3545]: Failed password for root from ::1 port 46401 ssh2 Feb 18 23:23:48 greeneggs sshd[3545]: Accepted password for root from ::1 port 46401 ssh2 Feb 18 23:23:48 greeneggs sshd[3545]: pam_unix(sshd:session): session opened for user root by (uid=0) Feb 18 23:24:05 greeneggs sshd[3545]: Received disconnect from ::1: 11: disconnected by user Feb 18 23:24:05 greeneggs sshd[3545]: pam_unix(sshd:session): session closed for user root Feb 18 23:27:15 greeneggs sudo: saml : TTY=pts/3 ; PWD=/home/saml ; USER=root ; COMMAND=/bin/tail /var/log/secure
This is controlled through /etc/ssh/sshd_config:
# Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO
As well as the contents of /etc/rsyslog.conf:
# Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure
Your issue
In one of your comments you mentioned that your rsyslogd config file was named /etc/rsyslog.config. That isn’t the correct name for this file, and is likely the reason your logging is screwed up. Change the name of this file to /etc/rsyslog.conf and then restart the logging service.
$ sudo service rsyslog restart
Method 2
Default sshd syslog facility is AUTH, so it will be logged in syslog to /var/log/messages.
To make sshd log to new file, you can change it syslog facility to something others, then config syslog to log this new facility to new file, i.e:
In sshd_config, add this line:
SyslogFacility AUTHPRIV
Then in syslog.conf:
authpriv.* /var/log/secure
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0