Where are my sshd logs?

I can’t find my sshd logs in the standard places.

What I’ve tried:

  • Not in /var/log/auth.log
  • Not in /var/log/secure
  • Did a system search for 'auth.log' and found nothing
  • I’ve set /etc/ssh/sshd_config to explicitly use SyslogFacility AUTH and LogLevel INFO and restarted sshd and still can’t find them.

I’m using OpenSSH 6.5p1-2 on Arch Linux.

Answers:


Method 1

Try this command to view the log from systemctl:

journalctl -u sshd | tail -n 100

Method 2

A better way to see the last part of the log is:

journalctl -u sshd -n 100

Using tail on the output of journalctl can be very slow. It took 5 minutes on a machine where I tried it, while the above command returns instantly.

Method 3

You should be able to filter messages from sshd using:

journalctl -u ssh

or (depending on your distribution)

journalctl -u sshd

which will show logs in a less style format (you can search /, navigate via PgUp, PgDown etc.).

  • -e brings you to the end of logs.
  • -u parameter filters through meta field _SYSTEMD_UNIT which is (at least on Debian) set to ssh.service, thus sshd won’t match.
  • -f follows logs in real-time
  • -n 100 displays given number of lines (useful with -f)

Alternatively you can use meta-fields filtering:

journalctl _COMM=sshd

You can display whole journal record with all meta-fields by exporting to JSON:

journalctl -u ssh -o json-pretty

that would give you something like:

    ...
    "_PID" : "7373",
    "_COMM" : "sshd",
    "_EXE" : "/usr/sbin/sshd",
    "_SYSTEMD_CGROUP" : "/system.slice/ssh.service",
    "_SYSTEMD_UNIT" : "ssh.service",
    ...

In case you wonder how to display only kernel messages:

journalctl -k -f
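Added example (not part of the original answers): a small Python filter over `journalctl -o json` output that matches on _COMM, as `journalctl _COMM=sshd` does, and reports which _SYSTEMD_UNIT values carry the sshd records, which is the name `-u` has to match. The sample records, PIDs and addresses are constructed; the function names are hypothetical.

```python
import json
from collections import Counter

# Constructed sample of `journalctl -o json` output, one JSON object per line.
SAMPLE = "\n".join([
    '{"_COMM":"sshd","_SYSTEMD_UNIT":"ssh.service","_PID":"7373",'
    '"MESSAGE":"Failed password for invalid user admin from 192.0.2.10 port 50022 ssh2"}',
    # journalctl writes a non-UTF-8 field as a list of byte values
    '{"_COMM":"sshd","_SYSTEMD_UNIT":"ssh.service","_PID":"7374",'
    '"MESSAGE":[65,99,99,101,112,116,101,100,255]}',
    '{"_COMM":"cron","_SYSTEMD_UNIT":"cron.service","_PID":"812","MESSAGE":"(root) CMD (true)"}',
    # ... and an oversized field as null
    '{"_COMM":"sshd","_SYSTEMD_UNIT":"ssh.service","_PID":"7375","MESSAGE":null}',
    'not json',
])


def field_text(value):
    """Return a journal JSON field as text, whatever encoding journalctl chose."""
    if value is None:
        return ""
    if isinstance(value, list):
        if all(isinstance(b, int) for b in value):
            return bytes(value).decode("utf-8", errors="replace")
        return " ".join(field_text(v) for v in value)  # field repeated in one record
    return str(value)


def sshd_records(lines, comm="sshd"):
    """Yield (unit, message) for records whose _COMM equals `comm`."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if isinstance(rec, dict) and field_text(rec.get("_COMM")) == comm:
            yield field_text(rec.get("_SYSTEMD_UNIT")), field_text(rec.get("MESSAGE"))


def units_for(lines, comm="sshd"):
    """Count the unit names that carry the daemon's records."""
    return Counter(unit for unit, _ in sshd_records(lines, comm))


if __name__ == "__main__":
    print(dict(units_for(SAMPLE.splitlines())))
    for unit, message in sshd_records(SAMPLE.splitlines()):
        print(unit, "|", message)
```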

Method 4

I have found the output of sshd and other core services in ‘journalctl’.

See more at the Arch Wiki entry for systemd:

https://wiki.archlinux.org/index.php/Systemd/Journal

Method 5

Take a look at your syslog configuration, most probably /etc/syslog.conf or /etc/rsyslog.conf. You should look for lines with auth, for example in my config:

auth,authpriv.* /var/log/auth.log

*.*;auth,authpriv.none -/var/log/syslog


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
