How to view, set up and analyze sshd (Secure Shell daemon) logs on Red Hat or CentOS Linux?

In this article, we will look at how to view, analyze and set up SSHD logging on a Red Hat or CentOS Linux system.

1. Viewing the SSHD log file. On Debian/Ubuntu sshd messages land in /var/log/auth.log; on Red Hat/CentOS they go to /var/log/secure. Both commands below were run on the CentOS host, which is why the Ubuntu path is absent.

## Ubuntu path (does not exist on this CentOS host)
[root@nglinux ~]# ls -l /var/log/auth.log
ls: cannot access /var/log/auth.log: No such file or directory

## Redhat or Centos path
[root@nglinux ~]# ls -l /var/log/secure
-rw-------. 1 root root 0 May 30 20:36 /var/log/secure

2. Check the logs in the log file

[root@nglinux ~]# cat /var/log/secure
[root@nglinux ~]# 

The file is empty. That does not by itself mean SSH logging is disabled: sshd never writes this file directly, it sends its messages to syslog, and rsyslog writes them to /var/log/secure. An empty file usually means that no authentication event has happened since the file was created or rotated (note the 0-byte file dated May 30 20:36), or that rsyslog is not running. Let's check the sshd logging configuration anyway.

[root@nglinux ~]# cat /etc/ssh/sshd_config | grep -iA 4 logging
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

In the above output, "LogLevel INFO" is commented out. That is not why the file is empty. The stock sshd_config lists each option with its built-in default but leaves it commented, so "#LogLevel INFO" means the daemon is already logging at INFO, the level that records every accepted and failed login. The effective settings here are therefore SyslogFacility AUTHPRIV and LogLevel INFO, which is exactly what is needed for login records in /var/log/secure. Uncommenting the line is harmless and makes the intent explicit; set VERBOSE instead if you also want the fingerprint of the key used for each public-key login.


3. Set up SSH logging: make the LogLevel explicit and reload the service.

## Edit the file and uncomment the LogLevel line (INFO is the default; use VERBOSE to also log key fingerprints)
[root@nglinux ~]# vim /etc/ssh/sshd_config 
[root@nglinux ~]# 

[root@nglinux ~]# cat /etc/ssh/sshd_config | grep -iA 4 logging
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO
[root@nglinux ~]# 

## Then reload the service so sshd re-reads its configuration. A reload keeps existing sessions open; on CentOS 7 and later the equivalent is "systemctl reload sshd". If you changed anything else in the file, validate it with "sshd -t" first, because a syntax error leaves the daemon unable to start again.
[root@nglinux ~]# service sshd reload
Reloading sshd:                                            [  OK  ]

 

4. Verify that entries appear in the log file. The reload itself produces the first lines (sshd logs the SIGHUP and the re-bound listeners), which confirms that the whole path from sshd through rsyslog to /var/log/secure is working.

[root@nglinux ~]# cat /var/log/secure
May 31 01:54:09 localhost sshd[1796]: Received SIGHUP; restarting.
May 31 01:54:09 localhost sshd[28471]: Server listening on 0.0.0.0 port 22.
May 31 01:54:09 localhost sshd[28471]: Server listening on :: port 22.
[root@nglinux ~]# 
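To avoid misreading a commented-out keyword again, here is an added example (not code from the original article) that reports the effective value of a logging keyword from an sshd_config the way sshd resolves it: the first uncommented occurrence wins, and an absent or commented keyword takes the built-in default. The config fragment is constructed to mirror the one shown in steps 2 and 3, and the function names are this example's own. On a live host the authoritative answer is `sshd -T`, which prints every effective setting.

```shell
#!/bin/sh
# Added example, not from the original article: resolve the EFFECTIVE value of an
# sshd_config keyword the way sshd does. A commented line such as "#LogLevel INFO"
# in the stock file only documents the built-in default; it does not disable
# anything. Limitation: the "Keyword=value" spelling sshd also accepts is not parsed.

# Constructed sshd_config fragment mirroring the article's output.
SAMPLE_CONFIG='# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
'

# effective_setting <keyword> <default>
# Reads an sshd_config on stdin and prints the first uncommented value of
# <keyword> (sshd uses the first occurrence), or <default> if none is set.
effective_setting() {
    awk -v key="$1" -v def="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    '
}

# logging_summary: one line with the two keywords that decide where and how much
# sshd logs. The defaults passed in are sshd's documented defaults (INFO and AUTH).
logging_summary() {
    cfg=$(cat)
    ll=$(printf '%s\n' "$cfg" | effective_setting LogLevel INFO)
    sf=$(printf '%s\n' "$cfg" | effective_setting SyslogFacility AUTH)
    printf 'LogLevel=%s SyslogFacility=%s\n' "$ll" "$sf"
}

# Stand-alone demonstration on the constructed fragment.
printf '%s' "$SAMPLE_CONFIG" | logging_summary
# On a real host, the daemon's own view of its effective settings:
#   sshd -T | grep -iE '^(loglevel|syslogfacility) '
```

Run against the real file with `effective_setting LogLevel INFO < /etc/ssh/sshd_config`; the fragment above resolves to LogLevel=INFO and SyslogFacility=AUTHPRIV even though the LogLevel line is commented, which is the point of the exercise.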

5. Understanding the SSH login attempt history

[root@nglinux ~]# cat /var/log/secure
May 31 01:54:09 localhost sshd[1796]: Received SIGHUP; restarting.
May 31 01:54:09 localhost sshd[28471]: Server listening on 0.0.0.0 port 22.
May 31 01:54:09 localhost sshd[28471]: Server listening on :: port 22.
May 31 01:56:48 localhost sshd[4267]: Received disconnect from 172.21.49.223: 11: disconnected by user      --> an existing session (PID 4267, older than the reloaded daemon) was closed by the client
May 31 01:56:48 localhost sshd[4267]: pam_unix(sshd:session): session closed for user root
May 31 01:56:52 localhost sshd[28476]: Accepted password for root from 172.21.49.223 port 57163 ssh2       --> password login as root from 172.21.49.223; 57163 is the client's source port, not the server port
May 31 01:56:53 localhost sshd[28476]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 31 01:56:53 localhost sshd[28480]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory      --> harmless: /var/log/lastlog is missing on this host, so sshd cannot record the last-login time
May 31 01:56:53 localhost sshd[28480]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
May 31 01:56:54 localhost sshd[28476]: Received disconnect from 172.21.49.223: 11: disconnected by user
May 31 01:56:54 localhost sshd[28476]: pam_unix(sshd:session): session closed for user root
May 31 01:56:56 localhost unix_chkpwd[28504]: password check failed for user (root)                     --> wrong password entered by the user, reported by the PAM helper
May 31 01:56:56 localhost sshd[28502]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.49.223  user=root      --> the same failure as seen by PAM inside sshd
May 31 01:56:58 localhost sshd[28502]: Failed password for root from 172.21.49.223 port 57164 ssh2      --> the same failure as recorded by sshd itself; this is the line to count when looking for password guessing
May 31 01:57:00 localhost sshd[28502]: Accepted password for root from 172.21.49.223 port 57164 ssh2      --> the second attempt succeeded on the same connection (same sshd PID 28502 and client port 57164)
May 31 01:57:00 localhost sshd[28502]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 31 01:57:00 localhost sshd[28507]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
May 31 01:57:00 localhost sshd[28507]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
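The entries above are easier to reason about once they are reduced to who authenticated, how, from where, and which failures mattered. The shell functions below are an added example (not code from the article) that do that over /var/log/secure-style lines. The sample log is constructed to mirror the article's output, with two invented extra sources (203.0.113.7 from the RFC 5737 documentation range, and 10.0.0.5) added to show a password-guessing pattern and a public-key login; the function names are this example's own. The retry correlation keys on the sshd process ID, which is what ties a "Failed password" line to the "Accepted password" that followed on the same connection, as with sshd[28502] above.

```shell
#!/bin/sh
# Added example, not from the original article: summarise sshd authentication
# events from /var/log/secure-style lines. Fields are located by keyword rather
# than by position because "for invalid user NAME from" shifts the columns.
# Every function reads log lines on stdin, e.g.  failed_by_source < /var/log/secure

# Constructed sample modelled on the article's output; 203.0.113.7 (RFC 5737
# documentation range) and 10.0.0.5 are invented sources added for the example.
SAMPLE_LOG='May 31 01:56:52 localhost sshd[28476]: Accepted password for root from 172.21.49.223 port 57163 ssh2
May 31 01:56:53 localhost sshd[28476]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 31 01:56:54 localhost sshd[28476]: Received disconnect from 172.21.49.223: 11: disconnected by user
May 31 01:56:54 localhost sshd[28476]: pam_unix(sshd:session): session closed for user root
May 31 01:56:56 localhost unix_chkpwd[28504]: password check failed for user (root)
May 31 01:56:56 localhost sshd[28502]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.49.223  user=root
May 31 01:56:58 localhost sshd[28502]: Failed password for root from 172.21.49.223 port 57164 ssh2
May 31 01:57:00 localhost sshd[28502]: Accepted password for root from 172.21.49.223 port 57164 ssh2
May 31 01:57:00 localhost sshd[28502]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 31 02:03:11 localhost sshd[28610]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
May 31 02:03:14 localhost sshd[28612]: Failed password for invalid user admin from 203.0.113.7 port 41023 ssh2
May 31 02:03:17 localhost sshd[28614]: Failed password for root from 203.0.113.7 port 41024 ssh2
May 31 02:10:41 localhost sshd[28650]: Accepted publickey for deploy from 10.0.0.5 port 50200 ssh2
'

# failed_by_source: "<count> <ip>" for every "Failed ..." line, busiest source
# first. Only lines from the sshd process are counted, so the unix_chkpwd line
# (a PAM helper echoing the same failure) is not double-counted.
failed_by_source() {
    awk '
        $5 ~ /^sshd\[/ && $6 == "Failed" {
            for (i = 6; i < NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# invalid_user_attempts: like failed_by_source, but only for account names that
# do not exist on the host, the usual signature of a password-guessing scan.
invalid_user_attempts() {
    awk '
        $5 ~ /^sshd\[/ && $6 == "Failed" && /for invalid user/ {
            for (i = 6; i < NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# accepted_logins: "<user> <method> <ip> <client-port>" per successful login.
# The port is the client's source port, not the sshd listening port.
accepted_logins() {
    awk '
        $5 ~ /^sshd\[/ && $6 == "Accepted" {
            user = ""; ip = ""; port = ""
            for (i = 7; i < NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
                if ($i == "port") port = $(i + 1)
            }
            print user, $7, ip, port
        }
    '
}

# retry_then_success: "<pid> <user> <ip>" for connections where a wrong password
# was followed by a correct one on the SAME sshd process, i.e. the same TCP
# connection (sshd[28502] in the article). Process IDs are reused over time, so
# apply this to one day's log rather than to a long archive.
retry_then_success() {
    awk '
        $5 ~ /^sshd\[/ && $6 == "Failed" { failed[$5] = 1 }
        $5 ~ /^sshd\[/ && $6 == "Accepted" && ($5 in failed) {
            pid = $5; sub(/^sshd\[/, "", pid); sub(/\]:$/, "", pid)
            user = ""; ip = ""
            for (i = 7; i < NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            print pid, user, ip
        }
    '
}

# Stand-alone demonstration on the constructed sample.
for report in failed_by_source invalid_user_attempts accepted_logins retry_then_success; do
    echo "== $report =="
    printf '%s' "$SAMPLE_LOG" | "$report"
done
```

On the sample, failed_by_source ranks 203.0.113.7 first with three failures (two of them against the non-existent "admin" account), and retry_then_success reports only PID 28502, the root login that succeeded after one wrong password. A source that appears in failed_by_source many times and never in accepted_logins is the pattern worth blocking; a source that appears in both deserves a closer look at which account it finally got into.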
"SyslogFacility AUTH" sends the messages to /var/log/messages, where the default rsyslog rule for *.info puts them.
"SyslogFacility AUTHPRIV" sends them to a separate, root-only file, /var/log/secure in our case, so on a default Red Hat/CentOS install this is the file to search for login records rather than /var/log/messages.

The rule that maps the authpriv facility to /var/log/secure lives in /etc/rsyslog.conf (or /etc/syslog.conf on older releases); it is on line 45 in this installation:
/etc/rsyslog.conf:45:authpriv.*
