Two of the most important questions in security are: who accessed what, and when did they access it? If you have any Linux or Unix machines, you’ll likely find answers in the sshd log. sshd is the Secure Shell Daemon, which allows remote access to the system. In this article, we’ll look at how to view ssh logs.
Most Linux systems these days ship with systemd, including Ubuntu, Debian, Amazon Linux 2, and CentOS. On these systems, you can view logs via the journalctl command. In our case, we’re interested in the ssh unit:
$ journalctl -u ssh
Mar 25 20:25:36 web0 sshd[14144]: Accepted publickey for ubuntu from 10.103.160.144 port 59200 ssh2: RSA SHA256:l/zFNib1vJ+64nxLB4N9KaVhBEMf8arbWGxHQg01SW8
Mar 25 20:25:36 web0 sshd[14144]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Mar 25 20:39:12 web0 sshd[14885]: pam_unix(sshd:session): session closed for user ubuntu
...
You can see the fingerprint of the SSH key is included in the logs. Failed login attempts will appear like this:
Mar 30 17:10:35 web0 sshd[5561]: Connection closed by authenticating user ubuntu 10.103.160.144 port 38860 [preauth]
If you want to view ssh logs from a specific time range, you can use the since and until flags. Some examples:
$ journalctl -u ssh --since yesterday
$ journalctl -u ssh --since -3d --until -2d # logs from three days ago
$ journalctl -u ssh --since -1h # logs from the last hour
$ journalctl -u ssh --until "2022-03-12 07:00:00"
To watch the ssh logs in real time, use the follow flag:
$ journalctl -fu ssh
Use Ctrl-C to exit out of the log monitor.
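The entries above follow a fixed shape, which makes them easy to pull apart for a quick audit. The following Python is an added example, not code from the original article: it parses journalctl/auth.log style lines into accepted logins and connections dropped before authentication, records which key fingerprint each user logged in with, and flags source addresses with repeated pre-auth drops. The sample log is constructed from the entries shown above plus a few extra lines with a documentation-range address.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `journalctl -u ssh` output, modelled on the entries shown above.
SAMPLE_LOG = """\
Mar 25 20:25:36 web0 sshd[14144]: Accepted publickey for ubuntu from 10.103.160.144 port 59200 ssh2: RSA SHA256:l/zFNib1vJ+64nxLB4N9KaVhBEMf8arbWGxHQg01SW8
Mar 25 20:25:36 web0 sshd[14144]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Mar 25 20:39:12 web0 sshd[14885]: pam_unix(sshd:session): session closed for user ubuntu
Mar 30 17:10:35 web0 sshd[5561]: Connection closed by authenticating user ubuntu 10.103.160.144 port 38860 [preauth]
Mar 30 17:10:41 web0 sshd[5563]: Connection closed by authenticating user root 198.51.100.7 port 40122 [preauth]
Mar 30 17:10:44 web0 sshd[5565]: Connection closed by authenticating user root 198.51.100.7 port 40130 [preauth]
Mar 30 17:10:47 web0 sshd[5567]: Connection closed by authenticating user admin 198.51.100.7 port 40138 [preauth]
"""

# Common syslog-style prefix: timestamp, host, and the sshd PID.
PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
ACCEPTED = re.compile(PREFIX + r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) "
                      r"port (?P<port>\d+) ssh2(?:: (?P<key>.*))?$")
PREAUTH_CLOSE = re.compile(PREFIX + r"Connection closed by authenticating user (?P<user>\S+) "
                           r"(?P<ip>\S+) port (?P<port>\d+) \[preauth\]$")


def parse_sshd_log(text):
    """Return (accepted, preauth) lists of dicts parsed from journalctl/auth.log text."""
    accepted, preauth = [], []
    for line in text.splitlines():
        if m := ACCEPTED.match(line):
            accepted.append(m.groupdict())
        elif m := PREAUTH_CLOSE.match(line):
            preauth.append(m.groupdict())
    return accepted, preauth


def noisy_sources(preauth, threshold=3):
    """Source IPs with at least `threshold` connections dropped before authentication completed."""
    counts = Counter(e["ip"] for e in preauth)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def key_fingerprints(accepted):
    """Map user -> set of key fingerprints that logged in (the SHA256:... token from the log line)."""
    keys = defaultdict(set)
    for e in accepted:
        if e["method"] == "publickey" and e["key"]:
            keys[e["user"]].add(e["key"].split()[-1])
    return dict(keys)


if __name__ == "__main__":
    acc, pre = parse_sshd_log(SAMPLE_LOG)
    print("accepted logins:", [(e["user"], e["ip"], e["method"]) for e in acc])
    print("key fingerprints per user:", key_fingerprints(acc))
    print("sources with repeated pre-auth drops:", noisy_sources(pre))
```

Pipe real output in with `journalctl -u ssh --since yesterday --no-pager | python3 sshlog.py` after replacing SAMPLE_LOG with `sys.stdin.read()`; a fingerprint you have never seen before for a known user, or a source address that keeps dropping before authentication, is what an audit should surface.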
Other methods
On older systems, or systems without systemd, you’ll likely find the sshd log at /var/log/auth.log. You’ll need root permissions to view it, and you’ll probably want to search specifically for sshd logs, like so:
$ sudo grep sshd /var/log/auth.log
If you’re looking for a quick overview of who’s logged in recently rather than an in-depth audit log, try the lastlog command:
$ lastlog
Username Port From Latest
root **Never logged in**
daemon **Never logged in**
bin **Never logged in**
sys **Never logged in**
...
ubuntu pts/0 10.103.160.144 Wed Mar 30 17:52:11 +0000 2022
Useful log settings
Knowing how to view ssh logs isn’t much help if the logs you’re looking for haven’t been retained. By default, journald retains logs until they consume up to 10% of available disk space. To change this setting, see the SystemMaxUse setting in the journald documentation.
It’s also recommended to increase the sshd log level from the default. Put this setting in /etc/ssh/sshd_config:
LogLevel VERBOSE
This will include more details in the sshd log, like the PID of the user’s login shell. For debugging purposes, you can also try LogLevel DEBUG.
Conclusion
On most modern systems, journalctl provides a convenient, standardized way to view ssh logs. On other systems, you can find the sshd log at /var/log/auth.log. For quick inspections, you can also use the lastlog command. Lastly, remember to configure your servers with the proper log retention and verbosity settings. Happy ssh’ing!
About the Author
Evan Todd, Senior Software Engineer, has been building technology for over 12 years, working on everything from VR to mobile games to network and security software. He is captivated by a desire to build tools to meet the needs of people first and enjoys sharing his programming adventures via blog posts and speaking events. He holds a B.S. in Computer Science & Engineering from The Ohio State University. To contact Evan, visit him on LinkedIn.