Where to Find sshd Logs in Linux?

“sshd” is short for the “Secure Shell Daemon” of an OpenSSH server. It runs as the server side of the SSH protocol and manages incoming connections, handling encryption, file transfers, terminal connections, tunneling, and user authentication. The “sshd logs” record the user authentication details, i.e., authorized/unauthorized login attempts.

This post illustrates the sshd logs’ exact location and how the user can check them in Ubuntu.

Method 1: Using the “auth.log” File

The “sshd logs” are in the “auth.log” file, which is located in the “/var/log/” directory. It stores details of the system’s authorization attempts, such as user logins, the authentication mechanism used, and the sshd logs.

Run “grep” to filter the “sshd logs” details out of the “/var/log/auth.log” file (on Fedora/CentOS/RHEL the equivalent file is “/var/log/secure”):

$ grep 'sshd' /var/log/secure                      #For Fedora/CentOS/RHEL
$ grep 'sshd' /var/log/auth.log                    #For Ubuntu/Debian-Based

The output shows the details of all “sshd” sessions, such as date, hostname, logname, port number, and many others, with the process ID “28569”.
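Going one step beyond the plain “grep” above, the following added example (not part of the original post) summarises failed password attempts per source IP and lists successful logins. The function names and the embedded sample lines are constructed for illustration; pass real log files such as “/var/log/auth.log” as arguments to analyse them instead.

```bash
#!/bin/sh
# Added example (not from the original article): summarise sshd login events.

# Constructed sample lines in the syslog layout sshd uses in auth.log / secure.
sample_log() {
cat <<'EOF'
Mar 10 09:14:01 host1 sshd[28569]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 09:14:05 host1 sshd[28569]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 09:15:40 host1 sshd[28571]: Accepted publickey for alice from 198.51.100.23 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED
Mar 10 09:16:02 host1 sshd[28580]: Failed password for bob from 198.51.100.99 port 40100 ssh2
Mar 10 09:16:30 host1 sshd[28569]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Mar 10 09:17:00 host1 CRON[28600]: pam_unix(cron:session): session opened for user root
EOF
}

# Failed password attempts per source IP, busiest first: "<count> <ip>".
# Scans from the end of the line so a user literally named "from" cannot
# shift the fields.
failed_by_ip() {
    grep -hE 'sshd\[[0-9]+\]: Failed password for ' "$@" |
    awk '{ for (i = NF - 2; i > 0; i--)
               if ($i == "from" && $(i+2) == "port") { n[$(i+1)]++; break } }
         END { for (ip in n) print n[ip], ip }' |
    sort -k1,1nr -k2,2
}

# Successful logins: "<user> <ip> <method>".
accepted_logins() {
    grep -hE 'sshd\[[0-9]+\]: Accepted [^ ]+ for ' "$@" |
    awk '{ for (i = NF - 2; i > 0; i--)
               if ($i == "from" && $(i+2) == "port") {
                   print $(i-1), $(i+1), $(i-3); break } }'
}

# With file arguments, analyse those logs; otherwise run on the sample.
if [ "$#" -gt 0 ]; then
    echo "Failed passwords per IP:"; failed_by_ip "$@"
    echo "Accepted logins:";         accepted_logins "$@"
else
    echo "Failed passwords per IP:"; sample_log | failed_by_ip
    echo "Accepted logins:";         sample_log | accepted_logins
fi
```

A source address with many failures and no accepted login is the usual sign of password guessing and a candidate for rate limiting or blocking.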

Method 2: Using the “lastlog” Command

The “lastlog” command line utility displays the last login details of the system accounts. The login details include the port, login name, last login, and also the sshd logs.

Execute the “lastlog” command without any of its supported flags to list the “sshd logs” details:

$ lastlog

Information on all login attempts is displayed on the terminal.

To filter out only the “sshd logs” details, combine the “lastlog” and “grep” commands with the “|” (pipe) character in this way:

$ lastlog | grep sshd

The “sshd logs” contain no logged-in attempts.

Method 3: Using the “journalctl” Command

“journalctl” is another command line tool that shows log details (including sshd logs) from the systemd journaling system. The journal collects logs from systemd and its services and also receives messages from the kernel.

Use the “journalctl” command followed by the “-u” flag (which specifies the systemd unit) to show the “sshd logs” in the terminal:

$ journalctl -u sshd

The “sshd logs” contain “No entries”, the same as the “lastlog” output.

Conclusion

In Linux, the “sshd logs” are stored in the “/var/log/auth.log” file. These log details can be displayed using the “grep”, “lastlog”, and “journalctl” command line utilities. All these utilities are pre-installed in commonly used Linux distributions like “Fedora”, “CentOS”, “RHEL”, “Ubuntu/Debian”, and many others.

This post has listed the sshd logs’ exact location and all possible methods to view them.