Home / server / Questions / 130482
Accepted
grigoryvp
Asked: 2010-04-09 02:22:10 +0800 CST

How to check sshd log?

  • 772

I have Ubuntu 9.10 installed with sshd and I can successfully connect to it using login and password. I have configured an RSA key login and now have "Server refused our key" as expected. Ok, now I want to check sshd log in order to figure out a problem. I have examined /etc/ssh/sshd_config and it have

SyslogFacility AUTH
LogLevel INFO

Ok. I'm looking at /var/log/auth.log and... it's empty O_O. Changing Loglevel to VERBOSE helps nothing - auth.log is still empty. Any hints how I can check sshd log?

ssh

8 Answers

  1. Creating an answer based on the comments above, credit to @Prof. Moriarty and @Eye of Hell

    SSH auth failures are logged here /var/log/auth.log

    The following should give you only ssh related log lines:

    grep 'sshd' /var/log/auth.log

    To be on the safe side, get the last few hundred lines and then search (because if the log file is too large, grep on the whole file would consume more system resources, not to mention will take longer to run)

    View sshd entries in the last 500 lines of the log:

    tail -n 500 /var/log/auth.log | grep 'sshd'

    or to follow the log output as you test:

    tail -f -n 500 /var/log/auth.log | grep 'sshd'
    • 224

  2. If you can try the failing connection again easily, one way easy way is to start an SSH server on a free port such as 2222:

    /usr/sbin/sshd -d -p 2222

    and then retry the connection with:

    ssh -p 2222 user@host

    By using the different port -p 2222, we don't have to stop the main SSH server, which could lock us out.

    See also: https://unix.stackexchange.com/a/55481/32558

    • 40

  3. The modern way to view logs:

    1. All messages about sshd:
      journalctl -t sshd
      or
      journalctl -u ssh where -u == unit

    2. Messages about sshd from the last boot:
      journalctl -t sshd -b0

    3. Messages about sshd from the last boot in the reverse order:
      journalctl -t sshd -b0 -r

    • 34
  4. Best Answer

    If no one else is using the system at the moment you could do what i've done in such cases:

    • stop sshd service (at least i've been able to do this while logged in via ssh)
    • start sshd manually and add some -d options to get more verbose debug output. Unless you have something funky going on it should use the same keys and config it does when started properly
    • 11

  5. If you want to see all log messages about sshd, run this:

    grep -rsh sshd /var/log |sort
    • 7

  6. You can use the following command to see the logs from SSH:

    tail -f /var/log/auth.log
    • 4

  7. Not for topicstarter, but for another opensuse tumbleweed users:

    systemctl status sshd.service
journalctl -xeu sshd.service

    The first gives you the status and time of fault:

     sshd.service - OpenSSH Daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Wed 2022-06-15 19:15:20 MSK; 10min ago

    The second may give you more details, something like:

    Jun 15 19:15:19 localhost.localdomain sshd[2124]: 
/etc/ssh/sshd_config.d/sshd.conf line 121: Directive 'usepam' is not allowed within a Match block
    • 0

  8. In CentOS 7. I have found out SSH logs over here:

    $ tail /var/log/audit/audit.log
    • -2