
How to View SSH Logs?


Two of the most important questions in security are who accessed what, and when. On Linux or Unix machines the answers are usually in the sshd log: sshd, the OpenSSH server daemon, records every authentication attempt, successful or not, together with the account name, the method used, and the client's address and port. In this article we'll look at how to view those logs.

Most current Linux distributions, including Ubuntu, Amazon Linux 2, and CentOS, ship with systemd, and sshd's messages land in the journal. You can read them with the journalctl command, filtered to the OpenSSH service unit. Two things to know before you start: the unit is called ssh on Debian and Ubuntu but sshd on Red Hat-derived systems such as CentOS and Amazon Linux 2 (if one name returns no entries, try the other), and reading another service's entries requires root or membership in the systemd-journal group (most distributions also grant read access to adm or wheel). On Ubuntu:

$ journalctl -u ssh
Mar 25 20:25:36 web0 sshd[14144]: Accepted publickey for ubuntu from 10.103.160.144 port 59200 ssh2: RSA SHA256:l/zFNib1vJ+64nxLB4N9KaVhBEMf8arbWGxHQg01SW8
Mar 25 20:25:36 web0 sshd[14144]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Mar 25 20:39:12 web0 sshd[14885]: pam_unix(sshd:session): session closed for user ubuntu
...

The first line records the authentication method (publickey), the client's address and port, and the SHA256 fingerprint of the key that was accepted, so you can tie a login to one specific entry in authorized_keys (ssh-keygen -lf prints fingerprints in the same format). The pam_unix lines mark the start and end of the session. A client that gave up part-way through authentication looks like this:

Mar 30 17:10:35 web0 sshd[5561]: Connection closed by authenticating user ubuntu 10.103.160.144 port 38860 [preauth]

The client sent a username and then disconnected without authenticating. At the default log level this is usually all you see when an offered key is not accepted, because sshd logs Failed publickey for an existing account only at LogLevel VERBOSE or after repeated failures. Rejected passwords, by contrast, are always logged as Failed password for <user> from <address>, and attempts against accounts that do not exist as Invalid user <name> from <address>. Treat the user names in those lines as attacker-supplied input: they are whatever the client chose to send.

To view ssh logs from a specific time range, use the --since and --until flags. They accept absolute timestamps (interpreted in the machine's local time zone), relative offsets, and words like yesterday. Some examples:

$ journalctl -u ssh --since yesterday
$ journalctl -u ssh --since -3d --until -2d # the 24-hour window starting three days ago
$ journalctl -u ssh --since -1h # the last hour
$ journalctl -u ssh --until "2022-03-12 07:00:00"

To watch the ssh logs in realtime, use the follow flag:

$ journalctl -fu ssh

Use Ctrl-C to exit out of the log monitor.

Other methods

On older systems, or systems without systemd, sshd logs through syslog to a text file: /var/log/auth.log on Debian and Ubuntu, /var/log/secure on Red Hat-derived systems (those files also exist on many systemd machines where rsyslog is still running, so you may have both sources). You need root, or on Debian/Ubuntu membership in the adm group, to read them. Rotated copies (auth.log.1, auth.log.2.gz, ...) hold older entries and can be searched with zgrep. Because the file also carries sudo, cron, and su entries, you'll want to search specifically for sshd lines, like so:

$ sudo grep sshd /var/log/auth.log

If you're looking for a quick overview of who has logged in recently rather than an audit log, try the lastlog command, which prints each account's most recent login from /var/log/lastlog (the related last command reads /var/log/wtmp and lists every session with its duration). Neither file is an audit trail: both are binary records that anyone with root can edit or truncate, which is one reason to ship the sshd log off the host.

$ lastlog
Username     Port From       Latest
root                         **Never logged in**
daemon                       **Never logged in**
bin                          **Never logged in**
sys                          **Never logged in**
...
ubuntu       pts/0 10.103.160.144   Wed Mar 30 17:52:11 +0000 2022

Useful log settings

Knowing how to view ssh logs isn't much help if the logs you're looking for haven't been retained. First check that the journal is actually persisted: with the default Storage=auto, journald writes to disk only if /var/log/journal exists and otherwise keeps entries in /run/log/journal, which is lost on reboot (some distributions, RHEL and CentOS 7 among them, ship without that directory and rely on rsyslog for persistence). Setting Storage=persistent in /etc/systemd/journald.conf removes the ambiguity. Once on disk, journald caps the journal at 10% of the file system it lives on, up to 4 GiB, and also trims old entries to keep 15% of the disk free; the SystemMaxUse and SystemKeepFree settings in the same file change those limits, and journalctl --disk-usage shows what the journal currently occupies. On a busy bastion the sshd entries can age out within days, so a local limit is no substitute for forwarding the logs to a central store.

It's also recommended to raise the sshd log level from the default of INFO to VERBOSE (the CIS benchmarks recommend the same). Put this setting in /etc/ssh/sshd_config:

LogLevel VERBOSE

At VERBOSE, sshd writes a Failed publickey line, with the key's fingerprint, for every key an existing account offers that is not accepted (at INFO those appear only after repeated failures), and records when each session's shell or command starts and finishes and on which pty (Starting session: shell on pts/0 for ubuntu ...). After editing the file, check the syntax with sshd -t, reload the service with systemctl reload ssh (or sshd), and confirm the running configuration with sshd -T | grep -i loglevel. The DEBUG levels (DEBUG through DEBUG3) exist for troubleshooting, but sshd_config(5) warns that they violate the privacy of users; do not leave them on.

Conclusion

On most modern systems, journalctl provides a convenient, standardized way to view ssh logs. On other systems, you can find the sshd log at /var/log/auth.log (or /var/log/secure on Red Hat-derived systems). For quick inspections, you can also use the lastlog command. Lastly, remember to configure your servers with the proper log retention and verbosity settings. Happy ssh'ing!


About the Author

, Senior Software Engineer, has been building technology for over 12 years, working on everything from VR to mobile games to network and security software. He is captivated by a desire to build tools to meet the needs of people first and enjoys sharing his programming adventures via blog posts and speaking events. He holds a B.S. in Computer Science & Engineering from The Ohio State University. To contact Evan, visit him on LinkedIn.
