Viewing SSH (Secure Shell) logs is an important functionality that allows admins to monitor user activity. SSH logs provide an account of user access activities and the times at which they accessed the system. Admins need to monitor, troubleshoot, and be aware of every improper SSH command that is executed, and SSH logs assist them in monitoring these commands and all other SSH requests.
Monitoring SSH logs not only enhances security but also plays a crucial role in meeting regulatory compliance requirements for SOC 2, SOX, and other compliance standards. Monitoring and reviewing SSH logs demonstrates an organization's ability to meet requirements related to robust data protection, access control, and auditability, which are critical components of SOX and SOC 2 compliance.
This article will explain how to view SSH logs on your Linux machines.
SSH logs come in handy when you want to find out who is accessing or is trying to access your Linux SSH servers. The logs follow the typical logfile format containing:
TIMESTAMP HOSTNAME APPLICATION[PROCESS_ID]: MESSAGE
Here are a few examples of sshd log entries:
2023-08-01T10:06:46.337683+05:30 kali sshd[12877]: Accepted password for alice from 192.168.1.8 port 51020 ssh2
The logline above shows a successful password authentication: on host kali, the sshd process with PID 12877 accepted a login for the user alice from 192.168.1.8 (source port 51020) over SSH protocol version 2.
Aug 01 12:34:32 kali sshd[22806]: Failed password for bob from 192.168.1.8 port 55786 ssh2
The logline above shows a failed password authentication attempt for the existing user bob from 192.168.1.8 (source port 55786); note that this entry uses the traditional syslog timestamp format rather than the ISO 8601 format seen in the first example.
Oct 18 08:38:12 ip-172-31-28-116.us-east-2.compute.internal sshd[13416]: Invalid user admin from 125.139.58.175 port 58504
Oct 18 08:38:12 ip-172-31-28-116.us-east-2.compute.internal sshd[13416]: input_userauth_request: invalid user admin [preauth]
Oct 18 08:38:12 ip-172-31-28-116.us-east-2.compute.internal sshd[13416]: Connection closed by 125.139.58.175 port 58504 [preauth]
The loglines above show a login attempt with the username admin, which does not exist on the host; sshd flags it as an invalid user, rejects it during the pre-authentication phase ([preauth]), and the connection from 125.139.58.175 is closed. Repeated entries of this kind from the same source address are a typical sign of automated username guessing.
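To show how the TIMESTAMP HOSTNAME APPLICATION[PROCESS_ID]: MESSAGE format breaks down in practice, here is an added example (not part of the original article) that parses sshd entries in both timestamp styles shown above, classifies the three event types, and tallies accepted logins per user and rejected attempts per source address. The sample log is constructed from the lines above plus one non-sshd line to show that unrelated entries are ignored.

```python
import re
from collections import Counter

# Constructed sample in the two timestamp styles shown above (ISO 8601 and syslog).
SAMPLE_LOG = """\
2023-08-01T10:06:46.337683+05:30 kali sshd[12877]: Accepted password for alice from 192.168.1.8 port 51020 ssh2
Aug 01 12:34:32 kali sshd[22806]: Failed password for bob from 192.168.1.8 port 55786 ssh2
Aug 01 12:34:40 kali sshd[22806]: Failed password for bob from 192.168.1.8 port 55787 ssh2
Oct 18 08:38:12 ip-172-31-28-116.us-east-2.compute.internal sshd[13416]: Invalid user admin from 125.139.58.175 port 58504
Oct 18 08:38:12 ip-172-31-28-116.us-east-2.compute.internal sshd[13416]: Connection closed by 125.139.58.175 port 58504 [preauth]
Aug 01 10:06:46 kali cron[100]: constructed non-sshd line, must be ignored
"""

# TIMESTAMP HOSTNAME APPLICATION[PROCESS_ID]: MESSAGE
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\S+|[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# MESSAGE patterns for the three sshd events discussed in the article.
EVENT_RES = {
    "accepted": re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
    "failed": re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
    "invalid_user": re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
}

def parse_line(line):
    """Split one sshd log line into fields; return None for non-sshd or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("app") != "sshd":
        return None
    rec = m.groupdict()
    rec["event"] = "other"  # e.g. "Connection closed ..." or pam_unix session lines
    for name, pattern in EVENT_RES.items():
        em = pattern.match(rec["msg"])
        if em:
            rec["event"] = name
            rec.update(em.groupdict())
            break
    return rec

def summarize(log_text):
    """Count accepted logins per user and failed/invalid-user attempts per source IP."""
    accepted, rejected = Counter(), Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["event"] == "accepted":
            accepted[rec["user"]] += 1
        elif rec["event"] in ("failed", "invalid_user"):
            rejected[rec["ip"]] += 1
    return accepted, rejected
```

Feeding the output of `cat /var/log/auth.log` or `journalctl -u ssh` into summarize() gives the same per-source tallies, since both sources share the format the regex matches.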
Note - Public SSH access must be denied to mitigate the risk of attacks; bastion hosts or alternative solutions must be used to access infrastructure resources.
There are two pathways to viewing these logs: via the /var/log/auth.log file or using the command journalctl -u ssh. Almost all new Linux systems come with systemd, allowing the use of the journalctl -u ssh command, whereas on older systems /var/log/auth.log can be used to access the SSH logs.
The auth.log file in the /var/log directory tracks authentication and authorization events, which include remote logins via SSH. You can use the command below to view SSH logs:
$ cat /var/log/auth.log
...
2023-08-01T10:06:46.337683+05:30 kali sshd[12877]: Accepted password for jdoe from 192.168.1.8 port 51020 ssh2
2023-08-01T10:06:46.339657+05:30 kali sshd[12877]: pam_unix(sshd:session): session opened for user jdoe(uid=1000) by (uid=0)
...
2023-08-01T10:06:46.394737+05:30 kali sshd[12877]: pam_env(sshd:session): deprecated reading of user environment enabled
The journalctl command provides an alternate pathway to viewing logs from sshd. The following shows the same sshd logs as were found in /var/log/auth.log above.
$ journalctl -u ssh
...
Aug 01 10:06:46 kali sshd[12877]: Accepted password for jdoe from 192.168.1.8 port 51020 ssh2
Aug 01 10:06:46 kali sshd[12877]: pam_unix(sshd:session): session opened for user jdoe(uid=1000) by (uid=0)
Aug 01 10:06:46 kali sshd[12877]: pam_env(sshd:session): deprecated reading of user environment enabled
The journalctl command is used to query the systemd journal. The -u option is used to specify which unit must be queried, which is ssh or sshd in this case.
SSH logs are an authentic source of information when tracing remote SSH attempts and can guide the planning for additional layers of infrastructure security. By regularly monitoring SSH logs, you can detect and respond to security threats, troubleshoot SSH-related issues, and ensure compliance with relevant regulations.
The methods mentioned in this article provide two different ways to access and review SSH logs, depending on your system's configuration. Implementing robust log monitoring practices will help you keep your server secure and operational.