Where are my sshd logs?
Solution 1
I have found the output of sshd and other core services in 'journalctl'.
See more at the Arch Wiki entry for systemd:
https://wiki.archlinux.org/index.php/Systemd/Journal
Solution 2
Try this command to view the log from systemctl:
journalctl -u sshd | tail -n 100
Solution 3
A better way to see the last part of the log is:
journalctl -u sshd -n 100
Using tail on the output of journalctl can be very slow. It took 5 minutes on a machine where I tried it, while the above command returns instantly.
Solution 4
You should be able to filter messages from sshd using:
journalctl -u ssh
or (depending on your distribution)
journalctl -u sshd
which will show logs in a less-style format (you can search /, navigate via PgUp, PgDown etc.).
- -e brings you to the end of logs.
- -u parameter filters through meta field _SYSTEMD_UNIT which is (at least on Debian) set to ssh.service, thus sshd won't match.
- -f follows logs in real-time
- -n 100 displays given number of lines (useful with -f)
Alternatively you can use meta-fields filtering:
journalctl _COMM=sshd
You can display whole journal record with all meta-fields by exporting to JSON:
journalctl -u ssh -o json-pretty
that would give you something like:
...
"_PID" : "7373",
"_COMM" : "sshd",
"_EXE" : "/usr/sbin/sshd",
"_SYSTEMD_CGROUP" : "/system.slice/ssh.service",
"_SYSTEMD_UNIT" : "ssh.service",
...
In case you wonder how to display only kernel messages:
journalctl -k -f
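As an added illustration (not part of the original answer), this Python sketch reads constructed journalctl -o json records and reports which of the selectors mentioned on this page would pick up each one, which shows why -u sshd misses records from ssh.service while _COMM=sshd does not. The sample records and function names are invented for the example, and -u is simplified to an exact _SYSTEMD_UNIT comparison.

```python
import json

# Constructed sample of `journalctl -o json` output: one JSON object per line.
SAMPLE = "\n".join([
    '{"_PID":"7373","_COMM":"sshd","_SYSTEMD_UNIT":"ssh.service",'
    '"SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Server listening on 0.0.0.0 port 22."}',
    '{"_PID":"812","_COMM":"sshd","_SYSTEMD_UNIT":"sshd.service",'
    '"SYSLOG_IDENTIFIER":"sshd","MESSAGE":[83,101,114,118,101,114]}',
    '{"_PID":"99","_COMM":"cron","_SYSTEMD_UNIT":"cron.service",'
    '"SYSLOG_IDENTIFIER":"CRON","MESSAGE":"session opened"}',
])

def text(value):
    """Normalise a field: journalctl's JSON output emits null for oversized
    fields, a list of byte values for non-UTF-8 data, and a list of values
    when a field occurs more than once in a record."""
    if value is None:
        return ""
    if isinstance(value, list):
        if all(isinstance(b, int) for b in value):
            return bytes(value).decode("utf-8", "replace")
        return " ".join(text(v) for v in value)
    return str(value)

def selectors(rec):
    """Return which journalctl invocations from this page select the record."""
    unit = text(rec.get("_SYSTEMD_UNIT"))
    # Simplification (assumption): -u NAME is modelled as _SYSTEMD_UNIT == NAME.service.
    hits = ["-u " + n for n in ("ssh", "sshd") if unit == n + ".service"]
    if text(rec.get("_COMM")) == "sshd":
        hits.append("_COMM=sshd")
    if text(rec.get("SYSLOG_IDENTIFIER")) == "sshd":  # what -t filters on
        hits.append("-t sshd")
    return hits

def sshd_records(stream):
    """Yield (selectors, pid, message) for each record any selector matches."""
    for line in stream.splitlines():
        if line.strip():
            rec = json.loads(line)
            hits = selectors(rec)
            if hits:
                yield hits, text(rec.get("_PID")), text(rec.get("MESSAGE"))

if __name__ == "__main__":
    for hits, pid, msg in sshd_records(SAMPLE):
        print(f"sshd[{pid}] matched by {', '.join(hits)}: {msg}")
```

On a live system, pass the text produced by journalctl -o json to sshd_records in place of SAMPLE.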
Solution 5
Take a look at your syslog configuration. Most probably /etc/syslog.conf or /etc/rsyslog.conf
You should look for lines with auth, for example in my config:
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
HXCaine
Updated on September 18, 2022
Comments
-
HXCaine almost 2 years
I can't find my sshd logs in the standard places.
What I've tried:
- Not in /var/log/auth.log
- Not in /var/log/secure
- Did a system search for 'auth.log' and found nothing
- I've set /etc/ssh/sshd_config to explicitly use SyslogFacility AUTH and LogLevel INFO and restarted sshd and still can't find them.
I'm using OpenSSH 6.5p1-2 on Arch Linux.
-
Romain Vincent about 4 years
I could not find logs in the journalctl but found them in /var/log/auth.log thanks to your question. <insert funny face here>
-
HXCaine over 10 years
Neither of those files exists. I believe those files are created by syslog-ng whereas Arch has replaced that with systemd
-
user1579506 over 9 years
This doesn't seem to work, but journalctl _COMM=sshd does.
-
werkritter over 8 years
Ah, yes - systemctl being completely consistent and predictable as usual.
-
bzeaman over 8 years
You can use the -f option to follow the log: journalctl -fu sshd
-
Ortomala Lokni over 6 years
Do you have an explanation for this strange syntax (journalctl _COMM=sshd)?
-
Tombart over 6 years
@OrtomalaLokni -u filters through metadata field _SYSTEMD_UNIT which is on Debian set to ssh.service. All params starting with underscore are accessing metafields. In similar manner you can filter via _PID or _TRANSPORT.
-
Salem F about 6 years
In Scientific Linux authpriv.* point to authpriv.* /var/log/secure inside the file /etc/rsyslog.conf
-
bobpaul about 6 years
wingedsubmariner - I know it's been almost 4 years, but... do you remember what distro you were on at the time? I suspect the unit file on your distro was called "openssh" or just "ssh" rather than "sshd". The thing with the systemd project is they consider distros to be their users, and distros are free to use whatever names they want for unit files (like Debian calls apache's webserver apache2 while RedHat calls it httpd).
-
Zeiad98 over 3 years
journalctl -t sshd -e
-
Erasmus almost 3 years
On my Raspberry Pi, the service was called ssh.service, so the command is:
journalctl -u ssh.service