Where are my sshd logs?
Solution 1
I have found the output of sshd and other core services in 'journalctl'.
See more at the Arch Wiki entry for systemd:
https://wiki.archlinux.org/index.php/Systemd/Journal
Solution 2
Try this command to view the log from systemctl:
journalctl -u sshd | tail -n 100
Solution 3
A better way to see the last part of the log is:
journalctl -u sshd -n 100
Using tail on the output of journalctl can be very slow. It took 5 minutes on a machine where I tried it, while the above command returns instantly.
Solution 4
You should be able to filter messages from sshd using:
journalctl -u ssh
or (depending on your distribution)
journalctl -u sshd
which will show logs in a less style format (you can search /, navigate via PgUp, PgDown etc.).
-ebrings you to the end of logs.-uparameter filters through meta field_SYSTEMD_UNITwhich is (at least on Debian) set tossh.service, thussshdwon't match.-ffollows logs in real-time-n 100displays given number of lines (useful with-f)
Alternatively you can use meta-fields filtering:
journalctl _COMM=sshd
You can display whole journal record with all meta-fields by exporting to JSON:
journalctl -u ssh -o json-pretty
that would give you something like:
...
"_PID" : "7373",
"_COMM" : "sshd",
"_EXE" : "/usr/sbin/sshd",
"_SYSTEMD_CGROUP" : "/system.slice/ssh.service",
"_SYSTEMD_UNIT" : "ssh.service",
...
In case you wonder how to display only kernel messages:
journalctl -k -f
Solution 5
Take a look at your syslog configuration. Most probalby /etc/syslog.conf or /etc/rsyslog.conf You should look for lines with auth for example in my config:
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
Related videos on Youtube
03 : 17
02 : 33
05 : 34
03 : 27
02 : 44
HXCaine
Updated on September 18, 2022Comments
-
HXCaine almost 2 years
I can't find my sshd logs in the standard places.
What I've tried:
- Not in
/var/log/auth.log - Not in
/var/log/secure - Did a system search for
'auth.log'and found nothing - I've set
/etc/ssh/sshd_configto explicitly useSyslogFacility AUTHandLogLevel INFOand restarted sshd and still can't find them.
I'm using OpenSSH 6.5p1-2 on Arch Linux.
-
Romain Vincent about 4 yearsI could not find logs in the journalctl but found them in /var/log/auth.log thanks to your question. <insert funny face here>
- Not in
-
HXCaine over 10 yearsNeither of those files exists. I believe those files are created by syslog-ng whereas Arch has replaced that with systemd
-
user1579506 over 9 yearsThis doesn't seem to work, but
journalctl _COMM=sshddoes. -
werkritter over 8 yearsAh, yes - systemctl being completely consistent and predictable as usual. -
bzeaman over 8 yearsYou can use the
-foption to follow the log:journalctl -fu sshd -
Ortomala Lokni over 6 yearsDo you have an explanation for this strange syntax (
journalctl _COMM=sshd)? -
Tombart over 6 years@OrtomalaLokni
-ufilters through metadata field_SYSTEMD_UNITwhich is on Debian set tossh.service. All params starting with underscore are accessing metafiels. In similar manner you can filter via_PIDor_TRANSPORT. -
Salem F about 6 yearsIn Scientific Linux authpriv.* point toauthpriv.* /var/log/secureinside the file/etc/rsyslog.conf -
bobpaul about 6 yearswingedsubmariner - I know it's been almost 4 years, but... do you remember what distro you were on at the time? I suspect the unit file on your distro was called "openssh" or just "ssh" rather than "sshd". The thing with the systemd project is they consider distros to be their users, and distros are free to use whatever names they want for unit files (like Debian calls apache's webserver
apache2while RedHat calls ithttpd). -
Zeiad98 over 3 years
journalctl -t sshd -e -
Erasmus almost 3 yearsOn my Raspberry Pi, the service was called ssh.service, so the command is:
journalctl -u ssh.service
