Where is the sshd log file on Red Hat Linux stored?


Solution 1

Login records are usually in /var/log/secure. I don't think there is a log specific to the SSH daemon process, unless you've broken it out from other syslog messages.

Solution 2

In addition to @john's answer, some distributions are now using journalctl by default. If that's your case, you're probably able to see sshd activity through:

_> journalctl _COMM=sshd

You will see output like this:

Abr 15 02:28:17 m sshd[26284]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Abr 15 02:28:18 m sshd[26284]: Failed password for root from 127.0.0.1 port **** ssh2
Abr 15 02:28:19 m sshd[26284]: Connection closed by 127.0.0.1 [preauth]
Abr 15 02:28:25 m sshd[26296]: Accepted password for **** from 127.0.0.1 port **** ssh2
Abr 15 02:28:25 m sshd[26296]: pam_unix(sshd:session): session opened for user **** by (uid=0)
Abr 15 02:28:28 m sshd[26301]: Received disconnect from 127.0.0.1: 11: disconnected by user
Abr 15 02:28:58 m sshd[26231]: Received signal 15; terminating.
Abr 15 02:28:58 m sshd[26828]: Server listening on 0.0.0.0 port 22.

Solution 3

The log is in fact located at /var/log/secure on RHEL systems. An SSHD connection will look something like this:

Jan 10 09:49:04 server sshd[28651]: Accepted publickey for [username] from x.x.x.x port 61000 ssh2
Jan 10 09:49:04 server sshd[28651]: pam_unix(sshd:session): session opened for user [username] by (uid=0)

The most important part for determining whether or not your account has been compromised is the IP Address.

Solution 4

If you are using RHEL/CentOS 7, your system will be using systemd, and therefore journalctl. As mentioned above, you can use journalctl _COMM=sshd. However, you should also be able to view this with the following command:

# journalctl -u sshd

You can verify your version of Red Hat with the following command as well:

# cat /etc/*release

This will show you version information about your version of Linux.
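
The answers point at /var/log/secure and journalctl and note that the source IP address is what matters. The following added example (not part of any answer above) tallies accepted and failed sshd authentications per user and source address; the function names and the sample log lines, which use documentation-range addresses, are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise sshd authentication results per user and source.

# Reads sshd log lines on stdin (the line format shown for /var/log/secure
# and journalctl above) and prints: COUNT RESULT METHOD USER SOURCE_IP
summarize_sshd_auth() {
    awk '
    / sshd\[[0-9]+\]: (Accepted|Failed) / {
        # Locate the result keyword; fields before it are timestamp/host/tag.
        for (i = 1; i <= NF; i++)
            if ($i == "Accepted" || $i == "Failed") break
        result = $i; method = $(i + 1)
        u = i + 3                      # skip "<method> for"
        # Failed attempts for unknown accounts read "for invalid user NAME".
        if ($u == "invalid" && $(u + 1) == "user") u += 2
        # "from" must follow the user name; lines that do not fit are skipped.
        if ($(u + 1) != "from") next
        count[result " " method " " $u " " $(u + 2)]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample input; not taken from a real host.
sample_log() {
    cat <<'EOF'
Jan 10 09:49:04 server sshd[28651]: Accepted publickey for alice from 203.0.113.7 port 61000 ssh2
Jan 10 09:49:04 server sshd[28651]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 10 10:02:11 server sshd[28702]: Failed password for root from 198.51.100.23 port 40112 ssh2
Jan 10 10:02:14 server sshd[28702]: Failed password for root from 198.51.100.23 port 40112 ssh2
Jan 10 10:02:20 server sshd[28710]: Failed password for invalid user admin from 198.51.100.23 port 40120 ssh2
Jan 10 11:15:40 server sshd[28801]: Accepted password for alice from 198.51.100.23 port 40233 ssh2
EOF
}

# Demo on the constructed sample.
sample_log | summarize_sshd_auth
```

On a real system the same function can read /var/log/secure on stdin or the piped output of journalctl -u sshd. An accepted login from an address that also appears in the failed rows, like the last sample line, is the pattern to look at first.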


Author: user150591

Updated on September 18, 2022

Comments

  • user150591 over 1 year

    Can someone please tell me where to find the SSHD log on Red Hat and SELinux? I would like to view the log to see who is logging into my account.

    • EEAA over 11 years
      Sheesh - if you have to ask "who is logging into my account", it's already game over. See How do I deal with a compromised server.
    • iSee almost 10 years
      Given the fact that RHEL7 will use a different logging system, could you add a tag with the specific version you're using?
  • marcio almost 10 years
    /var/log/secure is not there... is it a bad sign?
  • John almost 10 years
    If you're on Red Hat Enterprise Linux, Fedora, or a RHEL derivative like CentOS, then yes, this is a bad sign. Something is wrong.
  • marcio almost 10 years
    I've read that Fedora uses journalctl instead of /var/log/secure. With journalctl _COMM=sshd I could see all ssh activity and everything seems fine :D
  • iSee almost 10 years
    There's also journalctl _SYSTEMD_UNIT=sshd.service, the difference being that it will get only the logs for the service, excluding any other possible sshd instances (for example, someone runs another SSH server in parallel).