Where is the sshd log file on Red Hat Linux stored?
Solution 1
Login records are usually in /var/log/secure. I don't think there is a log specific to the SSH daemon process, unless you've broken it out from other syslog messages.
Solution 2
In addition to @john answer, some distributions are now using journalctl by default. If that's your case, you're probably able to see sshd
activity through:
_> journalctl _COMM=sshd
You will see output like this:
Abr 15 02:28:17 m sshd[26284]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Abr 15 02:28:18 m sshd[26284]: Failed password for root from 127.0.0.1 port **** ssh2
Abr 15 02:28:19 m sshd[26284]: Connection closed by 127.0.0.1 [preauth]
Abr 15 02:28:25 m sshd[26296]: Accepted password for **** from 127.0.0.1 port **** ssh2
Abr 15 02:28:25 m sshd[26296]: pam_unix(sshd:session): session opened for user **** by (uid=0)
Abr 15 02:28:28 m sshd[26301]: Received disconnect from 127.0.0.1: 11: disconnected by user
Abr 15 02:28:58 m sshd[26231]: Received signal 15; terminating.
Abr 15 02:28:58 m sshd[26828]: Server listening on 0.0.0.0 port 22.
Solution 3
The log is in fact located at /var/log/secure on RHEL systems. A SSHD connection will look something like this;
Jan 10 09:49:04 server sshd[28651]: Accepted publickey for [username] from x.x.x.x port 61000 ssh2
Jan 10 09:49:04 server sshd[28651]: pam_unix(sshd:session): session opened for user [username] by (uid=0)
The most important part for determining whether or not your account has been compromised is the IP Address.
Solution 4
If you are using RHEL/CentOS 7, your system will be using systemd, and therefore journalctl. As mentioned above, you can use the journalctl _COMM=sshd
. However, you should also be able to view this with the following command:
# journalctl -u sshd
You can verify your version of redhat by the following command as well:
# cat /etc/*release
This will show you version information about your version of linux.
Related videos on Youtube
user150591
Updated on September 18, 2022Comments
-
user150591 over 1 year
Can someone please tell me where to find the SSHD log on RedHat and SELinux.... I would like to view the log to see who is logging into my account..
-
EEAA over 11 yearsSheesh - if you have to ask "who is logging into my account", it's already game over. See How do I deal with a compromised server.
-
iSee almost 10 yearsGiven the fact that RHEL7 will use a different logging system, could you add a tag with the specific version you're using?
-
-
marcio almost 10 years/var/log/secure is not there... is it a bad sign?
-
John almost 10 yearsIf you're on Red Hat Enterprise Linux, Fedora, or a RHEL derivative like CentOS, then yes, this is a bad sign. Something is wrong.
-
marcio almost 10 yearsI've read that fedora uses journalctl instead of
/var/log/secure
. Withjournalctl _COMM=sshd
I could see all ssh activity and everything seems fine :D -
iSee almost 10 yearsThere's also
journalctl _SYSTEMD_UNIT=sshd.service
the difference being that it will get only the logs for the service excluding any other possible sshd instances (for example someone runs another SSH server in parallel).