98

I can't find my sshd logs in the standard places.

What I've tried:

  • Not in /var/log/auth.log
  • Not in /var/log/secure
  • Did a system search for 'auth.log' and found nothing
  • I've set /etc/ssh/sshd_config to explicitly use SyslogFacility AUTH and LogLevel INFO and restarted sshd and still can't find them.

I'm using OpenSSH 6.5p1-2 on Arch Linux.

1
  • 1
    I could not find logs in the journalctl but found them in /var/log/auth.log thanks to your question. <insert funny face here> Commented May 3, 2020 at 16:38

5 Answers

86

Try this command to view the log from systemctl:

journalctl -u sshd | tail -n 100
6
  • 63
    This doesn't seem to work, but journalctl _COMM=sshd does. Commented Oct 21, 2014 at 5:19
  • 12
    Ah, yes - systemctl being completely consistent and predictable as usual.
    – user3356
    Commented Dec 12, 2015 at 19:49
  • 10
    You can use the -f option to follow the log: journalctl -fu sshd
    – bzeaman
    Commented Apr 1, 2016 at 20:45
  • 1
    wingedsubmariner - I know it's been almost 4 years, but... do you remember what distro you were on at the time? I suspect the unit file on your distro was called "openssh" or just "ssh" rather than "sshd". The thing with the systemd project is they consider distros to be their users, and distros are free to use whatever names they want for unit files (like Debian calls apache's webserver apache2 while RedHat calls it httpd).
    – bobpaul
    Commented May 25, 2018 at 16:41
  • 5
    journalctl -t sshd -e
    – RedEyed
    Commented Feb 23, 2021 at 12:53
47

A better way to see the last part of the log is:

journalctl -u sshd -n 100

Using tail on the output of journalctl can be very slow. It took 5 minutes on a machine where I tried it, while the above command returns instantly.

1
  • 3
    And you don't lose line coloring! Should be top solution imo
    – kuzyn
    Commented Apr 14, 2017 at 1:13
25

You should be able to filter messages from sshd using:

journalctl -u ssh

or (depending on your distribution)

journalctl -u sshd

which will show logs in a less style format (you can search /, navigate via PgUp, PgDown etc.).

  • -e brings you to the end of logs.
  • -u parameter filters through meta field _SYSTEMD_UNIT which is (at least on Debian) set to ssh.service, thus sshd won't match.
  • -f follows logs in real-time
  • -n 100 displays given number of lines (useful with -f)

Alternatively you can use meta-fields filtering:

journalctl _COMM=sshd

You can display whole journal record with all meta-fields by exporting to JSON:

journalctl -u ssh -o json-pretty

that would give you something like:

    ...
    "_PID" : "7373",
    "_COMM" : "sshd",
    "_EXE" : "/usr/sbin/sshd",
    "_SYSTEMD_CGROUP" : "/system.slice/ssh.service",
    "_SYSTEMD_UNIT" : "ssh.service",
    ...

In case you wonder how to display only kernel messages:

journalctl -k -f
2
  • Do you have an explanation for this strange syntax (journalctl _COMM=sshd)? Commented Jan 5, 2018 at 7:49
  • @OrtomalaLokni -u filters through metadata field _SYSTEMD_UNIT which is on Debian set to ssh.service. All params starting with underscore are accessing metafields. In similar manner you can filter via _PID or _TRANSPORT.
    – Tombart
    Commented Jan 8, 2018 at 18:59
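
Added example (not part of the answer above, and not systemd's own code): a simplified Python model of the `-u` and `_COMM=` filters, run over constructed `journalctl -o json` records, showing why `-u sshd` finds nothing when the unit is ssh.service and how to discover which unit name sshd logs under. The function names and all sample records are assumptions made for illustration; `by_unit` only models the _SYSTEMD_UNIT match the answer describes.

```python
import json
from collections import Counter

# Constructed sample of `journalctl -o json` output (one JSON object per line).
# PIDs, addresses and messages are made up for this example.
SAMPLE = """\
{"_COMM":"sshd","_PID":"7373","_SYSTEMD_UNIT":"ssh.service","MESSAGE":"Server listening on 0.0.0.0 port 22."}
{"_COMM":"sshd","_PID":"7401","_SYSTEMD_UNIT":"ssh.service","MESSAGE":"Failed password for invalid user test from 192.0.2.10 port 51122 ssh2"}
{"_COMM":"cron","_PID":"812","_SYSTEMD_UNIT":"cron.service","MESSAGE":"pam_unix(cron:session): session opened for user root"}
{"_COMM":"sshd","_PID":"7402","_SYSTEMD_UNIT":"ssh.service","MESSAGE":[65,99,99,101,112,116,101,100]}
{"_TRANSPORT":"kernel","SYSLOG_IDENTIFIER":"kernel","MESSAGE":"eth0: link up"}
"""

def parse_journal(text):
    """Parse JSON export output: one record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def message_text(rec):
    """Return MESSAGE as str; values that are not valid UTF-8 are exported as byte arrays."""
    msg = rec.get("MESSAGE")
    if isinstance(msg, list):
        return bytes(msg).decode("utf-8", errors="replace")
    return msg or ""  # oversized fields are exported as null

def match(records, **fields):
    """Keep records where every FIELD=value pair matches exactly, like `journalctl FIELD=value`."""
    return [r for r in records if all(r.get(k) == v for k, v in fields.items())]

def by_unit(records, unit):
    """Simplified model of -u: a bare name is treated as NAME.service and compared to _SYSTEMD_UNIT."""
    if "." not in unit:
        unit += ".service"
    return match(records, _SYSTEMD_UNIT=unit)

def units_for_comm(records, comm):
    """Count which unit names a given process name logs under, to pick the right -u argument."""
    return Counter(r.get("_SYSTEMD_UNIT", "<none>") for r in match(records, _COMM=comm))

if __name__ == "__main__":
    recs = parse_journal(SAMPLE)
    print("-u sshd     ->", len(by_unit(recs, "sshd")), "records")
    print("-u ssh      ->", len(by_unit(recs, "ssh")), "records")
    print("_COMM=sshd  ->", len(match(recs, _COMM="sshd")), "records")
    print("units used by sshd:", dict(units_for_comm(recs, "sshd")))
    for r in match(recs, _COMM="sshd"):
        print(r["_PID"], message_text(r))
```

On a live system the same functions can be fed the output of `journalctl _COMM=sshd -o json` instead of the constructed sample.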
11

I have found the output of sshd and other core services in 'journalctl'.

See more at the Arch Wiki entry for systemd:

https://wiki.archlinux.org/index.php/Systemd/Journal

0
1

Take a look at your syslog configuration; most probably /etc/syslog.conf or /etc/rsyslog.conf.  You should look for lines with auth.  For example, in my config:

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
2
  • 5
    Neither of those files exists. I believe those files are created by syslog-ng whereas Arch has replaced that with systemd
    – HXCaine
    Commented Feb 8, 2014 at 13:29
  • In Scientific Linux authpriv.* points to authpriv.* /var/log/secure inside the file /etc/rsyslog.conf
    – Salem F
    Commented May 25, 2018 at 10:31
