How do I change the sshd logging file location on CentOS? sshd logs to /var/log/messages instead of /var/log/secure. How can I change the setting so sshd will stop sending logs to /var/log/messages?

Gilles 'SO- stop being evil'
Jidrick
  • You keep writing `/var/log/message`; is that really the location? It's generally `/var/log/messages`. – slm Feb 19 '14 at 04:25
  • 1
    @slm [here](http://unix.stackexchange.com/q/115822/33055) it was `/var/log/messages`, maybe OP has both ;-) – Anthon Feb 19 '14 at 04:45
  • On my Ubuntu system, the ssh log is in `/var/log/auth.log` – Eric Oct 10 '15 at 03:50

2 Answers

Please post your sshd_config; something else would seem to be up. A stock CentOS system always logs to /var/log/secure.

Example

$ sudo tail -f /var/log/secure
Feb 18 23:23:34 greeneggs sshd[3545]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Feb 18 23:23:36 greeneggs sshd[3545]: Failed password for root from ::1 port 46401 ssh2
Feb 18 23:23:42 greeneggs unix_chkpwd[3555]: password check failed for user (root)
Feb 18 23:23:42 greeneggs sshd[3545]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Feb 18 23:23:43 greeneggs sshd[3545]: Failed password for root from ::1 port 46401 ssh2
Feb 18 23:23:48 greeneggs sshd[3545]: Accepted password for root from ::1 port 46401 ssh2
Feb 18 23:23:48 greeneggs sshd[3545]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 18 23:24:05 greeneggs sshd[3545]: Received disconnect from ::1: 11: disconnected by user
Feb 18 23:24:05 greeneggs sshd[3545]: pam_unix(sshd:session): session closed for user root
Feb 18 23:27:15 greeneggs sudo:     saml : TTY=pts/3 ; PWD=/home/saml ; USER=root ; COMMAND=/bin/tail /var/log/secure

This is controlled through /etc/ssh/sshd_config:

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

As well as the contents of /etc/rsyslog.conf:

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

Your issue

In one of your comments you mentioned that your rsyslogd config file was named /etc/rsyslog.config. That isn't the correct name for this file, and is likely the reason your logging is screwed up. Change the name of this file to /etc/rsyslog.conf and then restart the logging service.

$ sudo service rsyslog restart
slm
  • Thanks. I wondered: if "SyslogFacility AUTHPRIV" is commented out, how does sshd know what the defaults are? Are the defaults stored at some place you can edit? – Jidrick Feb 19 '14 at 06:28
  • The defaults are in the source code that was used to compile the `sshd` executable file. If you want to _override_ the defaults, you can give `sshd` command-line options or edit its config file. – Mark Plotnick Feb 19 '14 at 13:03
  • @MarkPlotnick - yes, as is typically done in configuration files (as seen above), the defaults are shown in the config file but are then commented out. So `ssh` was compiled so that `LogLevel` was set to `INFO` by default. To override it you need to uncomment that line and then change its value. – slm Feb 19 '14 at 13:43

The default sshd syslog facility is AUTH, so it will be logged by syslog to /var/log/messages.

To make sshd log to a new file, you can change its syslog facility to something else, then configure syslog to log this new facility to a new file, i.e.:

In sshd_config, add this line:

SyslogFacility AUTHPRIV

Then in syslog.conf:

authpriv.* /var/log/secure
slm
cuonglm
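Both answers hinge on the same two-step lookup: sshd's effective SyslogFacility (compiled-in default AUTH unless an uncommented line overrides it) and which rsyslog selector line claims that facility. The following is an added example, not code from either answer or from the sshd or rsyslog projects; it models only the classic `facility.priority  file` selector syntax and uses the config excerpts quoted in the first answer as sample input.

```python
# Added example: a simplified model of how sshd's SyslogFacility and classic
# rsyslog selectors ("facility.priority  file") pick the log file.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Sample configs taken from the answer's sshd_config and rsyslog.conf excerpts.
SSHD_CONFIG = "# Logging\n#SyslogFacility AUTH\nSyslogFacility AUTHPRIV\n#LogLevel INFO\n"
RSYSLOG_CONF = ("*.info;mail.none;authpriv.none;cron.none   /var/log/messages\n"
                "authpriv.*                                 /var/log/secure\n")

def sshd_facility(sshd_config: str) -> str:
    """First uncommented SyslogFacility wins (sshd_config semantics); the
    commented-out line only documents the compiled-in default, AUTH."""
    for line in sshd_config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "syslogfacility" and value.strip():
            return value.strip().upper()
    return "AUTH"

def selector_allows(selector: str, facility: str, priority: str):
    """True/False if the selector names this facility, None if it does not."""
    facs, _, pri = selector.rpartition(".")
    if facility not in facs.split(",") and "*" not in facs.split(","):
        return None
    if pri == "none":
        return False
    if pri == "*":
        return True
    return PRIORITIES.index(priority) >= PRIORITIES.index(pri)  # this level or higher

def destinations(rsyslog_conf: str, facility: str, priority: str) -> list:
    """Files receiving a message of this facility/priority. Selectors on a line
    apply left to right and the last one naming the facility wins, which is
    how 'authpriv.none' keeps sshd out of /var/log/messages."""
    facility, files = facility.lower(), []
    for line in rsyslog_conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#$":   # comments and rsyslog $directives
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        allowed = None
        for sel in parts[0].split(";"):
            decision = selector_allows(sel, facility, priority)
            if decision is not None:
                allowed = decision
        if allowed:
            files.append(parts[1].lstrip("-"))  # leading '-' means async write
    return files
```

Running `destinations(RSYSLOG_CONF, sshd_facility(SSHD_CONFIG), "info")` yields `/var/log/secure`, while the same call with the commented-out default (facility AUTH) yields `/var/log/messages`, which is the behaviour the question describes.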