5

By default in RHEL 6, SSH server logs are sent to /var/log/secure. I want to change this location to a custom one. Is it possible to do that?

I have tried modifying the rsyslog.conf file, but it does not work.

derobert
Muasir

3 Answers

4

Choose an unused local facility. For example, local3 is not used for any logging in your system. So first edit the /etc/sshd_config configuration file.

 #SyslogFacility AUTH
 SyslogFacility local3

Now configure rsyslog to log local3 logs to a file that you need. Add the following to your /etc/rsyslog.conf.

#Logging sshd to another file. Using local3 facility.
local3.* /SOME/PATH/YOU/WANT/YOUR/SSHD/LOGS/TO-BE.log

Here /SOME/PATH/YOU/WANT/YOUR/SSHD/LOGS/TO-BE.log should of course be replaced by the location of the file where you want to redirect your sshd logs; sensibly, I hope, that could be /var/log/sshd.log.

Then as usual, restart the service:

   service rsyslog restart
beginer
  • Good idea to clarify: [*The only provision for custom facilities are local0 through local7*](https://unix.stackexchange.com/a/21064/163265) – ᴍᴇʜᴏᴠ Aug 30 '18 at 15:30
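
An added example, not part of any answer on this page: a shell check that reads sshd's SyslogFacility and lists every rsyslog rule that would receive its messages, which shows that a catch-all `*.info` selector also matches local3 unless `local3.none` is added to it. The function names and both sample files are constructed for illustration, and the parser only reads classic selector rules.

```shell
#!/bin/sh
# Added example: list the files that sshd's syslog messages would be written to.
# Simplification: only classic "facility.priority  action" rules are read, and
# every priority except "none" is treated as matching.

# Print sshd's effective facility (first SyslogFacility wins; default is AUTH).
sshd_facility() {
    awk 'tolower($1) == "syslogfacility" { print tolower($2); found = 1; exit }
         END { if (!found) print "auth" }' "$1"
}

# Print the action of each rule whose selector list covers that facility.
sshd_log_targets() {
    awk -v fac="$(sshd_facility "$1")" '
        /^[ \t]*(#|$)/ || /^[ \t]*[:$]/ { next }  # comments, blanks, filters, directives
        NF >= 2 {
            hit = 0
            n = split($1, sels, ";")
            for (i = 1; i <= n; i++) {            # later selectors override earlier ones
                split(sels[i], part, ".")
                m = split(tolower(part[1]), facs, ",")
                for (j = 1; j <= m; j++)
                    if (facs[j] == fac || facs[j] == "*") hit = (part[2] != "none")
            }
            if (hit) print $2
        }' "$2"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' '#SyslogFacility AUTH' 'SyslogFacility local3' > "$demo/sshd_config"
cat > "$demo/rsyslog.conf" <<'EOF'
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
local3.*                                    /var/log/sshd.log
EOF
# Same rules with local3 excluded from the catch-all selector.
sed 's/cron\.none/cron.none;local3.none/' "$demo/rsyslog.conf" > "$demo/rsyslog.fixed"

echo "targets with the catch-all unchanged:"
sshd_log_targets "$demo/sshd_config" "$demo/rsyslog.conf"
echo "targets with local3.none added:"
sshd_log_targets "$demo/sshd_config" "$demo/rsyslog.fixed"
```

sshd reads SyslogFacility only at startup, so the sshd service has to be restarted as well as rsyslog before the new facility is used.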
0

You need to change/add the following line in your /etc/rsyslog.conf file:

authpriv.*                                              /var/log/custom_secure

and restart your rsyslog daemon (service rsyslog restart).

kenorb
0

You can also specifically isolate the sshd log to another file.

Append this line to /etc/rsyslog.conf:

:programname, isequal, "sshd" /var/log/sshd.log

Note that the sshd log will be written to both /var/log/secure and /var/log/sshd.log, but this way we can isolate sshd to another file (no polkitd, no sudo, etc.).