94

I can't find my sshd logs in the standard places.

What I've tried:

  • Not in /var/log/auth.log
  • Not in /var/log/secure
  • Did a system search for 'auth.log' and found nothing
  • I've set /etc/ssh/sshd_config to explicitly use SyslogFacility AUTH and LogLevel INFO and restarted sshd and still can't find them.

I'm using OpenSSH 6.5p1-2 on Arch Linux.

oxfist
HXCaine

5 Answers

82

Try this command to view the log from systemctl:

journalctl -u sshd | tail -n 100

Tom Hale
smooth
  • 58
    This doesn't seem to work, but journalctl _COMM=sshd does. – wingedsubmariner Oct 21 '14 at 05:19
  • 10
    Ah, yes - systemctl being completely consistent and predictable as usual. –  Dec 12 '15 at 19:49
  • 8
    You can use the -f option to follow the log: journalctl -fu sshd – bzeaman Apr 01 '16 at 20:45
  • 1
    wingedsubmariner - I know it's been almost 4 years, but... do you remember what distro you were on at the time? I suspect the unit file on your distro was called "openssh" or just "ssh" rather than "sshd". The thing with the systemd project is they consider distros to be their users, and distros are free to use whatever names they want for unit files (like Debian calls apache's webserver apache2 while RedHat calls it httpd). – bobpaul May 25 '18 at 16:41
  • 4
    journalctl -t sshd -e – RedEyed Feb 23 '21 at 12:53
  • 1
    On my Raspberry Pi, the service was called ssh.service, so the command is: journalctl -u ssh.service – Erasmus Sep 01 '21 at 06:48
43

A better way to see the last part of the log is:

journalctl -u sshd -n 100

Using tail on the output of journalctl can be very slow. It took 5 minutes on a machine where I tried it, while the above command returns instantly.

don_crissti
eMBee
22

You should be able to filter messages from sshd using:

journalctl -u ssh

or (depending on your distribution)

journalctl -u sshd

which will show logs in a less-style format (you can search with /, navigate via PgUp, PgDown, etc.).

  • -e brings you to the end of logs.
  • -u parameter filters through meta field _SYSTEMD_UNIT which is (at least on Debian) set to ssh.service, thus sshd won't match.
  • -f follows logs in real-time
  • -n 100 displays given number of lines (useful with -f)

Alternatively you can use meta-fields filtering:

journalctl _COMM=sshd

You can display whole journal record with all meta-fields by exporting to JSON:

journalctl -u ssh -o json-pretty

that would give you something like:

    ...
    "_PID" : "7373",
    "_COMM" : "sshd",
    "_EXE" : "/usr/sbin/sshd",
    "_SYSTEMD_CGROUP" : "/system.slice/ssh.service",
    "_SYSTEMD_UNIT" : "ssh.service",
    ...

In case you wonder how to display only kernel messages:

journalctl -k -f

Tombart
  • Do you have an explanation for this strange syntax (journalctl _COMM=sshd)? – Ortomala Lokni Jan 05 '18 at 07:49
  • @OrtomalaLokni -u filters through metadata field _SYSTEMD_UNIT which is on Debian set to ssh.service. All params starting with underscore are accessing metafields. In a similar manner you can filter via _PID or _TRANSPORT. – Tombart Jan 08 '18 at 18:59
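
The answers above differ only in which filter matches on a given distribution: -u sshd, -u ssh (Debian, Raspberry Pi), or the _COMM=sshd field match. The following is an added example, not part of any answer, that probes those three filters in turn and then shows the last entries with -n instead of piping to tail; the function names and the JOURNALCTL override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find which journalctl filter selects sshd entries on this host.
# JOURNALCTL may be overridden (assumption, used here so the logic can be tested
# without a running journal).
JOURNALCTL=${JOURNALCTL:-journalctl}

# has_entries FILTER...: succeed if the filter selects at least one journal entry.
has_entries() {
    # -q suppresses informational lines, -o cat prints only the message text,
    # -n 1 asks for a single entry so the probe stays fast on large journals.
    out=$("$JOURNALCTL" -q --no-pager -o cat -n 1 "$@" 2>/dev/null \
          | grep -v '^-- ' || true)
    [ -n "$out" ]
}

# sshd_filter: print the first filter that yields entries, or return 1.
sshd_filter() {
    # Unit names seen on the page: sshd.service (e.g. Arch), ssh.service (Debian).
    for unit in sshd.service ssh.service; do
        if has_entries -u "$unit"; then
            printf '%s\n' "-u $unit"
            return 0
        fi
    done
    # Fall back to matching the _COMM field, which does not depend on the unit name.
    if has_entries _COMM=sshd; then
        printf '%s\n' "_COMM=sshd"
        return 0
    fi
    return 1
}

# sshd_tail [N]: show the last N (default 100) sshd entries using that filter.
sshd_tail() {
    filter=$(sshd_filter) || {
        echo "no sshd entries found in the journal" >&2
        return 1
    }
    # $filter is deliberately unquoted so "-u ssh.service" splits into two arguments.
    "$JOURNALCTL" --no-pager $filter -n "${1:-100}"
}

# Stand-alone use: ./script.sh show 50
case "${1:-}" in
    show) sshd_tail "${2:-100}" ;;
esac
```

If no filter matches when run as an unprivileged user, repeat the check as root or as a member of a group that can read the system journal.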
12

I have found the output of sshd and other core services in 'journalctl'.

See more at the Arch Wiki entry for systemd:

https://wiki.archlinux.org/index.php/Systemd/Journal

Jeff Schaller
HXCaine
1

Take a look at your syslog configuration. Most probably /etc/syslog.conf or /etc/rsyslog.conf. You should look for lines with auth, for example in my config:

auth,authpriv.* /var/log/auth.log

*.*;auth,authpriv.none -/var/log/syslog

b13n1u
  • 5
    Neither of those files exists. I believe those files are created by syslog-ng whereas Arch has replaced that with systemd – HXCaine Feb 08 '14 at 13:29
  • In Scientific Linux authpriv.* points to authpriv.* /var/log/secure inside the file /etc/rsyslog.conf – Salem F May 25 '18 at 10:31