How do I change the sshd logging file location on CentOS? sshd logs to /var/log/messages instead of /var/log/secure. How can I change the setting so sshd will stop sending logs to /var/log/messages?
Asked
Active
Viewed 1.1e+01k times
14
Gilles 'SO- stop being evil'
- 829,060
Jidrick
- 189
2 Answers
18
Please post your sshd_config something else would seem to be up. A stock CentOS system always logs to /var/log/secure.
Example
$ sudo tail -f /var/log/secure
Feb 18 23:23:34 greeneggs sshd[3545]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Feb 18 23:23:36 greeneggs sshd[3545]: Failed password for root from ::1 port 46401 ssh2
Feb 18 23:23:42 greeneggs unix_chkpwd[3555]: password check failed for user (root)
Feb 18 23:23:42 greeneggs sshd[3545]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Feb 18 23:23:43 greeneggs sshd[3545]: Failed password for root from ::1 port 46401 ssh2
Feb 18 23:23:48 greeneggs sshd[3545]: Accepted password for root from ::1 port 46401 ssh2
Feb 18 23:23:48 greeneggs sshd[3545]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 18 23:24:05 greeneggs sshd[3545]: Received disconnect from ::1: 11: disconnected by user
Feb 18 23:24:05 greeneggs sshd[3545]: pam_unix(sshd:session): session closed for user root
Feb 18 23:27:15 greeneggs sudo: saml : TTY=pts/3 ; PWD=/home/saml ; USER=root ; COMMAND=/bin/tail /var/log/secure
This is controlled through /etc/ssh/sshd_config:
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
As well as the contents of /etc/rsyslog.conf:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
Your issue
In one of your comments you mentioned that your rsyslogd config file was named /etc/rsyslog.config. That isn't the correct name for this file, and is likely the reason your logging is screwed up. Change the name of this file to /etc/rsyslog.conf and then restart the logging service.
$ sudo service rsyslog restart
slm
- 369,824
-
Thanks, I wondered, if "SyslogFacility AUTHPRIV" is commented out. How does sshd know what the defaults are? Are the defaults stored at some place you can edit? – Jidrick Feb 19 '14 at 06:28
-
The defaults are in the source code that was used to compile the
sshdexecutable file. If you want to override the defaults, you can givesshdcommand-line options or edit its config file. – Mark Plotnick Feb 19 '14 at 13:03 -
@MarkPlotnick - yes as is typically done in configuration files (as seen above) the defaults are shown in the config file but are then commmented out. So
sshwas compiled so thatLogLevelwas set toINFOby default. To overrride it you need to uncomment that line and then change its value. – slm Feb 19 '14 at 13:43
3
Default sshd syslog facility is AUTH, so it will be logged in syslog to /var/log/messages.
To make sshd log to new file, you can change it syslog facility to something others, then config syslog to log this new facility to new file, i.e:
In sshd_config, add this line:
SyslogFacility AUTHPRIV
Then in syslog.conf:
authpriv.* /var/log/secure
-
@Jidrick - something is very wrong with your box. It appears to be broken and missing things. – slm Feb 19 '14 at 04:51
-
-
@Gnouc -
SyslogFacility AUTHPRIVis already the default on RH distros. They override it as part of the packaging. – slm Feb 19 '14 at 04:55 -
-
@Jidrick - change the name of the file
/etc/rsyslog.configto/etc/rsyslog.conf. – slm Feb 19 '14 at 05:04 -
@Gnouc How does sshd know what the defaults are? Are the defaults stored at some place you can edit? – Jidrick Feb 19 '14 at 06:29
-
/var/log/messageis that really the location? It's generally/var/log/messages. – slm Feb 19 '14 at 04:25/var/log/messages, maybe OP has both ;-) – Anthon Feb 19 '14 at 04:45/var/log/auth.log– Eric Oct 10 '15 at 03:50