14

How do I change the sshd logging file location on CentOS? sshd logs to /var/log/messages instead of /var/log/secure. How can I change the setting so sshd will stop sending logs to /var/log/messages?

Jidrick
  • 189

2 Answers

18

Please post your sshd_config; something else would seem to be up. A stock CentOS system always logs to /var/log/secure.

Example

$ sudo tail -f /var/log/secure
Feb 18 23:23:34 greeneggs sshd[3545]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Feb 18 23:23:36 greeneggs sshd[3545]: Failed password for root from ::1 port 46401 ssh2
Feb 18 23:23:42 greeneggs unix_chkpwd[3555]: password check failed for user (root)
Feb 18 23:23:42 greeneggs sshd[3545]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Feb 18 23:23:43 greeneggs sshd[3545]: Failed password for root from ::1 port 46401 ssh2
Feb 18 23:23:48 greeneggs sshd[3545]: Accepted password for root from ::1 port 46401 ssh2
Feb 18 23:23:48 greeneggs sshd[3545]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 18 23:24:05 greeneggs sshd[3545]: Received disconnect from ::1: 11: disconnected by user
Feb 18 23:24:05 greeneggs sshd[3545]: pam_unix(sshd:session): session closed for user root
Feb 18 23:27:15 greeneggs sudo:     saml : TTY=pts/3 ; PWD=/home/saml ; USER=root ; COMMAND=/bin/tail /var/log/secure

This is controlled through /etc/ssh/sshd_config:

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

As well as the contents of /etc/rsyslog.conf:

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

Your issue

In one of your comments you mentioned that your rsyslogd config file was named /etc/rsyslog.config. That isn't the correct name for this file, and is likely the reason your logging is screwed up. Change the name of this file to /etc/rsyslog.conf and then restart the logging service.

$ sudo service rsyslog restart
slm
  • 369,824
  • Thanks, I wondered, if "SyslogFacility AUTHPRIV" is commented out. How does sshd know what the defaults are? Are the defaults stored at some place you can edit? – Jidrick Feb 19 '14 at 06:28
  • The defaults are in the source code that was used to compile the sshd executable file. If you want to override the defaults, you can give sshd command-line options or edit its config file. – Mark Plotnick Feb 19 '14 at 13:03
  • @MarkPlotnick - yes, as is typically done in configuration files (as seen above), the defaults are shown in the config file but are then commented out. So ssh was compiled so that LogLevel was set to INFO by default. To override it you need to uncomment that line and then change its value. – slm Feb 19 '14 at 13:43
3

Default sshd syslog facility is AUTH, so it will be logged in syslog to /var/log/messages.

To make sshd log to a new file, you can change its syslog facility to something else, then configure syslog to log this new facility to the new file, i.e.:

In sshd_config, add this line:

SyslogFacility AUTHPRIV

Then in syslog.conf:

authpriv.* /var/log/secure
slm
  • 369,824
cuonglm
  • 153,898
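Both answers rest on the same two facts: sshd tags its messages with the facility from SyslogFacility (AUTH if the directive is left commented out), and the selector lines in rsyslog.conf decide which file a given facility.priority lands in. The script below is an added example, not code from the question or either answer: it reads the effective SyslogFacility out of an sshd_config (first uncommented occurrence wins, as sshd_config(5) specifies; a commented line counts as the compiled-in default AUTH), then walks rsyslog.conf-style selector lines and reports which targets would receive a message. The config texts are constructed samples mirroring the stock CentOS lines quoted above; the selector evaluator covers only the classic `facility.priority` syntax with `*` and `none` (no `=`/`!` modifiers, no rsyslog property filters). Running it shows why auth.info ends up in /var/log/messages while authpriv.info ends up in /var/log/secure.

```shell
#!/bin/sh
# Added example: where does an sshd message land, given sshd_config and
# rsyslog.conf? Constructed sample configs; classic selector subset only.
set -f   # selectors like '*.info' must stay literal, never glob-expanded

# Constructed sshd_config fragments (stock CentOS, and one with the default).
SSHD_CONF_STOCK='# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO'
SSHD_CONF_DEFAULT='# Logging
#SyslogFacility AUTH
#LogLevel INFO'

# Constructed rsyslog.conf mirroring the stock CentOS routing rules.
RSYSLOG_CONF='# Log anything (except mail) of level info or higher.
# Do not log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*'

# Effective SyslogFacility: first uncommented directive wins (sshd_config(5));
# commented lines only document the compiled-in default, which is AUTH.
sshd_syslog_facility() {
    printf '%s\n' "$1" | awk '
        BEGIN { fac = "AUTH" }
        /^[ \t]*#/ { next }
        tolower($1) == "syslogfacility" { fac = toupper($2); exit }
        END { print fac }'
}

# Numeric rank of a syslog priority; "prio" in a selector means that rank or higher.
prio_rank() {
    case "$1" in
        debug) printf '%s\n' 0 ;;   info) printf '%s\n' 1 ;;
        notice) printf '%s\n' 2 ;;  warning|warn) printf '%s\n' 3 ;;
        err|error) printf '%s\n' 4 ;; crit) printf '%s\n' 5 ;;
        alert) printf '%s\n' 6 ;;   emerg|panic) printf '%s\n' 7 ;;
        '*') printf '%s\n' 0 ;;     *) printf '%s\n' 99 ;;   # unknown never matches
    esac
}

# selector_matches SELECTORS FACILITY PRIORITY -> exit 0 if selected.
# Classic semantics: ';'-separated selectors, '*' = any facility, 'none'
# drops a facility, and a later selector overrides an earlier one.
selector_matches() {
    sel_list=$1; fac=$2; prio=$3
    want=$(prio_rank "$prio")
    matched=1
    old_ifs=$IFS; IFS=';'
    for sel in $sel_list; do
        sel_fac=${sel%%.*}; sel_prio=${sel#*.}
        fac_hit=1
        IFS=','                     # facility part may be "auth,authpriv"
        for f in $sel_fac; do
            if [ "$f" = '*' ] || [ "$f" = "$fac" ]; then fac_hit=0; fi
        done
        IFS=';'
        [ $fac_hit -eq 0 ] || continue
        if [ "$sel_prio" = none ]; then
            matched=1
        elif [ "$(prio_rank "$sel_prio")" -le "$want" ]; then
            matched=0
        fi
    done
    IFS=$old_ifs
    return $matched
}

# route_message CONF FACILITY PRIORITY -> prints every matching target, one per line.
route_message() {
    conf=$1; fac=$2; prio=$3
    printf '%s\n' "$conf" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line                # word 1 = selectors, word 2 = target (set -f: no globbing)
        target=${2#-}               # a leading '-' only means "no fsync per write"
        if selector_matches "$1" "$fac" "$prio"; then
            printf '%s\n' "$target"
        fi
    done
}

# where_does_sshd_log SSHD_CONF RSYSLOG_CONF -> targets for an sshd INFO message.
where_does_sshd_log() {
    fac_lc=$(sshd_syslog_facility "$1" | tr 'A-Z' 'a-z')   # selectors use lowercase names
    route_message "$2" "$fac_lc" info
}

# Usage on the constructed samples:
printf 'auth.info     -> %s\n' "$(route_message "$RSYSLOG_CONF" auth info)"
printf 'authpriv.info -> %s\n' "$(route_message "$RSYSLOG_CONF" authpriv info)"
printf 'stock sshd    -> %s\n' "$(where_does_sshd_log "$SSHD_CONF_STOCK" "$RSYSLOG_CONF")"
printf 'default sshd  -> %s\n' "$(where_does_sshd_log "$SSHD_CONF_DEFAULT" "$RSYSLOG_CONF")"
```

The ordering rule is the part worth noticing: on the first rsyslog line, `*.info` selects authpriv and then `authpriv.none` takes it back, which is exactly why a stock box keeps password failures out of /var/log/messages and puts them only in /var/log/secure. Point `route_message` at your real files (`"$(cat /etc/rsyslog.conf)"`) to see what a misnamed or edited config actually routes.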