How do I change the sshd logging file location on CentOS? sshd logs to /var/log/messages instead of /var/log/secure. How can I change the setting so sshd will stop sending logs to /var/log/messages?

2 Answers
Please post your sshd_config; something else would seem to be up. A stock CentOS system always logs to /var/log/secure.
Example
$ sudo tail -f /var/log/secure
Feb 18 23:23:34 greeneggs sshd[3545]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Feb 18 23:23:36 greeneggs sshd[3545]: Failed password for root from ::1 port 46401 ssh2
Feb 18 23:23:42 greeneggs unix_chkpwd[3555]: password check failed for user (root)
Feb 18 23:23:42 greeneggs sshd[3545]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Feb 18 23:23:43 greeneggs sshd[3545]: Failed password for root from ::1 port 46401 ssh2
Feb 18 23:23:48 greeneggs sshd[3545]: Accepted password for root from ::1 port 46401 ssh2
Feb 18 23:23:48 greeneggs sshd[3545]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 18 23:24:05 greeneggs sshd[3545]: Received disconnect from ::1: 11: disconnected by user
Feb 18 23:24:05 greeneggs sshd[3545]: pam_unix(sshd:session): session closed for user root
Feb 18 23:27:15 greeneggs sudo: saml : TTY=pts/3 ; PWD=/home/saml ; USER=root ; COMMAND=/bin/tail /var/log/secure
This is controlled through /etc/ssh/sshd_config:
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
As well as the contents of /etc/rsyslog.conf:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
Your issue
In one of your comments you mentioned that your rsyslogd config file was named /etc/rsyslog.config. That isn't the correct name for this file, and is likely the reason your logging is screwed up. Change the name of this file to /etc/rsyslog.conf and then restart the logging service.
$ sudo service rsyslog restart

Thanks, I wondered, if "SyslogFacility AUTHPRIV" is commented out. How does sshd know what the defaults are? Are the defaults stored at some place you can edit? – Jidrick Feb 19 '14 at 06:28
The defaults are in the source code that was used to compile the sshd executable file. If you want to override the defaults, you can give sshd command-line options or edit its config file. – Mark Plotnick Feb 19 '14 at 13:03
@MarkPlotnick - yes as is typically done in configuration files (as seen above) the defaults are shown in the config file but are then commented out. So ssh was compiled so that LogLevel was set to INFO by default. To override it you need to uncomment that line and then change its value. – slm Feb 19 '14 at 13:43
Default sshd syslog facility is AUTH, so it will be logged in syslog to /var/log/messages.
To make sshd log to a new file, you can change its syslog facility to something else, then configure syslog to log this new facility to the new file, i.e.:
In sshd_config, add this line:
SyslogFacility AUTHPRIV
Then in syslog.conf:
authpriv.* /var/log/secure
@Jidrick - something is very wrong with your box. It appears to be broken and missing things. – slm Feb 19 '14 at 04:51
@Gnouc - SyslogFacility AUTHPRIV is already the default on RH distros. They override it as part of the packaging. – slm Feb 19 '14 at 04:55
@Jidrick - change the name of the file /etc/rsyslog.config to /etc/rsyslog.conf. – slm Feb 19 '14 at 05:04
@Gnouc How does sshd know what the defaults are? Are the defaults stored at some place you can edit? – Jidrick Feb 19 '14 at 06:29
/var/log/message is that really the location? It's generally /var/log/messages. – slm Feb 19 '14 at 04:25
/var/log/messages, maybe OP has both ;-) – Anthon Feb 19 '14 at 04:45
/var/log/auth.log – Eric Oct 10 '15 at 03:50
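
Added example, not part of either answer: a simplified Python model of how the two settings discussed in both answers combine, resolving sshd's effective SyslogFacility and then evaluating the rsyslog selector lines to see which file receives the messages. The function names, the constructed sample config strings and the subset of selector syntax handled (*, none, =priority, plain priority) are assumptions made for illustration.

```python
# Added example (not from the answers): simplified model of sshd + rsyslog routing.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample configs, modeled on the snippets quoted in the answers.
SSHD_CONFIG = "# Logging\n#SyslogFacility AUTH\nSyslogFacility AUTHPRIV\n#LogLevel INFO\n"
RSYSLOG_CONF = """\
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
"""

def sshd_facility(config_text):
    """Effective SyslogFacility: first uncommented value, else sshd's default AUTH."""
    for line in config_text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0].lower() == "syslogfacility":
            return words[1].lower()
    return "auth"

def selector_matches(selector, facility, severity):
    """Evaluate 'fac.pri;fac.pri'; each part overrides earlier parts for its facility."""
    matched, level = False, SEVERITIES.index(severity)
    for part in selector.split(";"):
        facs, _, pri = part.partition(".")
        if not {"*", facility} & set(facs.split(",")):
            continue
        if pri == "none":
            matched = False
        elif pri == "*":
            matched = True
        elif pri.startswith("="):
            matched = SEVERITIES.index(pri[1:]) == level
        else:
            matched = level <= SEVERITIES.index(pri)  # this severity or more severe
    return matched

def destinations(rsyslog_text, facility, severity="info"):
    """Log files whose selector accepts a facility.severity message."""
    files = []
    for line in rsyslog_text.splitlines():
        fields = line.split()
        if len(fields) != 2 or line.startswith(("#", "$")):
            continue
        if fields[1].startswith(("/", "-/")) and selector_matches(fields[0], facility, severity):
            files.append(fields[1].lstrip("-"))
    return files

if __name__ == "__main__":
    fac = sshd_facility(SSHD_CONFIG)
    print(fac, "->", destinations(RSYSLOG_CONF, fac))
    print("auth ->", destinations(RSYSLOG_CONF, "auth"))
```

With the sample rules, the authpriv.none term is what keeps authentication messages out of /var/log/messages; an sshd left on the AUTH facility is caught by *.info instead.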