How do I log ssh activity?

[errigour]

Hey I want to make sshd log its activity in a file called /home/sshd<username>.log directory/file. I was wondering if anyone could emial me a sshd log script they made up or can even push me toward a cool place to read up on how to program sshd. Anyways I would even be happy just know which ip addresses have touched port 22 if anyone knows a cool program I could add to linux to do something like that I would be deeply in depted to you. thankyou my user account is linuxrelik here and I think private mail is set to tell me when I get private mail by email. If you really would like to send me a cool email my email address is eric_justin_allan@cfl.rr.com

[deakons]

Are you referring to something similar to the output of "last" or "lastb"?

[errigour]

I want to log everything I can detect on port 22 to a file in the /home directory.

[mglenney]

Isn't the data you're looking for already in /var/log/secure?

[errigour]

Im not exactly sure everything you can monitor
on sockets. but thats a pretty neet log file.
thanks for the tip.

[pmcoleman]

Code:

last -d

Shows log of non-local logins with IP and name resolution.

Not sure I understand what you are really looking for: To log the actual content of an ssh connection, or the fact it occurred, or the IP the connection originated from.

Otherwise, start with /etc/init.d/ssh ....?

[errigour]

I prolly should wait till I go to school for networking and programming cause thats kind of what I am asking somone to tell me. heh hey anyone wanna post a c program that makes a log file and prints the activity on a network card to the log file? thanks for the last -d command also that helps alot.

[Ben Cotton]

I prolly should wait till I go to school for networking and programming cause thats kind of what I am asking somone to tell me. heh hey anyone wanna post a c program that makes a log file and prints the activity on a network card to the log file? thanks for the last -d command also that helps alot.

Do you mean something like tcpdump?

[spezticle]

I think this is what he means. A log file that mirrors, exactly, the activity through a ssh connection.
for example:

Code:

username@local_hostname:~$ ssh remote_hostname
username@remote_hostname's password: 
Linux remote_hostname 2.6.32-22-generic-pae #36-Ubuntu SMP Thu Jun 3 23:14:23 UTC 2010 i686 GNU/Linux
Ubuntu 10.04 LTS

Welcome to Ubuntu!
 * Documentation:  https://help.ubuntu.com/

  System information as of Wed Jun  9 23:08:08 CDT 2010

  System load:    0.0               Swap usage:  0%     Users logged in: 0
  Usage of /home: 0.0% of 16.66GB   Temperature: 40 C
  Memory usage:   13%               Processes:   119

  Graph this data and manage this system at https://landscape.canonical.com/


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Wed Jun  9 22:49:34 2010 from remote_hostname.info
Could not chdir to home directory /home/username: No such file or directory
username@remote_hostname:/$ cd /etc
username@remote_hostname:/etc$ cd apache2
username@remote_hostname:/etc/apache2$ dir
apache2.conf  envvars	  magic		  mods-enabled	sites-available
conf.d	      httpd.conf  mods-available  ports.conf	sites-enabled
username@remote_hostname:/etc/apache2$ cd ..
username@remote_hostname:/etc$ cd ..
username@remote_hostname:/$ cd /home
username@remote_hostname:/home$ cd /
username@remote_hostname:/$ sudo -i mkdir this_is_what_he_means
[sudo] password for username: 
username@remote_hostname:/$ dir
bin   cdrom  etc   initrd.img	   lib	  mnt  proc  sbin     srv  tftpboot  usr  vmlinuz
boot  dev    home  initrd.img.old  media  opt  root  selinux  sys  tmp	     var  vmlinuz.old
username@remote_hostname:/$

and i too, am wondering how to do this task.

[spezticle]

actually script works great.
but it only logs yourself, not if, for example, i have an open SSH server and user 'jane' logs in, i'm not going to see the activity.