- 11-06-2006 #1
Where are sshd logs kept?
Hi Guys,
I've just started up my own ssh server (you can read about the whole sorry affair in this thread), and I'm feeling a little paranoid, so I'd like to have a look at the ssh logs to see failed login attempts, script kids trying to brute-force a connection, etc., but I can't find the logs at all!!
Some sites I've found have said that the logs should be at /var/log/secure, but this file doesn't exist on my machine.
Can anyone give me a hint where to find them?
Thanks.
Registered Linux user #388328 || Registered LFS user #15880
AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
Need instant help? Try us on IRC -- #linuxforums on freenode
- 11-06-2006 #2
From searching through the sshd man page, it looks like the log reports are supposed to go to the system log (/var/log/syslog). However, my syslog shows no log reports from sshd, even though I ssh into my machine daily. So you may need to turn up the logging level in your config to see the reports you want. Try changing the LogLevel to VERBOSE, or check the man page for sshd_config for more options (under the LogLevel description).
Stand up and be counted as a Linux user!
- 11-06-2006 #3
Thanks Zelmo.
I don't seem to have that file (/var/log/syslog). Maybe SUSE keeps it somewhere different?
- 11-06-2006 #4
You can find most of what you're looking for in /var/log/messages, which is where SUSE usually puts things. I usually run the following three searches with root privilege to get a good picture:
Code:
grep -ir ssh /var/log/*
grep -ir breakin /var/log/*
grep -ir security /var/log/*
- 11-06-2006 #5
Thanks bigtom.
Wow. Looks like someone tried to log in with a long list of usernames on Sunday morning. Looks like several hundred attempts in less than 10 minutes!
Luckily I only allow the one user, and don't allow password authentication, so I guess I'm safe from these kinds of attacks -- thanks to everyone's advice here!!!
Scary though....
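To put numbers on a burst like the one described in the last post, here is an added example (not part of the original thread) that counts rejected sshd logins per source address in a syslog-format file such as /var/log/messages. The function names, sample log lines and documentation-range addresses are constructed, and it assumes the usual OpenSSH "Invalid user ... from ..." and "Failed password for ... from ..." message forms.

```shell
#!/bin/sh
# Added example, not from the thread: failed sshd logins per source address.
# Usage on a live system (as root): summarize_failed_ssh < /var/log/messages
# Prints tab-separated: source, attempts, distinct usernames, first seen, last seen.
summarize_failed_ssh() {
  awk '
    $5 !~ /^sshd\[[0-9]+\]:$/ { next }   # keep only lines written by sshd
    {
      start = 0
      if ($6 == "Invalid" && $7 == "user") {
        start = 8
      } else if ($6 == "Failed" && $7 == "password" && $8 == "for") {
        if ($9 == "invalid") next   # already counted by its "Invalid user" line
        start = 9
      }
      if (!start) next
      from = 0   # use the LAST "from": a username may itself contain " from "
      for (i = start; i < NF; i++) if ($i == "from") from = i
      if (!from) next
      src = $(from + 1); user = ""
      for (i = start; i < from; i++) user = user (i > start ? " " : "") $i
      stamp = $1 " " $2 " " $3
      attempts[src]++
      if (!((src, user) in seen)) { seen[src, user] = 1; users[src]++ }
      if (!(src in first)) first[src] = stamp
      last[src] = stamp
    }
    END {
      for (s in attempts)
        printf "%s\t%d\t%d\t%s\t%s\n", s, attempts[s], users[s], first[s], last[s]
    }
  ' | sort -t "$(printf '\t')" -k2,2nr -k1,1
}

# Constructed sample lines (hypothetical host, PIDs and addresses).
sample_log() {
  cat <<'EOF'
Nov  5 06:12:01 linux sshd[4101]: Invalid user admin from 203.0.113.45
Nov  5 06:12:03 linux sshd[4103]: Invalid user test from 203.0.113.45
Nov  5 06:12:05 linux sshd[4105]: Invalid user guest from 203.0.113.45
Nov  5 06:12:06 linux sshd[4105]: Failed password for invalid user guest from 203.0.113.45 port 40022 ssh2
Nov  5 06:12:08 linux sshd[4107]: Invalid user admin from 203.0.113.45
Nov  5 06:30:10 linux sshd[4200]: Failed password for root from 198.51.100.7 port 51514 ssh2
Nov  5 07:01:44 linux sshd[4310]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Nov  5 07:02:00 linux su: (to root) alice on /dev/pts/0
EOF
}
sample_log | summarize_failed_ssh
```

A source with many attempts and many distinct usernames between its first and last timestamps is the username-list pattern described above.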
