38

Can someone please tell me where to find the SSHD log on RedHat and SELinux? I would like to view the log to see who is logging into my account.

user150591

  • Sheesh - if you have to ask "who is logging into my account", it's already game over. See [How do I deal with a compromised server](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server). – EEAA Jan 10 '13 at 15:36
  • Given the fact that RHEL7 will use a different logging system, could you add a tag with the specific version you're using? – Cristian Ciupitu May 22 '14 at 14:14

6 Answers

55

Login records are usually in /var/log/secure. I don't think there is a log specific to the SSH daemon process, unless you've broken it out from other syslog messages.

John

  • /var/log/secure is not there... is it a bad sign? – marcio May 22 '14 at 02:27
  • If you're on Red Hat Enterprise Linux, Fedora, or a RHEL derivative like CentOS, then yes, this is a bad sign. Something is wrong. – John May 22 '14 at 11:31
  • I've read that Fedora uses journalctl instead of `/var/log/secure`. With `journalctl _COMM=sshd` I could see all ssh activity and everything seems fine :D – marcio May 22 '14 at 13:37
7

In addition to @john's answer, some distributions are now using journalctl by default. If that's your case, you're probably able to see sshd activity through:

journalctl _COMM=sshd

You will see output like this:

Abr 15 02:28:17 m sshd[26284]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Abr 15 02:28:18 m sshd[26284]: Failed password for root from 127.0.0.1 port **** ssh2
Abr 15 02:28:19 m sshd[26284]: Connection closed by 127.0.0.1 [preauth]
Abr 15 02:28:25 m sshd[26296]: Accepted password for **** from 127.0.0.1 port **** ssh2
Abr 15 02:28:25 m sshd[26296]: pam_unix(sshd:session): session opened for user **** by (uid=0)
Abr 15 02:28:28 m sshd[26301]: Received disconnect from 127.0.0.1: 11: disconnected by user
Abr 15 02:28:58 m sshd[26231]: Received signal 15; terminating.
Abr 15 02:28:58 m sshd[26828]: Server listening on 0.0.0.0 port 22.
marcio

  • There's also `journalctl _SYSTEMD_UNIT=sshd.service`, the difference being that it will get only the logs for the service, excluding any other possible **sshd** instances (for example, someone runs another SSH server in parallel). – Cristian Ciupitu May 22 '14 at 14:12
3

The log is in fact located at /var/log/secure on RHEL systems. An SSHD connection will look something like this:

Jan 10 09:49:04 server sshd[28651]: Accepted publickey for [username] from x.x.x.x port 61000 ssh2
Jan 10 09:49:04 server sshd[28651]: pam_unix(sshd:session): session opened for user [username] by (uid=0)

The most important part for determining whether or not your account has been compromised is the IP address.

EEAA
Ethabelle
1

If you are using RHEL/CentOS 7, your system will be using systemd, and therefore journalctl. As mentioned above, you can use journalctl _COMM=sshd. However, you should also be able to view this with the following command:

# journalctl -u sshd

You can verify your version of Red Hat with the following command as well:

# cat /etc/*release

This will show you version information about your version of Linux.

Michael Hampton
86bornprgmr
0

You can simply use the below commands to see who is logging into your account:

Log file in Red Hat: /var/log/secure

  • Using the journalctl command:

    $ journalctl -u sshd

  • Using the ausearch command:

    $ ausearch --message USER_LOGIN --success no --interpret

asmath
0

Check out /var/log/secure. Secure logs get rotated, so you may need to search previous files as well, e.g. /var/log/secure-20190903.

You may also be interested in searching the log file for specific lines (I just banged on the keyboard to generate those sample IP addresses, so please don't attribute too much meaning to them):

sudo grep -e 52.32.98.225 -e 56.33.22.215 /var/log/secure*
joar
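The log lines shown in marcio's and Ethabelle's answers and the rotated files joar mentions can be handled together. As an added example that is not part of any answer on this page, the Python below writes constructed sample lines (same sshd message text as above, with RFC 5737 documentation addresses instead of real ones) into a temporary directory laid out like /var/log, reads both the live secure file and a gzip-compressed rotated copy, and tallies accepted logins by user, source address and authentication method alongside failed attempts. The file names, log lines, addresses and function names are constructed for the example; the regex follows the message text visible in the answers.

```python
import gzip
import os
import re
import tempfile
from collections import Counter

# Constructed sample lines in the two shapes shown on this page: /var/log/secure
# syslog lines and journalctl output carry the same sshd message text. Not real records.
CURRENT_LOG = """\
Jan 10 09:49:04 server sshd[28651]: Accepted publickey for alice from 203.0.113.7 port 61000 ssh2
Jan 10 09:49:04 server sshd[28651]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 10 10:02:11 server sshd[28702]: Failed password for root from 198.51.100.9 port 40022 ssh2
Jan 10 10:02:14 server sshd[28702]: Failed password for invalid user admin from 198.51.100.9 port 40023 ssh2
"""
ROTATED_LOG = """\
Jan 03 22:15:40 server sshd[19881]: Accepted password for alice from 198.51.100.9 port 51512 ssh2
Jan 03 22:15:40 server sshd[19881]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# Matches "Accepted <method> for <user> from <ip> port <port>" and
# "Failed <method> for [invalid user] <user> from <ip> port <port>".
EVENT_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\S+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\S+)"
)


def parse_sshd_line(line):
    """Return a dict for an authentication result line, or None for anything else
    (session open/close, disconnects, daemon restarts)."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["invalid"] = event["invalid"] is not None
    return event


def read_log(path):
    """Read a secure log or a rotated copy; logrotate often compresses older copies to .gz."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as f:
        return f.read().splitlines()


def summarize(paths):
    """Count accepted logins per (user, ip, method) and failed attempts per (user, ip)."""
    accepted = Counter()
    failed = Counter()
    for path in paths:
        for line in read_log(path):
            event = parse_sshd_line(line)
            if event is None:
                continue
            if event["outcome"] == "Accepted":
                accepted[(event["user"], event["ip"], event["method"])] += 1
            else:
                failed[(event["user"], event["ip"])] += 1
    return accepted, failed


def secure_log_files(logdir):
    """All secure* files in logdir, oldest rotation first (secure-YYYYMMDD names sort by date),
    with the live 'secure' file last."""
    names = [n for n in os.listdir(logdir) if n == "secure" or n.startswith("secure-")]
    rotated = sorted(n for n in names if n != "secure")
    live = ["secure"] if "secure" in names else []
    return [os.path.join(logdir, n) for n in rotated + live]


def demo():
    """Write the constructed samples into a temp dir shaped like /var/log and summarize them."""
    with tempfile.TemporaryDirectory() as logdir:
        with open(os.path.join(logdir, "secure"), "w") as f:
            f.write(CURRENT_LOG)
        with gzip.open(os.path.join(logdir, "secure-20190903.gz"), "wt") as f:
            f.write(ROTATED_LOG)
        accepted, failed = summarize(secure_log_files(logdir))
        for (user, ip, method), n in sorted(accepted.items()):
            print(f"ACCEPTED {user:<8} from {ip:<15} via {method:<9} x{n}")
        for (user, ip), n in sorted(failed.items()):
            print(f"FAILED   {user:<8} from {ip:<15} x{n}")
        return accepted, failed


if __name__ == "__main__":
    demo()
```

Run it as a script to print the summary. Against a real host you would pass `secure_log_files("/var/log")` to `summarize()` (reading those files needs root). An accepted login for your user from an address you do not recognise is what to look for, which is the point Ethabelle's answer makes about the IP address; and, as EEAA's comment notes, logs read from the host itself are only as trustworthy as that host.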