Let's assume there are two servers (Server A and Server B). I am seeing failed root ssh login attempts from Server A to Server B. Root login over ssh has been disabled on both of the servers.
I would like to find all the command history on Server A, i.e. find all users who ran ssh on Server A.
Or
Add auditing on Server B in such a way that the log message will show the OS ID on Server A that was trying to ssh as root from A.
Example: User1 is present on Server A and tries to ssh to Server B as root, with failed login attempts. The Server B log should show that ssh for root failed and that it came from Server A, from user user1.
Note: No one can log in to Server A apart from the admin. There are also no crontab entries on Server A. I suspect the vendor package that has been installed on Server A may be doing ssh as root to Server B, as both are part of a cluster.
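Added example, not part of the original post: one way to attribute the outbound attempts on Server A is to audit every execution of the ssh client there and read back which uid and parent process asked for root. The rule key `ssh_out`, the client path `/usr/bin/ssh`, the host name `serverB` and the log records below are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

UNSET_AUID = "4294967295"  # audit's value for "no login session" (daemon/service)

# Constructed sample records, in the shape auditd writes for an assumed rule such as:
#   -a always,exit -F arch=b64 -S execve -F path=/usr/bin/ssh -k ssh_out
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2244 auid=1001 uid=1001 euid=1001 comm="ssh" exe="/usr/bin/ssh" key="ssh_out"
type=EXECVE msg=audit(1700000000.101:501): argc=2 a0="ssh" a1="user1@serverB"
type=SYSCALL msg=audit(1700000060.412:502): arch=c000003e syscall=59 success=yes exit=0 ppid=913 pid=2301 auid=4294967295 uid=0 euid=0 comm="ssh" exe="/usr/bin/ssh" key="ssh_out"
type=EXECVE msg=audit(1700000060.412:502): argc=4 a0="ssh" a1="-l" a2="root" a3="serverB"
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit event serial; keep SYSCALL fields and EXECVE argv."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "EXECVE":
            argc = int(fields.get("argc", 0))
            events[serial]["argv"] = [fields.get(f"a{i}", "") for i in range(argc)]
        elif rtype == "SYSCALL":
            events[serial].update(fields, time=float(ts))
    return events

def root_ssh_attempts(text):
    """Return outbound ssh runs that ask for root (root@host or -l root only)."""
    hits = []
    for serial, ev in parse_events(text).items():
        argv = ev.get("argv", [])
        as_root = any(a.startswith("root@") for a in argv) or any(
            a == "-l" and b == "root" for a, b in zip(argv, argv[1:]))
        if ev.get("key") == "ssh_out" and as_root:
            # service=True: no login session, so a daemon or package started it
            hits.append({"serial": serial, "uid": ev["uid"], "ppid": ev["ppid"],
                         "service": ev["auid"] == UNSET_AUID, "argv": argv})
    return hits
```

A hit with `service` set means the process had no interactive login behind it, so the `ppid` is the next thing to resolve to a service or package on Server A. Server B's sshd log can only show the source address and the requested account, because the ssh protocol does not send the local user name of the client.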