Where to find SSH Login log files on centos

13

I have shared a .pem file with a few developers and now something went wrong on the server. I would like to track logins in a log so that I can see who (IP) made changes and when, and (if even possible) what changes happened in that session.

I tried looking in /var/logs/auth.log, but I cannot find such a file on my machine.

A few more details:

Hosted on AWS
Created and shared .pem file
CentOS - centos-release-7-2.1511.el7.centos.2.10.x86_64
EC2 instance
I have not set flow log

Can someone help to track SSH login details?

ULLAS K

Posted 2017-07-01T09:27:18.527

Reputation: 233

Answers

15

On CentOS login information is logged in /var/log/secure, not /var/logs/auth.log.

blah

Posted 2017-07-01T09:27:18.527

Reputation: 166

3

In CentOS 7 the SSH logs are located at "/var/log/secure"

If you want to monitor in real time, you may use the tail command as shown below:

tail -f -n 50 /var/log/secure | grep sshd

jose miguel rivera rodríguez

Posted 2017-07-01T09:27:18.527

Reputation: 31

2

lastlog(8) will report the most recent information from the /var/log/lastlog facility, if you have pam_lastlog(8) configured.

aulastlog(8) will make a similar report, but from the audit logs in /var/log/audit/audit.log. (Recommended, as auditd(8) records are harder to tamper with than syslog(3) records.)

ausearch -c sshd will search your audit logs for reports from the sshd process.

last(8) will search through /var/log/wtmp for the most recent logins. lastb(8) will show bad login attempts.

/root/.bash_history might contain some details, assuming the goober who fiddled with your system was incompetent enough to not remove it before logging out.

Make sure you check ~/.ssh/authorized_keys files for all users on the system, check crontabs to make sure no new ports are scheduled to be opened at some point in the future, etc.

Note that all logs stored on the local machine are suspect; the only logs you can realistically trust are forwarded to another machine that wasn't compromised. Perhaps it would be worth investigating centralized log handling via rsyslog(8) or auditd(8) remote machine handling.

You can also try:

grep sshd /var/log/audit/audit.log

And:

last | grep [username]

or

last | head 

Nikita 웃

Posted 2017-07-01T09:27:18.527

Reputation: 129

.bash_history only contains commands passed in a bash session. If you have SSH access, you can also access/manage all the files via SFTP unless this has been disabled. – xenoid – 2017-07-01T13:28:01.480
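Because everyone holding the shared .pem logs in as the same user with the same key, the source IP (and the time window) is what tells the sessions apart. The following is an added example, not code from any answer on this page: a small Python parser for the sshd lines in /var/log/secure (the lines `journalctl -u sshd` prints have the same shape, so it reads those too) that lists accepted logins with their source IP and auth method, pairs each with the "session closed" line of the same sshd pid to get a session end time, and counts failed attempts per IP. The log lines embedded below are constructed samples using documentation IP ranges; the optional file path argument is an assumption.

```python
"""Summarise sshd logins from CentOS /var/log/secure (or `journalctl -u sshd`
output, which has the same syslog-style shape). Constructed sample lines are
embedded so it runs offline; pass a path to read a real log instead."""
import re
import sys
from collections import defaultdict

# Syslog-style prefix shared by /var/log/secure and journalctl's default output.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Successful authentication. The key fingerprint suffix is optional because
# whether and how it is logged depends on the OpenSSH version.
ACCEPT_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
    r"(?: ssh2(?:: (?P<fp>.+))?)?$"
)
FAIL_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
CLOSE_RE = re.compile(r"^pam_unix\(sshd:session\): session closed for user (?P<user>\S+)")

# Constructed sample of /var/log/secure (hostname, pids and IPs are made up).
SAMPLE_LOG = """\
Jul  1 09:27:18 ip-10-0-0-12 sshd[2345]: Accepted publickey for centos from 203.0.113.5 port 51234 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jul  1 09:27:18 ip-10-0-0-12 sshd[2345]: pam_unix(sshd:session): session opened for user centos by (uid=0)
Jul  1 09:31:02 ip-10-0-0-12 sshd[2401]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jul  1 09:31:05 ip-10-0-0-12 sshd[2401]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jul  1 09:31:09 ip-10-0-0-12 sshd[2401]: Connection closed by 198.51.100.7 port 40022 [preauth]
Jul  1 10:02:44 ip-10-0-0-12 sshd[2577]: Accepted publickey for centos from 192.0.2.33 port 60011 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jul  1 10:15:00 ip-10-0-0-12 sshd[2345]: pam_unix(sshd:session): session closed for user centos
"""


def parse_sshd_events(lines):
    """Return one dict per accepted login, failed attempt or session close."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not an sshd line (other daemons log to secure as well)
        base = {"ts": m["ts"], "pid": int(m["pid"])}
        msg = m["msg"]
        a = ACCEPT_RE.match(msg)
        if a:
            events.append({**base, "event": "accepted", "user": a["user"], "ip": a["ip"],
                           "port": int(a["port"]), "method": a["method"],
                           "fingerprint": a["fp"]})
            continue
        f = FAIL_RE.match(msg)
        if f:
            events.append({**base, "event": "failed", "user": f["user"], "ip": f["ip"],
                           "port": int(f["port"]), "method": f["method"],
                           "invalid_user": f["invalid"] is not None})
            continue
        c = CLOSE_RE.match(msg)
        if c:
            events.append({**base, "event": "closed", "user": c["user"]})
    return events


def sessions(events):
    """Pair each accepted login with the session-closed line of the same sshd pid.

    pids are reused over time, so a close line only matches a still-open session
    with that pid; a session with no close line (still open, or rotated away)
    keeps end=None."""
    open_by_pid, result = {}, []
    for ev in events:
        if ev["event"] == "accepted":
            s = {"user": ev["user"], "ip": ev["ip"], "start": ev["ts"], "end": None,
                 "method": ev["method"], "fingerprint": ev["fingerprint"]}
            open_by_pid[ev["pid"]] = s
            result.append(s)
        elif ev["event"] == "closed" and ev["pid"] in open_by_pid:
            open_by_pid.pop(ev["pid"])["end"] = ev["ts"]
    return result


def attempts_by_ip(events):
    """Count accepted and failed authentication attempts per source IP."""
    counts = defaultdict(lambda: {"accepted": 0, "failed": 0})
    for ev in events:
        if ev["event"] in ("accepted", "failed"):
            counts[ev["ip"]][ev["event"]] += 1
    return dict(counts)


def main(path=None):
    if path:  # e.g. /var/log/secure, or a file saved from `journalctl -u sshd`
        with open(path) as fh:
            events = parse_sshd_events(fh)
    else:
        events = parse_sshd_events(SAMPLE_LOG.splitlines())
    for s in sessions(events):
        print(f"{s['start']}  {s['user']:<10} {s['ip']:<16} {s['method']:<10} ended={s['end']}")
    for ip, c in attempts_by_ip(events).items():
        print(f"{ip:<16} accepted={c['accepted']} failed={c['failed']}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with no argument to see the sample output, or give it the path to /var/log/secure (it must be readable, so usually as root). On the sample it reports two accepted sessions for user centos from different IPs, one of them still open, and two failed password attempts for a non-existent user from a third address. As the answer above notes, this only tells you what the local log says; if the log was edited after the fact, only a copy forwarded elsewhere can be trusted.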

-2

try this one

tail -500 /var/log/auth.log | grep 'sshd'

Arashbas

Posted 2017-07-01T09:27:18.527

Reputation: 3

There is no such file, and even /etc/syslog.conf is not there – ULLAS K – 2017-07-01T10:37:59.440

try these commands:

journalctl -u sshd | tail -100

journalctl -u sshd

journalctl _COMM=sshd -f -n 100

– Arashbas – 2017-07-01T10:46:16.390

Please edit your answer with the proper solution – yass – 2017-07-01T18:50:55.473