I have Ubuntu 9.10 installed with sshd and I can successfully connect to it using login and password. I have configured an RSA key login and now have "Server refused our key" as expected. OK, now I want to check the sshd log in order to figure out the problem. I have examined /etc/ssh/sshd_config and it has:

SyslogFacility AUTH
LogLevel INFO

OK. I'm looking at /var/log/auth.log and... it's empty O_O. Changing LogLevel to VERBOSE doesn't help - auth.log is still empty. Any hints on how I can check the sshd log?

5  
Did you check your syslog configuration? I don't run Ubuntu, but it may redirect the AUTH facility to a different logfile. Maybe /var/log/messages ? – Prof. Moriarty Apr 8 '10 at 10:23
    
How do I check a syslog configuration? Unfortunately, I'm not very good at Linux :(. cat /var/log/messages | grep ssh shows nothing :(. – Eye of Hell Apr 8 '10 at 10:28
    
You are correct. /etc/syslog.conf redirects AUTH to /var/log/auth.log. Please write your answer so I can accept it :) – Eye of Hell Apr 8 '10 at 10:31
    
On my machine: The system logs are set in /etc/rsyslog.conf, which in turn includes /etc/rsyslog.d/* The actual file setting the location of the logs is /etc/rsyslog.d/50-default.conf. – Richard Holloway Apr 8 '10 at 11:53
1  
On my servers, sshd logs to /var/log/secure. This is configured in /etc/rsyslog.conf, on the line beginning "authpriv.*" – Isaac Betesh Jun 20 '13 at 14:34
up vote 8 down vote accepted

If no one else is using the system at the moment you could do what I've done in such cases:

  • stop the sshd service (at least I've been able to do this while logged in via ssh)
  • start sshd manually and add some -d options to get more verbose debug output. Unless you have something funky going on, it should use the same keys and config it does when started properly
71  
Stopping SSHD on a remote server is a really bad idea. This may solve the problem for some (or most) setups most of the time, but if ANYTHING goes wrong - your connection, power on either end, forgetfulness, etc - you're locked out of the box. Which is bad news. – Sudowned Nov 21 '12 at 18:58
1  
Well, it should be noted that the only way you could start the service after manually stopping it would be to have some other kind of access to it, like another non-SSH remote connection, or you're sitting in front of it. – Spencer Williams Apr 23 '15 at 16:32
5  
How does this answer the question? I landed here from a web search expecting to learn how to check the SSHD log files, not what worked for you for some problem... Damn I wish readers on the Stack Exchange network would actually read and answer the question at hand, and not the question they want it to be.... – jww Aug 23 '15 at 16:00
    
You can start another sshd on another port. Connect to that one. Then stop the main sshd and start a new one on port 22. If anything fails, reboot the box using your DRAC or cloud management. You should have sshd starting on boot right? No worries. – Bruno Bronosky Feb 17 at 14:43

Creating an answer based on the comments above, credit to @Prof. Moriarty and @Eye of Hell

SSH auth failures are logged here: /var/log/auth.log

The following should give you only ssh-related log lines:

grep 'sshd' /var/log/auth.log

To be on the safe side, get the last few hundred lines and then search (because if the log file is too large, grep on the whole file would consume more system resources, not to mention that it will take longer to run):

tail -n 500 /var/log/auth.log | grep 'sshd'

    
Thanks for the edit. That was an error on my part, should've been tail in the first place (not less). Like I say in the text - "get the last few hundred lines and then search" – Ram Sep 13 '13 at 18:32
2  
This answer. Other answer with green arrow is bogus. Change arrow. – nottinhill Aug 4 '14 at 23:58
2  
Why not use tail -f ... to monitor it in real time? Would this be an issue with larger log files? – ing0 Feb 2 '15 at 12:12
3  
less +F ... will 'tail' in real time, and it's much more powerful than tail – northben May 7 '15 at 15:45
2  
And lnav is even better than less/tail – Wayne Werner Jan 13 '16 at 18:17
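
The comments above find the sshd log by reading the syslog configuration (/etc/syslog.conf, /etc/rsyslog.conf, /etc/rsyslog.d/50-default.conf). As an added example, not part of any post on this page, the shell function below reads traditional selector lines and prints the files a given facility is written to. The function names, the sample rules and the simplifications noted in the comments are assumptions.

```shell
#!/bin/sh
# Added example: which files does a syslog facility end up in?
# Handles traditional "selector  action" lines only; priority operators
# (=, !) and rsyslog RainerScript blocks are ignored (simplifying assumption).

# auth_log_targets FACILITY [FILE...]   (reads stdin when no FILE is given)
auth_log_targets() {
    fac=$1; shift
    awk -v fac="$fac" '
        /^[ \t]*#/  { next }                 # comment
        /^[ \t]*\$/ { next }                 # rsyslog $Directive / $IncludeConfig
        NF < 2      { next }                 # blank or not a rule
        {
            action = $2
            sub(/^-/, "", action)            # leading "-" only turns off sync-per-write
            if (action !~ /^\//) next        # keep file targets, skip users/hosts/pipes
            hit = 0
            n = split($1, sels, ";")
            for (i = 1; i <= n; i++) {
                dot = index(sels[i], ".")
                if (dot == 0) continue
                prio = substr(sels[i], dot + 1)
                m = split(substr(sels[i], 1, dot - 1), facs, ",")
                for (j = 1; j <= m; j++)
                    if (facs[j] == fac || facs[j] == "*")
                        hit = (prio != "none")   # later selector overrides earlier
            }
            if (hit) print action
        }
    ' "$@"
}

# Constructed sample rules in the style of /etc/rsyslog.d/50-default.conf.
sample_conf() {
    cat <<'EOF'
# constructed sample, not copied from a real host
$FileOwner syslog
auth,authpriv.*           /var/log/auth.log
*.*;auth,authpriv.none    -/var/log/syslog
kern.*                    -/var/log/kern.log
*.emerg                   :omusrmsg:*
EOF
}

sample_conf | auth_log_targets auth
```

On a real host, pass the configuration files named in the comments, for example `auth_log_targets auth /etc/rsyslog.conf /etc/rsyslog.d/*.conf`, and use `authpriv` instead of `auth` if sshd_config sets that facility.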
