Solved

Linux Fedora Core - SSH logs??

Posted on 2006-12-01
Last Modified: 2013-12-06

Can someone provide me with a step-by-step guide on how to record user actions and authentications (possibly logging access denied and user granted) using SSH on Fedora Core?

I’ve been through /var/logs/ and there doesn’t seem to be anything obvious that I can view!

Any suggestions would be much appreciated, thanks!
Question by:the_omnific
12 Comments
 
LVL 4

Expert Comment

by:wbstech
ID: 18052514
You need to be looking for:

/var/logs/sshd
/var/logs/secure

Could you post up /etc/syslog.conf from your Linux machine?

That's where you'll need to add it. Once you post it up, I'll be able to post it back with the required additions. Or tell you where it is, if already there.
0
 
LVL 14

Expert Comment

by:ygoutham
ID: 18052523
You can only see who logged in and out from /var/log/secure. What do you mean by recording user actions? I do not think that you can record something of that nature, like capturing every command issued and stuff like that.
0
 
LVL 14

Expert Comment

by:ygoutham
ID: 18052527
Once you see the user logging in and out, you can probably get the information on the set of commands issued by the user from

/home/user_name/.history

That file will show all commands issued by the user (at least 1000 commands), but will not give you any idea about when the commands were issued.
0
 
LVL 4

Expert Comment

by:wbstech
ID: 18052532
Didn't fully grasp what you were asking there. Yeh ygoutham is right; the logs aren't going to record everything. Just authentication and errors really.
0
 
LVL 1

Author Comment

by:the_omnific
ID: 18052543
This is my syslog.conf:

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                          /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none            /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                    /var/log/secure

# Log all the mail messages in one place.
mail.*                                          -/var/log/maillog


# Log cron stuff
cron.*                                          /var/log/cron

# Everybody gets emergency messages
*.emerg                                          *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                    /var/log/spooler

# Save boot messages also to boot.log
local7.*                                    /var/log/boot.log
0
 
LVL 1

Author Comment

by:the_omnific
ID: 18052566
I just thought it might have been interesting to view the logon attempts. I don't necessarily require the need to know every command a user performs once they have access. It would just be nice to know what was going on etc.
0
 
LVL 4

Expert Comment

by:wbstech
ID: 18052592
Try running:

cat /var/log/secure

I think they should already be in there.
0
 
LVL 1

Author Comment

by:the_omnific
ID: 18052662
Thanks, there seems to be all sorts of logon information in there including ftp etc. Is there any way of creating a separate log file solely for SSH?
0
 
LVL 14

Assisted Solution

by:ygoutham
ygoutham earned 125 total points
ID: 18052712
You can try

cat /var/log/secure | grep sshd

which should filter only sshd-related info. But again you have only IP addresses and times, with some stuff on public key acceptance and other things. It also has the user name between ACCEPTED PASSWORD FOR XXXXXX from x.y.z.a

Look through that and the history should give some specific idea.
0
 
LVL 4

Accepted Solution

by:wbstech
wbstech earned 125 total points
ID: 18052740
Try adding the below to the end of the syslog.conf:

#Save only auth info to authinfo.log

authpriv.info                                          /var/log/authinfo.log


Or, you could do the above suggestion and just put "cat /var/log/secure | grep sshd" in a file as below:

echo "cat /var/log/secure | grep sshd" > /usr/bin/showsshdlogs
chmod +x /usr/bin/showsshdlogs   # make it executable so it can be run by name

Then you have in a sense made your own command to show what you need. You can just type "showsshdlogs" at the command prompt and see it all.
0
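
Added example, not part of the original thread: a shell function that goes one step past the grep shown above and counts accepted and failed sshd logins per user and source address. The sample lines are constructed for illustration and assume the usual OpenSSH wording ("Accepted/Failed METHOD for [invalid user] NAME from ADDR port N ssh2"); the function names are hypothetical.

```shell
#!/bin/sh
# Summarise sshd authentication results from a syslog-format auth log.
# Output, one line per (result, user, source address):
#   <Accepted|Failed> <user> <address> <count>
ssh_auth_summary() {
    awk '
    # Field 5 is the program tag; keep sshd only, dropping ftp, su, etc.
    $5 ~ /^sshd\[[0-9]+\]:$/ && ($6 == "Accepted" || $6 == "Failed") {
        # Scan from the right: the user name is text chosen by the remote
        # side, so only the last "from" reliably precedes the address.
        for (i = NF - 1; i >= 9; i--) {
            if ($i == "from") {
                # "invalid user NAME" marks an account that does not exist
                tag = ($(i-3) == "invalid" && $(i-2) == "user") ? "invalid:" : ""
                count[$6 " " tag $(i-1) " " $(i+1)]++
                break
            }
        }
    }
    END { for (k in count) print k, count[k] }
    ' ${1:+"$1"} | LC_ALL=C sort
}

# Constructed sample in /var/log/secure layout (not real log data).
sample_secure_log() {
    cat <<'EOF'
Dec  1 10:15:02 fc6 sshd[2345]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
Dec  1 10:16:40 fc6 sshd[2350]: Failed password for bob from 198.51.100.7 port 40022 ssh2
Dec  1 10:16:45 fc6 sshd[2351]: Failed password for invalid user admin from 198.51.100.7 port 40023 ssh2
Dec  1 10:16:49 fc6 sshd[2352]: Failed password for invalid user admin from 198.51.100.7 port 40024 ssh2
Dec  1 10:17:01 fc6 vsftpd: pam_unix(vsftpd:auth): authentication failure; user=carol rhost=203.0.113.5
Dec  1 10:20:11 fc6 sshd[2360]: Accepted publickey for alice from 192.0.2.10 port 51300 ssh2
EOF
}

# Reads the file named as the first argument, or stdin when none is given.
sample_secure_log | ssh_auth_summary
```

On a live system, run it as root against the real file: ssh_auth_summary /var/log/secure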
 
LVL 1

Author Comment

by:the_omnific
ID: 18052747
Thank you very much. Both of you have been very informative!
0
 
LVL 4

Expert Comment

by:wbstech
ID: 18052784
No problem :-)
0
