Locating SSHD Log Files in Red Hat Linux with SELinux: Authentication Monitoring Guide

The primary SSHD log file in Red Hat Linux distributions (including RHEL, CentOS, and Fedora) is typically found at:

/var/log/secure

This file contains authentication-related messages, including SSH login attempts, successful logins, and authentication failures. By default the messages are written there by the rsyslog service (the authpriv facility).

To confirm where your system logs SSHD messages, check the rsyslog configuration:

grep authpriv /etc/rsyslog.conf

You should see a line similar to:

authpriv.*                                              /var/log/secure

In SELinux-enforced systems, you might also find relevant logs in:

/var/log/audit/audit.log

To specifically view SELinux-related SSH denials:

ausearch -m avc -c sshd

To view recent SSH login activity (both successful and failed attempts):

grep sshd /var/log/secure | grep -E "Accepted|Failed"

Example output:

Jan 10 14:23:12 server1 sshd[12345]: Accepted password for user1 from 192.168.1.100 port 54321 ssh2
Jan 10 14:25:47 server1 sshd[12348]: Failed password for invalid user hacker from 203.0.113.5 port 34567 ssh2

For continuous monitoring of SSH login attempts:

tail -f /var/log/secure | grep --line-buffered sshd

Or using journalctl for systems with journald:

journalctl -u sshd -f

To increase verbosity of SSH logging (temporarily for debugging):

# Edit /etc/ssh/sshd_config
LogLevel VERBOSE

Run sshd -t first to check the edited file for syntax errors (a bad sshd_config can leave the daemon unable to start), then restart the service:

systemctl restart sshd

Red Hat systems use logrotate to manage log files. The SSHD logs are typically included in:

/etc/logrotate.d/syslog

Example rotation configuration:

/var/log/secure {
    missingok
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

On Red Hat Enterprise Linux (RHEL) and CentOS systems, the primary SSH daemon log is stored in:

/var/log/secure

This file contains authentication-related messages including SSH login attempts. You can view it with:

sudo tail -f /var/log/secure | grep sshd

When SELinux is enforcing, denials that affect sshd are recorded in the audit log rather than in /var/log/secure, so inspect them with:

sudo ausearch -m avc -ts recent | grep sshd
sudo sealert -a /var/log/audit/audit.log

To monitor successful logins to your specific account (key-based logins are logged as "Accepted publickey", so match both methods; anchoring on "from" avoids matching longer usernames that share the same prefix):

sudo grep -E "Accepted (password|publickey) for YOUR_USERNAME from" /var/log/secure

To see which usernames attract the most failed password attempts (the username is two fields further right on "invalid user" lines, so match it by pattern rather than by position):

sudo grep "Failed password" /var/log/secure | sed -E 's/.*Failed password for (invalid user )?([^ ]+) from .*/\2/' | sort | uniq -c | sort -nr
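The same analysis as a small parser, added here as an example that is not part of the original page: it handles both line shapes shown in the sample output above (plain "for user" and "for invalid user ..."), tallies failures per source IP the way the sort | uniq -c pipeline does, and flags sources that cross a threshold. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter
# Constructed sample lines in the /var/log/secure format shown on this page (hosts and IPs are made up).
SAMPLE_LOG = """\
Jan 10 14:23:12 server1 sshd[12345]: Accepted password for user1 from 192.168.1.100 port 54321 ssh2
Jan 10 14:24:01 server1 sshd[12346]: Accepted publickey for deploy from 192.168.1.101 port 50111 ssh2: RSA SHA256:abc
Jan 10 14:25:47 server1 sshd[12348]: Failed password for invalid user hacker from 203.0.113.5 port 34567 ssh2
Jan 10 14:25:49 server1 sshd[12349]: Failed password for root from 203.0.113.5 port 34570 ssh2
Jan 10 14:25:52 server1 sshd[12350]: Failed password for invalid user admin from 203.0.113.5 port 34572 ssh2
Jan 10 14:26:10 server1 sshd[12351]: Failed password for user1 from 198.51.100.7 port 41000 ssh2
Jan 10 14:26:30 server1 sshd[12352]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
"""

# One pattern for both outcomes. The optional "invalid user " group is what breaks
# a positional awk '{print $9}': on those lines the username sits two fields further right.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_auth_lines(text):
    """One dict per Accepted/Failed sshd line; session/pam lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            d = m.groupdict()
            d["invalid_user"] = d.pop("invalid") is not None
            d["pid"], d["port"] = int(d["pid"]), int(d["port"])
            events.append(d)
    return events

def failures_by_ip(events):
    """Failed attempts per source IP (the same tally as sort | uniq -c | sort -nr)."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")

def usernames_tried(events, ip):
    """Distinct usernames that failed from one IP, including accounts that do not exist."""
    return sorted({e["user"] for e in events if e["ip"] == ip and e["result"] == "Failed"})

def flag_bruteforce(events, threshold=3):
    """Source IPs whose failed-attempt count reaches the threshold, busiest first."""
    return [ip for ip, n in failures_by_ip(events).most_common() if n >= threshold]

if __name__ == "__main__":
    ev = parse_auth_lines(SAMPLE_LOG)
    for ip, n in failures_by_ip(ev).most_common():
        print(f"{n:4d} {ip}  users: {', '.join(usernames_tried(ev, ip))}")
    print("flagged:", flag_bruteforce(ev))
```

Feed it the real file with parse_auth_lines(open("/var/log/secure").read()) on a RHEL host; rotated copies (secure-YYYYMMDD) use the same format.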

Modern RHEL versions also collect sshd messages in the systemd journal, which you query with journalctl:

journalctl _SYSTEMD_UNIT=sshd.service --since "1 hour ago"
journalctl -u sshd --no-pager | grep "Accepted"

The files written by rsyslog persist across reboots (the systemd journal does not by default unless /var/log/journal exists), so verify the rsyslog configuration in:

/etc/rsyslog.conf

Should contain:

authpriv.* /var/log/secure

Check logrotate configuration for proper SSH log handling:

/etc/logrotate.d/syslog

Sample configuration:

/var/log/secure {
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

For enhanced tracking, configure auditd rules:

/etc/audit/rules.d/sshd.rules

Example rule (load it with augenrules --load, then query matching events with ausearch -k sshd_commands):

-a always,exit -F arch=b64 -S execve -F path=/usr/sbin/sshd -F key=sshd_commands