Troubleshooting Missing Failed SSH Attempts in /var/log/auth.log on Ubuntu Servers


2 views

When attempting to log failed SSH authentication attempts on an Ubuntu server, many administrators expect to find these entries in /var/log/auth.log. However, you might encounter situations where the log remains empty despite multiple failed login attempts, even after setting LogLevel VERBOSE in /etc/ssh/sshd_config.

For proper SSH logging to work, your system requires:

  • rsyslog or syslog-ng service running
  • Proper permissions on log files
  • Correct syslog facility configuration

First, check if your system logger is running:

sudo systemctl status rsyslog

If it's not running, start and enable it:

sudo systemctl enable --now rsyslog

Verify that your /etc/rsyslog.conf includes authentication messages:

grep 'auth,authpriv.*' /etc/rsyslog.conf

You should see a line similar to:

auth,authpriv.*                 /var/log/auth.log

To test SSH logging in real-time, run SSH in debug mode:

sudo /usr/sbin/sshd -d -p 2222

Then attempt connections in another terminal:

ssh -p 2222 user@localhost

Check these additional locations for authentication logs:

sudo journalctl -u ssh
sudo grep 'sshd' /var/log/syslog

Here's a working /etc/ssh/sshd_config snippet for verbose logging:

# Logging
SyslogFacility AUTH
LogLevel VERBOSE

After making changes, don't forget to restart services:

sudo systemctl restart ssh
sudo systemctl restart rsyslog

On some systems, you might need to adjust permissions:

sudo chmod 640 /var/log/auth.log
sudo chown syslog:adm /var/log/auth.log

For SELinux systems:

sudo restorecon -v /var/log/auth.log

After implementing all changes, test with:

logger -p auth.warn "Test auth message"
tail -f /var/log/auth.log

When debugging SSH security issues, the auth.log should be your first stop. But what happens when it's completely silent about failed attempts? Let's examine this systematically.

# Verify current SSH logging configuration
sudo grep -E 'LogLevel|SyslogFacility' /etc/ssh/sshd_config

# Expected output:
# SyslogFacility AUTH
# LogLevel VERBOSE

Even with VERBOSE logging enabled, several other factors could prevent logging:

The system logger might be filtering auth messages:

# Check rsyslog configuration
sudo cat /etc/rsyslog.d/50-default.conf | grep auth

# Should contain:
# auth,authpriv.*       /var/log/auth.log

Common pitfalls include:

# Verify log file permissions
ls -la /var/log/auth.log

# Check logrotate configuration
sudo cat /etc/logrotate.d/rsyslog

Try checking these locations as fallbacks:

# Systemd journal (if journald is primary logger)
sudo journalctl -u ssh -f

# Kernel audit logs
sudo ausearch -m USER_AUTH -ts recent

Run sshd in debug mode for real-time diagnostics:

# Stop current service
sudo systemctl stop sshd

# Start in debug mode
sudo /usr/sbin/sshd -d -p 2222

# In another terminal:
ssh -p 2222 user@localhost

Security modules might block logging:

# Check for denials
sudo cat /var/log/audit/audit.log | grep sshd
sudo dmesg | grep ssh