« Back to SSH: Frequently Asked Questions

How to see the SSH log?

The logs from OpenSSH are useful for monitoring and taking security measures. The OpenSSH daemon (sshd) typically uses the /var/log/auth.log file to store any information regarding relevant events such authentication attempts. Some systems may no longer use this file, for example in the case that systemd is being used. In that case, use the journalctl command to view the relevant entries from the journal logs.

If /var/log/auth.log is present

Many Linux distributions have the auth.log file available in the /var/log directory. This file can be reviewed using common utilities:

  • cat
  • grep
  • less
  • more
  • tail

Another option is to open it in your preferred editor, although that might not be advisable due to the size the log file can become.

To track any changes to the file, use the tail command.

tail -f /var/log/auth.log

To search a particular user in the log, grep can be used.

grep USERNAME /var/log/auth.log

Systemd: use journalctl

If your are running a newer distribution version, your /var/log/auth.log file might be missing. In that case check out the journal logs.

journalctl -u ssh.service

Relevant commands in this article

Like to learn more about the commands that were used in this article? Have a look, for some there is also a cheat sheet available.

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon