Tags: ssh, logging
July 23, 2025 (8 min read)

SSH Logs: Complete Guide to Security Monitoring and Analysis in 2025

Author: Nilesh Sinha

SSH logs are critical for detecting unauthorized access attempts and maintaining system security. If you're managing servers, you know how proper SSH log monitoring can mean the difference between catching a breach early and discovering it weeks later.

Whether you're managing a handful of servers or hundreds, this guide will help you master SSH log analysis, from basic log locations to advanced threat detection strategies.

Understanding SSH Log Fundamentals

SSH logs capture every authentication attempt, connection, and session activity through the SSH daemon (sshd). These logs are your audit trail for:

  • Authentication events: Successful and failed login attempts
  • Connection metadata: Source IPs, ports, session duration
  • User activity: Session starts, disconnections, privilege changes
  • Protocol details: Key exchanges, cipher negotiations, errors

Anatomy of SSH Log Entries

Every SSH log entry follows a structured format:

Jan 23 14:30:15 server01 sshd[12345]: Accepted publickey for admin from 192.168.1.100 port 54321 ssh2: RSA SHA256:abc123...

Breaking this down:

  • Timestamp: Jan 23 14:30:15
  • Hostname: server01
  • Process: sshd[12345] (daemon with PID)
  • Event: Accepted publickey
  • User: admin
  • Source: 192.168.1.100 port 54321
  • Method: publickey with key fingerprint
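To make the breakdown above concrete, here is an added example (not code from the original article) that splits a single sshd syslog line into those fields with awk and prints them as key=value pairs. It handles both Accepted and Failed lines, including the "invalid user" form sshd emits for usernames that do not exist, and awk's default field splitting also normalises the double space syslog uses for single-digit days ("Jan  5"):

```shell
# Parse one sshd auth line: parse_sshd_line 'Jan 23 14:30:15 server01 sshd[12345]: ...'
parse_sshd_line() {
    printf '%s\n' "$1" | awk '
    {
        ts   = $1 " " $2 " " $3          # Jan 23 14:30:15
        host = $4                        # server01
        pid  = $5                        # sshd[12345]:
        sub(/^sshd\[/, "", pid); sub(/\]:$/, "", pid)
        event  = $6                      # Accepted | Failed
        method = $7                      # publickey | password | ...
        user = ""; ip = ""; port = ""; invalid = "no"; fp = ""
        # Walk the remaining tokens: "for [invalid user] USER from IP port PORT ..."
        for (i = 8; i <= NF; i++) {
            if ($i == "for") {
                if ($(i+1) == "invalid" && $(i+2) == "user") { invalid = "yes"; user = $(i+3) }
                else user = $(i+1)
            }
            if ($i == "from") ip = $(i+1)
            if ($i == "port") port = $(i+1)
            if ($i ~ /^SHA256:/) fp = $i  # key fingerprint, present on publickey logins
        }
        printf "ts=\"%s\" host=%s pid=%s event=%s method=%s user=%s invalid=%s ip=%s port=%s fingerprint=%s\n",
               ts, host, pid, event, method, user, invalid, ip, port, fp
    }'
}

# Constructed sample lines (not real traffic) to show the two common shapes
parse_sshd_line 'Jan 23 14:30:15 server01 sshd[12345]: Accepted publickey for admin from 192.168.1.100 port 54321 ssh2: RSA SHA256:abc123...'
parse_sshd_line 'Jan 23 14:31:02 server01 sshd[12350]: Failed password for invalid user oracle from 198.51.100.7 port 51000 ssh2'
```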

SSH Log Locations by Operating System

Finding SSH logs depends on your OS and logging setup:

Linux Systems

Debian/Ubuntu:

# Primary location
tail -f /var/log/auth.log

# Using systemd journal
journalctl -u ssh -f

RHEL/CentOS/Rocky:

# Primary location
tail -f /var/log/secure

# Using systemd journal
journalctl -u sshd -f

Arch Linux:

# Primarily systemd journal
journalctl -u sshd.service -f

# Alternative
tail -f /var/log/auth.log

Other Platforms

macOS:

# Older macOS releases
tail -f /var/log/system.log | grep ssh

# Current macOS (unified logging): sshd no longer writes to system.log
log stream --predicate 'process == "sshd"'

FreeBSD:

tail -f /var/log/auth.log

Custom Log Paths

Configure custom logging by modifying /etc/ssh/sshd_config:

# Set custom facility
SyslogFacility LOCAL7

# Route to custom file in rsyslog
echo "local7.*    /var/log/ssh.log" >> /etc/rsyslog.conf
systemctl restart rsyslog sshd

Configuring SSH Logging for Security

Adjusting Log Verbosity

Control SSH log detail with the LogLevel directive:

# /etc/ssh/sshd_config
LogLevel VERBOSE

# Available levels: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG1-3

Recommendations:

  • Production: INFO or VERBOSE
  • Security monitoring: VERBOSE
  • Troubleshooting: DEBUG (temporarily)

Syslog Facility Configuration

Direct SSH logs to specific facilities:

# /etc/ssh/sshd_config
SyslogFacility AUTHPRIV

# Options: AUTH, AUTHPRIV (recommended), LOCAL0-7

Restart SSH after changes:

systemctl restart sshd

Modern Log Analysis with journalctl

For systemd systems, journalctl provides powerful filtering:

# View SSH service logs
journalctl -u ssh.service

# Real-time monitoring
journalctl -u ssh.service -f

# Last hour's events
journalctl -u ssh.service --since "1 hour ago"

# Filter by user
journalctl -u ssh.service | grep "user admin"

# Failed attempts only
journalctl -u ssh.service | grep "Failed"

# With ISO timestamps
journalctl -u ssh.service -o short-iso

Security Threat Detection Techniques

Identifying Brute Force Attacks

Find IPs with multiple failed attempts:

grep "Failed password" /var/log/auth.log | \
awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | head -10

Show recent failed attempts:

# %e pads single-digit days with a space ("Jan  5"), matching the syslog timestamp;
# %d would print "Jan 05" and match nothing on those days
grep "Failed password" /var/log/auth.log | \
grep "$(date --date='1 day ago' '+%b %e')\|$(date '+%b %e')"
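The one-liners above key on a fixed field position, which breaks on the "invalid user" lines. The following added example (not from the original article) reads auth.log-style lines from stdin, keys on the "from" token instead so both line shapes are counted, and goes one step further than the page: it also counts distinct usernames per source IP, so a slow password spray (many users, few tries each) stands out next to a classic brute force (one user, many tries). Only IPs at or above the threshold are printed, most attempts first:

```shell
# Usage: failed_logins_by_ip [THRESHOLD] < /var/log/auth.log   (default threshold 3)
failed_logins_by_ip() {
    threshold="${1:-3}"
    awk -v threshold="$threshold" '
    /sshd\[[0-9]+\]: Failed password for / {
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            # "for USER" or "for invalid user USER"
            if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
            if ($i == "from") ip = $(i+1)
        }
        if (ip == "") next
        attempts[ip]++
        # count each (ip, user) pair once to get distinct users per source
        if (!((ip SUBSEP user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END {
        for (ip in attempts)
            if (attempts[ip] >= threshold)
                printf "%d %s users=%d\n", attempts[ip], ip, users[ip]
    }' | sort -rn
}

# Constructed sample log lines for demonstration (not real traffic)
SAMPLE_AUTH_LOG='Jan 23 14:30:15 server01 sshd[12345]: Accepted publickey for admin from 192.168.1.100 port 54321 ssh2: RSA SHA256:abc123...
Jan 23 14:30:40 server01 sshd[12350]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jan 23 14:30:42 server01 sshd[12351]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jan 23 14:30:45 server01 sshd[12352]: Failed password for root from 203.0.113.5 port 40141 ssh2
Jan 23 14:31:02 server01 sshd[12360]: Failed password for invalid user oracle from 198.51.100.7 port 51000 ssh2
Jan 23 14:35:10 server01 sshd[12370]: Failed password for invalid user postgres from 198.51.100.7 port 51002 ssh2
Jan 23 14:39:44 server01 sshd[12380]: Failed password for admin from 198.51.100.7 port 51009 ssh2
Jan 23 14:40:01 server01 sshd[12390]: Failed password for deploy from 192.0.2.9 port 33000 ssh2'

printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip 3
```

On the sample, 203.0.113.5 shows three tries against one account while 198.51.100.7 shows three tries spread over three accounts; 192.0.2.9 stays below the threshold.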

Detecting Unusual Patterns

Check off-hours access:

grep "Accepted" /var/log/auth.log | \
awk '$3 < "09:00:00" || $3 > "17:00:00" {print}'

Monitor direct root logins (should be disabled):

grep "root" /var/log/auth.log | grep "Accepted"

Privilege Escalation Monitoring

Track sudo usage after SSH login:

grep -E "(Accepted|sudo)" /var/log/auth.log | grep -A5 -B5 "sudo"

Automated Protection with Fail2ban

Fail2ban is an intrusion prevention tool that monitors log files and automatically bans IP addresses showing suspicious activity like repeated failed login attempts. It works by scanning SSH logs in real-time and temporarily blocking IPs that exceed defined failure thresholds.

Installation and Setup

# Install fail2ban
sudo apt install fail2ban  # Ubuntu/Debian
sudo yum install fail2ban  # RHEL/CentOS

# Basic SSH jail
cat > /etc/fail2ban/jail.local << EOF
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 1h
findtime = 10m
EOF

systemctl start fail2ban
systemctl enable fail2ban

Advanced Configuration

# Custom jail with notifications
cat > /etc/fail2ban/jail.d/ssh-custom.conf << EOF
[sshd-custom]
enabled = true
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 24h
findtime = 30m
ignoreip = 192.168.1.0/24 10.0.0.0/8
action = iptables-multiport[name=SSH, port="ssh", protocol=tcp]
         sendmail-whois[name=SSH, dest=admin@company.com]
EOF

Managing Fail2ban

# Check banned IPs
fail2ban-client status sshd

# Unban IP
fail2ban-client set sshd unbanip 192.168.1.100

# View logs
journalctl -u fail2ban -f

Troubleshooting Common Issues

Missing Log Files

Check SSH service status:

systemctl status sshd
journalctl -u sshd --no-pager

Verify logging configuration:

grep -E "^(SyslogFacility|LogLevel)" /etc/ssh/sshd_config

Test with verbose SSH:

ssh -v user@localhost

Permission Issues

Check log file permissions:

ls -la /var/log/auth.log

# Add user to log group
sudo usermod -a -G adm username  # Ubuntu/Debian
sudo usermod -a -G wheel username  # RHEL/CentOS

High Log Volume

Configure size-based rotation:

# /etc/logrotate.d/ssh-size
/var/log/ssh.log {
    size 100M
    rotate 10
    compress
    create 640 syslog adm
}

Reduce verbosity:

sed -i 's/LogLevel VERBOSE/LogLevel INFO/' /etc/ssh/sshd_config
systemctl restart sshd

Centralized SSH Log Management

For infrastructure-scale monitoring, centralize your SSH logs using modern observability platforms.

Setting Up with SigNoz

SigNoz provides comprehensive SSH log monitoring through OpenTelemetry integration. Configure the collector to ingest SSH logs:

# otel-collector-config.yaml
receivers:
  filelog:
    include:
      - /var/log/auth.log    # Ubuntu/Debian
      - /var/log/secure      # RHEL/CentOS
    operators:
      - type: regex_parser
        regex: '^(?P<timestamp>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<hostname>\S+)\s+(?P<process>\S+?)(\[(?P<pid>\d+)\])?:\s+(?P<message>.*)$'
        timestamp:
          parse_from: attributes.timestamp
          layout: '%b %d %H:%M:%S'

processors:
  batch:

exporters:
  otlp:
    endpoint: "https://ingest.{region}.signoz.cloud:443"
    headers:
      "signoz-access-token": "{your-signoz-token}"

service:
  pipelines:
    logs:
      receivers: [filelog]
      processors: [batch]
      exporters: [otlp]

SigNoz SSH Monitoring Benefits

  • Real-time analysis: Monitor authentication patterns instantly
  • Advanced queries: Filter by IP, user, timeframe with powerful query builder
  • Automated alerting: Set up alerts for brute force attempts or anomalous behavior
  • Correlation: Connect SSH events with system metrics and traces
  • Compliance: Long-term storage for audit requirements

SSH Security Hardening

Effective SSH log monitoring is only part of a comprehensive security strategy. Beyond analyzing authentication events, you must proactively secure your SSH service itself to reduce the attack surface and minimize the volume of suspicious activities that appear in your logs.

The following hardening measures work hand-in-hand with log monitoring - while robust logging helps you detect threats, proper configuration prevents many attacks from succeeding in the first place. This layered approach significantly reduces both security risks and the noise in your authentication logs.

Essential Configuration

# /etc/ssh/sshd_config - Security baseline
# (sshd_config does not accept trailing comments on directive lines;
#  keep comments on lines of their own)

# Deprecated: current OpenSSH only speaks protocol 2 and ignores this line
Protocol 2
# Non-standard port
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 60
MaxStartups 3

# Restrict access
AllowUsers admin deploy
AllowGroups ssh-users

# Enhanced logging
LogLevel VERBOSE
SyslogFacility AUTHPRIV
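A baseline is only useful if you can verify it. The following added example (not from the original article) checks a configuration against the directives above. It reads the config on stdin, so it can run on the file (`audit_sshd_config < /etc/ssh/sshd_config`) or, better, on the effective configuration sshd reports after defaults and Match blocks are applied (`sshd -T | audit_sshd_config`). Like sshd, it treats keywords case-insensitively, accepts the `Keyword=value` form, and takes the first occurrence of a repeated directive:

```shell
# Prints one finding per line; exits 1 if any baseline directive is missing or wrong
audit_sshd_config() {
    awk '
    BEGIN {
        FS = "[ \t=]+"
        expected["permitrootlogin"]        = "no"
        expected["passwordauthentication"] = "no"
        expected["pubkeyauthentication"]   = "yes"
        expected["maxauthtries"]           = "3"
        expected["logingracetime"]         = "60"
        expected["loglevel"]               = "verbose"
        expected["syslogfacility"]         = "authpriv"
    }
    /^[[:space:]]*(#|$)/ { next }        # skip blank lines and comments
    {
        sub(/^[ \t]+/, "")               # tolerate indentation
        key = tolower($1); val = tolower($2)
        # sshd uses the first value it sees for a keyword, so do not overwrite
        if ((key in expected) && !(key in found)) found[key] = val
    }
    END {
        bad = 0
        for (k in expected) {
            if (!(k in found)) {
                printf "MISSING %s (expected %s)\n", k, expected[k]; bad = 1
            } else if (found[k] != expected[k]) {
                printf "WRONG %s=%s (expected %s)\n", k, found[k], expected[k]; bad = 1
            }
        }
        exit bad
    }'
}

# Constructed weak config for demonstration (not a real host's file)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
    'MaxAuthTries 3' 'LoginGraceTime 60' 'LogLevel INFO' 'SyslogFacility AUTHPRIV' \
    | audit_sshd_config || echo "baseline not met"
```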

Network-Level Protection

# Restrict SSH with iptables (rules are evaluated in order, so the rate-limiting
# rules must come before the blanket ACCEPT/DROP or they are never reached)

# Rate limiting: remember each new connection (--syn) per source IP and drop a
# source that opens a 4th connection within 60 seconds. Matching only SYN packets
# matters: without it every packet of an established session is counted and the
# session is cut off after a handful of packets.
iptables -A INPUT -p tcp --dport 2222 --syn -m recent --name ssh --set
iptables -A INPUT -p tcp --dport 2222 --syn -m recent --name ssh --rcheck --seconds 60 --hitcount 4 -j DROP

# Allow only the management network, drop everything else
iptables -A INPUT -p tcp --dport 2222 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -j DROP

Performance and Retention

Log Rotation Strategies

# /etc/logrotate.d/ssh-logs
/var/log/ssh.log {
    daily
    rotate 365        # 1-year retention
    compress
    delaycompress
    create 640 syslog adm
}

Compliance Requirements

  • PCI-DSS: 1 year minimum
  • SOX: 7 years for financial data
  • HIPAA: 6 years for healthcare
  • GDPR: As long as necessary

Get Started with SigNoz

SigNoz provides real-time log analysis, intelligent alerting, and correlation with system metrics - perfect for modern infrastructure security.

SigNoz Logs Management Overview

Key SSH monitoring features:

  • Centralized collection from multiple servers with efficient storage
  • Real-time alerting for brute force attacks and anomalous patterns
  • Advanced filtering for forensic analysis and compliance reporting
  • Metric correlation to understand SSH activity impact on system performance

You can choose between various deployment options in SigNoz. The easiest way to get started with SigNoz is SigNoz cloud. We offer a 30-day free trial account with access to all features.

Those who have data privacy concerns and can't send their data outside their infrastructure can sign up for either enterprise self-hosted or BYOC offering.

Those who have the expertise to manage SigNoz themselves or just want to start with a free self-hosted option can use our community edition.

Hope we answered all your questions regarding SSH log monitoring. If you have more questions, feel free to use the SigNoz AI chatbot, or join our slack community.

Key Takeaways

Effective SSH log monitoring requires:

  • Proper configuration with appropriate log levels and facilities
  • Real-time monitoring using journalctl and automated tools like Fail2ban
  • Threat detection through pattern analysis and anomaly identification
  • Centralized logging for infrastructure-scale security monitoring
  • Compliance planning with appropriate retention policies

Start with basic log analysis using the commands shown here, then scale to centralized platforms like SigNoz for comprehensive security monitoring across your infrastructure.

Remember: SSH security is not a set-and-forget task. Regularly review your logs, update security configurations, and adapt your monitoring as threats evolve.
