How to check sshd log?

I have Ubuntu 9.10 installed with sshd and I can successfully connect to it using login and password. I have configured an RSA key login and now have "Server refused our key" as expected. Ok, now I want to check sshd log in order to figure out a problem. I have examined /etc/ssh/sshd_config and it have

SyslogFacility AUTH
LogLevel INFO

Ok. I'm looking at /var/log/auth.log and... it's empty O_O. Changing Loglevel to VERBOSE helps nothing - auth.log is still empty. Any hints how I can check sshd log?


If no one else is using the system at the moment you could do what i've done in such cases:

  • stop sshd service (at least i've been able to do this while logged in via ssh)
  • start sshd manually and add some -d options to get more verbose debug output. Unless you have something funky going on it should use the same keys and config it does when started properly

Creating an answer based on the comments above, credit to @Prof. Moriarty and @Eye of Hell

SSH auth failures are logged here /var/log/auth.log

The following should give you only ssh related log lines

grep 'sshd' /var/log/auth.log

To be on the safe side, get the last few hundred lines and then search (because if the log file is too large, grep on the whole file would consume more system resources, not to mention will take longer to run)

View sshd entries in the last 500 lines of the log:

tail -n 500 /var/log/auth.log | grep 'sshd'

or to follow the log output as you test:

tail -f -n 500 /var/log/auth.log | grep 'sshd'


If you can try the failing connection again easily, one way easy way is to start an SSH server on a free port such as 2222:

/usr/sbin/sshd -d -p 2222

and then retry the connection with:

ssh -p 2222 user@host

By using the different port -p 2222, we don't have to stop the main SSH server, which could lock us out.

See also: https://unix.stackexchange.com/a/55481/32558


The modern way to see logs

  1. All messages about sshd:
    journalctl -t sshd
    or
    journalctl -u ssh where -u == unit

  2. Messages about sshd from the last boot:
    journalctl -t sshd -b0

  3. Messages about sshd from the last boot in the reverse order:
    journalctl -t sshd -b0 -r


If you want to see all log messages about sshd, run this:

grep -rsh sshd /var/log |sort