Where's the SSHD log? I want to see who's been logging in via ssh.

I set verbose mode on in /System/Library/LaunchDaemons/ssh.plist:

<key>ProgramArguments</key>
<array>
<string>/usr/sbin/sshd</string>
<string>-i</string>
<string>-d</string>
</array>

Where does the info go - is there a log file?

Mike

Intel Mac Pro, Mac OS X (10.4.11)

Posted on Oct 1, 2008 5:38 AM


Oct 1, 2008 11:09 AM in response to Michael Levin

Hi Michael,

Logging

Recording events through system logging and reviewing these logs is a key element of good security. Good logging provides information as to what happened, when it happened, and (usually) who did it. By default, Mac OS X logs a fair bit of information to several files in the /var/log directory. One of these is system.log, which records general information from various subsystems. Examples of the types of events recorded in the logs are:

* Firewall (ipfw) blocked packets.
* Web server access and error messages.
* Use of privilege escalation tools.
* Informational messages, such as subsystem status messages.


http://developer.apple.com/internet/security/securityintro.html

Have you opened Console in Utilities & had a look around?

Oct 1, 2008 1:09 PM in response to Michael Levin

There is no SSH log, per se.

Login attempts are logged in two separate places.

First it's logged in /var/log/asl.db but you can't read this file directly. You can use last, though, which decodes this file to show recent logins.

In addition logins are logged in /var/log/system.log. Look for lines that include the string 'sshd', e.g.:

grep sshd /var/log/system.log


Or use /Applications/Utilities/Console.app to view the logs if you're more comfortable there.

Oct 1, 2008 3:45 PM in response to Camelot

> First it's logged in /var/log/asl.db but you can't read this file directly. You can use last, though, which decodes this file to show recent logins.


I have no /var/log/asl.db but I do have a /var/log/asl.log - is that normal?

> In addition logins are logged in /var/log/system.log. Look for lines that include the string 'sshd', e.g.:
> grep sshd /var/log/system.log


Not a single instance from that grep. Is that normal?

thanks,

Mike

Oct 1, 2008 6:56 PM in response to Michael Levin

Michael Levin wrote:
> First it's logged in /var/log/asl.db but you can't read this file directly. You can use last, though, which decodes this file to show recent logins.


> I have no /var/log/asl.db but I do have a /var/log/asl.log - is that normal?


I have /var/log/asl.log, but not asl.db. I wonder if Camelot's looking at his Leopard system, which I believe might be different. My asl.log file is human readable, though it's not the same format as most other log files.

> not a single instance from that grep. Is that normal?


In Tiger, SSH logins aren't logged in system.log by default, so yeah, it's normal. They are logged in /var/log/secure.log, though. It's owned by root, so you'll have to use sudo:

sudo grep ssh /var/log/secure.log

To look at the older, gzipped secure log files, you'll need to unzip them first in the Terminal, since the Console app won't have permission...

charlie
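
The search described in the last reply, extended to read the gzipped rotations as well and to tally accepted and failed logins per user and source address. This is an added example, not part of the thread. It assumes OpenSSH's usual "Accepted/Failed <method> for <user> from <ip>" message wording and that rotated files match `secure.log*`; the host, users and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example: summarize sshd logins from secure.log and its gzipped rotations.

# Print each readable log file, decompressing *.gz files on the fly.
read_logs() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# Reduce sshd auth lines to "count result user source-ip", highest count first.
ssh_login_summary() {
    read_logs "$@" | awk '
        /sshd\[[0-9]+\]: (Accepted|Failed) / {
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted" || $i == "Failed") result = $i
                # "for invalid user NAME" marks an account that does not exist
                if ($i == "for")
                    user = ($(i+1) == "invalid" && $(i+2) == "user") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            count[result " " user " " ip]++
        }
        END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Constructed sample data (not real logs): one current file, one rotated .gz.
make_sample_logs() {
    cat > "$1/secure.log" <<'EOF'
Oct  1 09:12:44 macpro sshd[312]: Accepted password for mike from 192.168.1.20 port 49210 ssh2
Oct  1 09:40:02 macpro sshd[355]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Oct  1 09:40:05 macpro sshd[355]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Oct  1 10:02:17 macpro sudo: mike : TTY=ttyp1 ; PWD=/Users/mike ; USER=root ; COMMAND=/usr/bin/grep ssh /var/log/secure.log
EOF
    printf '%s\n' \
        'Sep 28 22:15:09 macpro sshd[201]: Accepted publickey for mike from 192.168.1.20 port 48111 ssh2' \
        'Sep 28 23:01:30 macpro sshd[230]: Failed password for root from 203.0.113.5 port 3990 ssh2' |
        gzip -c > "$1/secure.log.0.gz"
}

# Demo on the sample; on a real system run as root and pass /var/log/secure.log*
tmp=$(mktemp -d) && make_sample_logs "$tmp" && ssh_login_summary "$tmp"/secure.log*
rm -rf "$tmp"
```

Repeated "Failed ... invalid user" entries from one address are the pattern worth checking first, since they show guesses against accounts that do not exist on the machine.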
