This is just a quick note, and it applies to other systems that use rsyslog as well. Following these steps will help you set up your SSHD service so that all of its events are logged to a specific file of your choosing.
Choose an unused local facility; for example, local3 is normally not used by any other logging on your system. First, edit the /etc/sshd_config configuration file.
#SyslogFacility AUTH
SyslogFacility local3
Now configure rsyslog to write local3 messages to the file you want. Add the following to your /etc/rsyslog.conf.
#Logging sshd to another file. Using local3 facility.
local3.* /SOME/PATH/YOU/WANT/YOUR/SSHD/LOGS/TO-BE.log
Where /SOME/PATH/YOU/WANT/YOUR/SSHD/LOGS/TO-BE.log should, of course, be replaced by the path of the file you want your sshd logs redirected to; a sensible choice would be /var/log/sshd.log.
Then as usual, restart the service:
service rsyslogd restart
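The following shell script is an added example, not part of the original post. It applies the two configuration changes above to whatever file paths you hand it, so you can rehearse them on copies before touching /etc. It assumes things the post does not state: on most current distributions sshd_config lives at /etc/ssh/sshd_config rather than /etc/sshd_config, rsyslog reads drop-in files from /etc/rsyslog.d/, and the service is named rsyslog (`service rsyslog restart`, or `systemctl restart rsyslog` on systemd systems). The helper names (`set_sshd_option`, `get_sshd_option`, `write_rsyslog_rule`) are my own; `set_sshd_option` works for any top-level sshd_config keyword, not just SyslogFacility.

```shell
#!/bin/sh
# Added example, not from the original post: apply the post's changes to
# whatever file paths you pass, so they can be rehearsed on copies first.
# Assumed (not stated in the post): on most distributions sshd_config is
# /etc/ssh/sshd_config, rsyslog reads drop-ins from /etc/rsyslog.d/, and the
# service is called rsyslog. Root is needed only against the real files.

# Set a top-level sshd_config keyword, e.g. set_sshd_option FILE SyslogFacility local3.
# The first existing line for the keyword, commented out or not, is rewritten and
# any repeats are dropped. If there is none, the directive is inserted at the top
# rather than appended: a line appended after a "Match" block belongs to that
# block, and sshd rejects SyslogFacility inside Match.
set_sshd_option() {
  cfg=$1 key=$2 val=$3
  awk -v key="$key" -v val="$val" '
    $0 ~ ("^[#[:space:]]*" key "[[:space:]]") {
      if (!done) { print key, val; done = 1 }
      next
    }
    { print }
    END { exit (done ? 0 : 1) }   # non-zero tells the shell nothing was rewritten
  ' "$cfg" > "$cfg.tmp" || { printf '%s %s\n' "$key" "$val"; cat "$cfg"; } > "$cfg.tmp"
  mv "$cfg.tmp" "$cfg"
}

# Print the value of the first active (uncommented) occurrence of a keyword.
get_sshd_option() {
  awk -v key="$2" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Write the rsyslog rule as a drop-in. "& stop" ends processing of each matched
# message so it is not also written by the catch-all rule (e.g. *.info to
# /var/log/messages); this needs rsyslog 7 or later ("& ~" on older versions)
# and relies on the drop-in being included before the catch-all rule, which the
# stock rsyslog.conf on Debian and RHEL derivatives does.
write_rsyslog_rule() {
  rule=$1 fac=$2 log=$3
  printf '# sshd and sftp-server messages arrive on facility %s\n%s.* %s\n& stop\n' \
    "$fac" "$fac" "$log" > "$rule"
}

# Rehearsal on a constructed sshd_config in a scratch directory.
demo() {
  dir=$(mktemp -d)
  printf '#SyslogFacility AUTH\nLogLevel INFO\nMatch User backup\n    ForceCommand internal-sftp\n' \
    > "$dir/sshd_config"
  set_sshd_option "$dir/sshd_config" SyslogFacility local3
  write_rsyslog_rule "$dir/30-sshd.conf" local3 /var/log/sshd.log
  echo "sshd facility is now: $(get_sshd_option "$dir/sshd_config" SyslogFacility)"
  cat "$dir/sshd_config" "$dir/30-sshd.conf"
  rm -rf "$dir"
}
demo
```

Against the real files this is `set_sshd_option /etc/ssh/sshd_config SyslogFacility local3` and `write_rsyslog_rule /etc/rsyslog.d/30-sshd.conf local3 /var/log/sshd.log`, followed by `sshd -t` to confirm the config still parses. Note that the SyslogFacility change only takes effect once sshd itself is reloaded, not just rsyslog. To confirm the routing without waiting for a login, run `logger -p local3.info "routing test"` and check that the line lands in /var/log/sshd.log. If you would rather not use `& stop`, the other way to keep the messages out of the catch-all log is to add `local3.none` to its selector, e.g. `*.info;mail.none;authpriv.none;local3.none /var/log/messages`.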
It should be noted that I do not take credit for this; I googled around and found the answer at the original link here.
Logging specific SFTP and SSH Activity:
The second part of this is that I wanted more thorough logging of the SFTP service as well. I decided to go ahead and modify my config file, changing the Subsystem line to read as follows:
Subsystem sftp /usr/libexec/openssh/sftp-server -l VERBOSE -f local3
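To show what `-l VERBOSE` on the sftp-server line actually gives you in the log file, here is an added example that is not part of the original post: a small awk summary of sftp-server lines per session (sftp-server runs one process per session, so the PID in the syslog tag groups a session's lines). The sample log lines are constructed to match the message formats sftp-server emits at VERBOSE (session opened/closed, open/close with byte counts, remove/rename/mkdir/rmdir); the host name, users, paths and addresses in them are made up, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: summarise sftp-server VERBOSE
# output per session. Sample lines below are constructed to mirror the real
# message formats; hosts, users, paths and addresses are invented.

# Constructed sample of what lands in the sshd log after the change above.
sample_sftp_log() {
  cat <<'EOF'
Mar  3 10:12:01 host1 sftp-server[2141]: session opened for local user alice from [10.0.0.5]
Mar  3 10:12:04 host1 sftp-server[2141]: open "/home/alice/report.pdf" flags READ mode 0666
Mar  3 10:12:04 host1 sftp-server[2141]: close "/home/alice/report.pdf" bytes read 48213 written 0
Mar  3 10:12:09 host1 sftp-server[2141]: open "/home/alice/upload.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Mar  3 10:12:09 host1 sftp-server[2141]: close "/home/alice/upload.csv" bytes read 0 written 401
Mar  3 10:12:15 host1 sftp-server[2141]: session closed for local user alice from [10.0.0.5]
Mar  3 10:20:30 host1 sshd[2298]: Accepted publickey for bob from 10.0.0.9 port 51022 ssh2
Mar  3 10:20:30 host1 sftp-server[2299]: session opened for local user bob from [10.0.0.9]
Mar  3 10:20:33 host1 sftp-server[2299]: remove name "/srv/data/old.csv"
Mar  3 10:20:40 host1 sftp-server[2299]: session closed for local user bob from [10.0.0.9]
EOF
}

# One line per finished session: who, from where, how many files were opened,
# bytes read and written, and how many remove/rename/mkdir/rmdir operations.
# Usage: summarize_sftp /var/log/sshd.log
summarize_sftp() {
  awk '
    # $5 is the syslog tag, e.g. sftp-server[2141]: ; skip sshd and other tags
    $5 !~ /^sftp-server\[/ { next }
    { pid = $5; sub(/^sftp-server\[/, "", pid); sub(/\]:$/, "", pid) }
    /session opened for local user/ {
      user[pid] = $11; src = $13; gsub(/\[|\]/, "", src); from[pid] = src
    }
    /: open "/ { opened[pid]++ }
    /: close "/ {
      # close "<path>" bytes read N written M : counts are the last fields,
      # so paths containing spaces do not shift them
      rd[pid] += $(NF-2); wr[pid] += $NF
    }
    /: (remove name|rename old|mkdir name|rmdir name) "/ { modified[pid]++ }
    /session closed for local user/ {
      printf "pid=%s user=%s from=%s opened=%d bytes_read=%d bytes_written=%d removed_or_renamed=%d\n",
        pid, user[pid], from[pid], opened[pid]+0, rd[pid]+0, wr[pid]+0, modified[pid]+0
    }' "$1"
}

# Total bytes written by one user across all of their sessions in the log.
# Usage: sftp_bytes_written /var/log/sshd.log alice
sftp_bytes_written() {
  summarize_sftp "$1" | awk -v u="$2" '
    $2 == ("user=" u) { sub(/.*bytes_written=/, ""); sub(/ .*/, ""); s += $0 }
    END { print s + 0 }'
}

# Run the summary over the constructed sample.
demo() {
  f=$(mktemp)
  sample_sftp_log > "$f"
  summarize_sftp "$f"
  rm -f "$f"
}
demo
```

Without `-l VERBOSE` you only get the session open and close lines; the per-file open, close, remove and rename records that make a summary like this possible (and that let you answer "what did this account upload or delete") come from the VERBOSE level, and `-f local3` is what keeps them in the same file as the sshd messages.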
I figured I should throw together a quick post about it so those who are using more modern Linux distros will know what might or might not work.
That’s All!
This is an issue I have kind of been running into lately, it seems. The documentation on the current releases of packages built into Linux distributions is lacking at times, and at other times there seems to be some mystery around exactly which method is most effective for solving a problem.