The SSH log file is located here (on Debian based systems): /var/log/auth.log
And to view it, just type (need root or sudo):
cat /var/log/auth.log
This file most likely contains a lot of information. At least if it’s connected to the internet. All commands run through sudo will also show in this log. Here is a few examples to grab some of the useful information out from it.
See attempts to login at non existing users (often from simple “hack” scripts)
cat /var/log/auth.log | grep ‘sshd.* Invalid’
Note the capital I in Invalid.
See attempts to login at root user
cat /var/log/auth.log | grep ‘sshd.* Failed.* root’
Note the capital F in Failed.
See successful logins
cat /var/log/auth.log | grep ‘sshd.* opened’
The grep command is a text search function. If you want to know more about how to use grep, have a look here.
Happy investigating!
About Author
