修改SSHD服务日志记录

1、修改SSH程序

[root@server01 ~]# vim  /etc/ssh/sshd_config 

将SyslogFacility AUTHPRIV改为SyslogFacility local5

2、修改日志程序

[root@server01 ~]#Vim /etc/syslog.conf

添加如下两行：

＃ save sshd messages also to sshd.log

local5.*  /data/log/sshd.log

3、重启sshd和syslog服务

然后你可以使用ssh来登录看看发现与sshd有关的信息都记录到了sshd.log中。不在是messages。

4、从server02尝试登陆server01

[root@server02 ~]# ssh server01

root@server01's password: 

Last login: Mon Aug 28 01:53:43 2017 from server02

[root@server01 ~]# exit

logout

Connection to server01 closed.

[root@server02 ~]# 

5、查看登陆日志

[root@server01 ~]# tail -f /data/log/sshd.log 

Aug 28 01:56:30 server01 sshd[52123]: Accepted password for root from 192.168.112.141 port 54508 ssh2

Aug 28 01:56:45 server01 sshd[52123]: Received disconnect from 192.168.112.141: 11: disconnected by user

      本文转自027ryan  51CTO博客，原文链接：http://blog.51cto.com/ucode/1959897，如需转载请自行联系原作者