Where to find SSH login log files on CentOS
On CentOS login information is logged in /var/log/secure, not /var/logs/auth.log.
In CentOS 7 the SSH logs are located at "/var/log/secure".
If you want to monitor in real time, you may use the tail command as shown below:
tail -f -n 50 /var/log/secure | grep sshd
lastlog(8) will report the most recent information from the /var/log/lastlog facility, if you have pam_lastlog(8) configured.
aulastlog(8) will make a similar report, but from the audit logs in /var/log/audit/audit.log. (Recommended, as auditd(8) records are harder to tamper with than syslog(3) records.)
ausearch -c sshd will search your audit logs for reports from the sshd process.
last(8) will search through /var/log/wtmp for the most recent logins. lastb(8) will show bad login attempts.
/root/.bash_history might contain some details, assuming the goober who fiddled with your system was incompetent enough to not remove it before logging out.
Make sure you check ~/.ssh/authorized_keys files for all users on the system, check crontabs to make sure no new ports are scheduled to be opened at some point in the future, etc.
Note that all logs stored on the local machine are suspect; the only logs you can realistically trust are forwarded to another machine that wasn't compromised. Perhaps it would be worth investigating centralized log handling via rsyslog(8) or auditd(8) remote machine handling.
You can also try:
grep sshd /var/log/audit/audit.log
And:
last | grep [username]
or
last | head
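
The answers above read /var/log/secure by hand with tail and grep. As an added example (not taken from any of the answers), the shell function below summarises sshd password and public-key events per source address and flags a success that follows failures. The names ssh_login_summary and sample_secure_log are hypothetical, the log lines are constructed, and the usual OpenSSH syslog message wording is assumed.

```shell
#!/bin/sh
# Added example: per-source summary of sshd logins found in /var/log/secure.
# Usage: ssh_login_summary [logfile|-]   (default file: /var/log/secure)
ssh_login_summary() {
    awk '
    / sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for / {
        # Scan from the right: the user name is chosen by the remote side and
        # may contain the word "from", so trust only the last "from X port N".
        src = ""
        for (i = NF - 2; i > 1; i--)
            if ($i == "from" && $(i + 2) == "port") { src = $(i + 1); break }
        if (src == "") next
        user = $(i - 1)
        seen[src] = 1
        if ($0 ~ /\]: Failed /) { failed[src]++; next }
        accepted[src]++
        # A success from an address that already failed deserves a look.
        if (failed[src] > 0) flag[src] = 1
        if (!((src, user) in su)) {
            su[src, user] = 1
            users[src] = users[src] (users[src] == "" ? "" : ",") user
        }
    }
    END {
        for (s in seen)
            printf "%s failed=%d accepted=%d users=%s%s\n", s, failed[s], accepted[s],
                (users[s] == "" ? "-" : users[s]),
                (flag[s] ? " ACCEPTED_AFTER_FAILURES" : "")
    }' "${1:-/var/log/secure}" | LC_ALL=C sort
}

# Constructed sample lines (documentation address ranges), not real log data.
sample_secure_log() {
    cat <<'EOF'
Mar  3 10:15:01 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:04 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:09 web01 sshd[1240]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:16:00 web01 sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: RSA SHA256:CONSTRUCTED
Mar  3 10:17:00 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Mar  3 10:18:00 web01 sshd[1400]: Failed password for invalid user x from 192.0.2.1 port 22 from 203.0.113.9 port 5000 ssh2
EOF
}

sample_secure_log | ssh_login_summary -
```

On a real host, run it against a forwarded copy of the log where one exists, since the local file is only as trustworthy as the machine it sits on.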