I want to log every SSH login attempts, both successful and not, to my FreeBSD server to a file, and daily mail this log to root.
I could accomplish something like this by parsing /var/log/auth.log
, but a) this contains more than login attempts, and b) it could be turned over since yesterday's run. Is there a more direct way of doing this; for instance a hook in SSHd or login configuration to log each login?
Best Answer
The default is to log to the
AUTH
facility. You can change thefacility
that sshd logs to with theSyslogFacility
configuration option.Then configure your syslogd to write local7.* to it's own file by adding
to the syslogd configuration file. Tell syslogd to reread it's config file by sending it a
HUP
signal do the same for sshd and you should have sshd messages being sent to it's own file.