Enable SSH audit logging

Learn how to set up SSH audit logging on a Linux Ubuntu server

An SSH audit log records details about who accessed a server, what was accessed, and when the access occurred. This security-relevant, chronological record documents the sequence of activities impacting a specific operation, procedure, event, or device.

Enabling SSH audit logging, offers you the following benefits:

Satisfy regulatory requirements for data and system access
Help detect and respond to unauthorized or suspicious activities
Facilitates reconstructing events to understand and correct problems that contributed to operational disruptions
Provide insights to improve system performance
Assist with regular system auditing
Enable monitoring staff usage and driving accountability

Set up SSH audit logging

Since use cases vary widely, be sure to test and customize the configuration settings and audit rules for your specific use case.

Follow these steps to set up SSH audit logging on a Linux Ubuntu server:

At the terminal prompt, configure the SSH server to enable logging.

sudo nano /etc/ssh/sshd_config  
LogLevel VERBOSE  
SyslogFacility AUTHPRIV

Install the auditd package.

sudo apt update && sudo apt install auditd

In /etc/audit/auditd.conf, define the configuration information for the audit daemon.

sudo nano /etc/audit/auditd.conf  
auditd -l -f /var/log/audit/audit.log  
max_log_file = 50  
max_log_file_action = keep_logs

In /etc/audit/rules.d/audit.rules, define the audit rules for the SSH server.

sudo nano /etc/audit/rules.d/audit.rules  
-w /var/run/sshd -p wa -k sshd  
-a exit,always -F arch=b64 -F euid=0 -S session  
-a exit,always -F arch=b64 -F euid=0 -S execve -k ssh_commands

Restart the SSH service.
```
sudo systemctl restart ssh.service
```
Restart the auditd service.
```
sudo systemctl restart audit.service
```

Last updated 1 year ago

Was this helpful?

hashtagSet up SSH audit logging

Set up SSH audit logging