# Enable SSH audit logging

An SSH audit log records details about who accessed a server, what was accessed, and when the access occurred. This security-relevant, chronological record documents the sequence of activities impacting a specific operation, procedure, event, or device.

Enabling SSH audit logging offers you the following benefits:

* Satisfies regulatory requirements for data and system access
* Helps detect and respond to unauthorized or suspicious activity
* Facilitates reconstructing events to understand and correct problems that contributed to operational disruptions
* Provides insights to improve system performance
* Assists with regular system auditing
* Enables monitoring of staff usage and drives accountability

***

### Set up SSH audit logging

{% hint style="warning" %}
Since use cases vary widely, be sure to test and customize the configuration settings and audit rules for your specific use case.
{% endhint %}

Follow these steps to set up SSH audit logging on an Ubuntu Linux server:

1. At the terminal prompt, configure the SSH server to enable verbose logging.

   ```shell
   sudo nano /etc/ssh/sshd_config
   # Add to sshd_config. On Ubuntu 22.04+ also check /etc/ssh/sshd_config.d/:
   # those drop-ins are included first, so a LogLevel set there takes precedence.
   LogLevel VERBOSE
   SyslogFacility AUTHPRIV
   ```
2. Install the [`auditd`](https://manpages.ubuntu.com/manpages/noble/en/man8/auditd.8.html) package.

   ```shell
   sudo apt update && sudo apt install auditd
   ```
3. In [**/etc/audit/auditd.conf**](https://manpages.ubuntu.com/manpages/noble/en/man5/auditd.conf.5.html), define the configuration information for the audit daemon.

   ```shell
   sudo nano /etc/audit/auditd.conf
   # Set these keys in auditd.conf (comments must be on their own line):
   log_file = /var/log/audit/audit.log
   # Maximum size of each log file, in megabytes
   max_log_file = 50
   # When that size is reached, rotate and keep every file rather than deleting any
   max_log_file_action = keep_logs
   ```
4. In [**/etc/audit/rules.d/audit.rules**](https://manpages.ubuntu.com/manpages/noble/en/man7/audit.rules.7.html), define the audit rules for the SSH server.

   ```shell
   sudo nano /etc/audit/rules.d/audit.rules
   # Rules to add (auditd loads every file in rules.d through augenrules):
   -w /var/run/sshd -p wa -k sshd
   # Logins and logouts are written to these files; watching them records sessions
   -w /var/run/utmp -p wa -k session
   -w /var/log/wtmp -p wa -k session
   -w /var/log/btmp -p wa -k session
   # Commands run with effective uid 0 (root, including via sudo); drop
   # "-F euid=0" to record every user's commands at the cost of far more volume
   -a always,exit -F arch=b64 -F euid=0 -S execve -k ssh_commands
   ```
5. Restart the SSH service.

   ```shell
   sudo sshd -t && sudo systemctl restart ssh.service   # -t checks the config syntax before restarting
   ```
6. Restart the `auditd` service.

   ```shell
   sudo systemctl restart auditd.service
   sudo auditctl -l   # confirm the sshd and ssh_commands rules are loaded
   ```
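Once the steps above are in place, the two logs can be read together. The following Python is an added example, not part of the original page: it parses constructed sample lines in the formats that sshd at `LogLevel VERBOSE` and auditd records keyed `ssh_commands` produce, and summarises who logged in from where, which sources kept failing, and what each login uid executed. The sample lines and the regexes are assumptions based on the standard formats, not captured output.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines, not captured output. At LogLevel VERBOSE sshd logs
# the auth method and, for key logins, the key fingerprint.
AUTH_LOG = """\
Mar  4 10:15:02 host sshd[2211]: Accepted publickey for alice from 203.0.113.7 port 51522 ssh2: ED25519 SHA256:EXAMPLEfingerprint
Mar  4 10:15:09 host sshd[2240]: Failed password for invalid user admin from 198.51.100.23 port 40010 ssh2
Mar  4 10:15:11 host sshd[2240]: Failed password for invalid user admin from 198.51.100.23 port 40010 ssh2
Mar  4 10:16:30 host sshd[2260]: Accepted password for bob from 203.0.113.9 port 51600 ssh2
"""
# Abridged auditd SYSCALL records tagged by the execve rule's key. auid is the
# login uid set by PAM at SSH login and kept across sudo, so it names the user.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1709547302.501:811): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 euid=0 ses=4 comm="cat" exe="/usr/bin/cat" key="ssh_commands"
type=SYSCALL msg=audit(1709547320.017:812): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 euid=0 ses=4 comm="useradd" exe="/usr/sbin/useradd" key="ssh_commands"
type=SYSCALL msg=audit(1709547400.250:813): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=0 euid=0 ses=5 comm="ls" exe="/usr/bin/ls" key="ssh_commands"
"""

AUTH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+")
AUDIT_RE = re.compile(r'msg=audit\((\d+)\.\d+:\d+\).*? auid=(\d+) .*? exe="([^"]+)".*?key="ssh_commands"')

def parse_auth(text):
    """Return (result, method, user, source_ip) for each sshd auth line."""
    return [m.groups() for line in text.splitlines() if (m := AUTH_RE.search(line))]

def parse_audit(text):
    """Return (utc_iso_time, auid, exe) for each ssh_commands execve record."""
    out = []
    for line in text.splitlines():
        if m := AUDIT_RE.search(line):
            ts = datetime.fromtimestamp(int(m[1]), tz=timezone.utc)
            out.append((ts.isoformat(), int(m[2]), m[3]))
    return out

def summarize(auth_text, audit_text):
    """Who logged in from where, which sources kept failing, what each auid ran."""
    auth = parse_auth(auth_text)
    execs = {}
    for _, auid, exe in parse_audit(audit_text):
        execs.setdefault(auid, []).append(exe)
    return {
        "accepted": Counter(f"{u}@{ip}" for r, _, u, ip in auth if r == "Accepted"),
        "failed_by_source": Counter(ip for r, _, _, ip in auth if r == "Failed"),
        "exec_by_auid": execs,
    }
```

On a live server, feed `summarize` the contents of `/var/log/auth.log` and the output of `ausearch -k ssh_commands` instead of the constructed samples.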
