Enable SSH audit logging

Learn how to set up SSH audit logging on a Linux Ubuntu server

An SSH audit log records details about who accessed a server, what was accessed, and when the access occurred. This security-relevant, chronological record documents the sequence of activities impacting a specific operation, procedure, event, or device.

Enabling SSH audit logging offers you the following benefits:

  • Satisfies regulatory requirements for data and system access

  • Helps detect and respond to unauthorized or suspicious activities

  • Facilitates reconstructing events to understand and correct problems that contributed to operational disruptions

  • Provides insights to improve system performance

  • Assists with regular system auditing

  • Enables monitoring staff usage and driving accountability


Set up SSH audit logging

Follow these steps to set up SSH audit logging on a Linux Ubuntu server:

  1. In /etc/ssh/sshd_config, raise the SSH daemon's log level and send its messages to the authpriv syslog facility. LogLevel VERBOSE records more detail about each authentication attempt than the default INFO level; with rsyslog, Ubuntu writes the authpriv facility to /var/log/auth.log.

    sudo nano /etc/ssh/sshd_config

    LogLevel VERBOSE
    SyslogFacility AUTHPRIV
  2. Install the auditd package.

    sudo apt update && sudo apt install auditd
  3. In /etc/audit/auditd.conf, define the configuration for the audit daemon: where the log is written, the maximum size of one log file in megabytes, and what to do when that size is reached. Entries in this file take the form keyword = value. keep_logs rotates the log without deleting old files, so the partition holding /var/log/audit needs room to grow.

    sudo nano /etc/audit/auditd.conf

    log_file = /var/log/audit/audit.log
    max_log_file = 50
    max_log_file_action = keep_logs
  4. In /etc/audit/rules.d/audit.rules, define the audit rules for the SSH server: watch the sshd runtime directory and the login records (wtmp, btmp) for writes and attribute changes, and record every command executed with effective uid 0 under the key ssh_commands. The -k key on each rule is what you later pass to ausearch -k to pull out the matching events.

    sudo nano /etc/audit/rules.d/audit.rules

    -w /var/run/sshd -p wa -k sshd
    -w /var/log/wtmp -p wa -k session
    -w /var/log/btmp -p wa -k session
    -a always,exit -F arch=b64 -F euid=0 -S execve -k ssh_commands
  5. Restart the SSH service.

    sudo systemctl restart ssh.service
  6. Restart the auditd service (the unit on Ubuntu is auditd.service) so it picks up the new configuration and rules.

    sudo systemctl restart auditd.service
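The six steps above collected into one idempotent script, as an added example that is not part of the original page. It assumes Ubuntu with OpenSSH and auditd already installed at the paths the page uses, GNU sed, and that the SSH rules go into their own file /etc/audit/rules.d/sshd.rules (augenrules merges every *.rules file in that directory); the function names, the --apply/--verify flags and the sshd -t / sshd -T / auditctl -l checks are this example's own additions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): applies the six steps above
# idempotently and verifies the result. Assumptions: Ubuntu with OpenSSH and
# auditd installed, GNU sed, and a dedicated rules file in /etc/audit/rules.d.
# Usage: sudo ./ssh-audit-logging.sh --apply
set -euo pipefail

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
AUDITD_CONF=${AUDITD_CONF:-/etc/audit/auditd.conf}
AUDIT_RULES=${AUDIT_RULES:-/etc/audit/rules.d/sshd.rules}

# Set "Key Value" in sshd_config. sshd honours the first occurrence of a keyword,
# and a line appended at the end could land inside a Match block, so every
# existing (active or commented-out) occurrence is removed and the directive is
# inserted at the top of the file.
set_sshd_option() {
  local file=$1 key=$2 value=$3
  sed -E -i "/^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)/d" "$file"
  if [ -s "$file" ]; then
    sed -i "1i ${key} ${value}" "$file"
  else
    printf '%s %s\n' "$key" "$value" > "$file"
  fi
}

# Set "key = value" in auditd.conf, replacing any existing assignment of that key.
set_auditd_option() {
  local file=$1 key=$2 value=$3
  sed -E -i "/^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=/d" "$file"
  printf '%s = %s\n' "$key" "$value" >> "$file"
}

# Write the SSH-related audit rules from step 4 into their own rules file.
write_audit_rules() {
  local file=$1
  cat > "$file" <<'EOF'
## SSH audit rules: writes/attribute changes to the sshd runtime directory and
## the login records, plus every command executed with effective uid 0.
-w /var/run/sshd -p wa -k sshd
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-a always,exit -F arch=b64 -F euid=0 -S execve -k ssh_commands
EOF
}

# Confirm that sshd accepted the settings and that the kernel holds the rules.
verify() {
  sshd -t                                            # syntax check; non-zero exit aborts
  sshd -T | grep -Ei '^(loglevel|syslogfacility) '   # effective values as sshd sees them
  auditctl -l | grep -E '(-k |key=)(sshd|session|ssh_commands)'
}

apply() {
  set_sshd_option "$SSHD_CONFIG" LogLevel VERBOSE
  set_sshd_option "$SSHD_CONFIG" SyslogFacility AUTHPRIV
  set_auditd_option "$AUDITD_CONF" log_file /var/log/audit/audit.log
  set_auditd_option "$AUDITD_CONF" max_log_file 50
  set_auditd_option "$AUDITD_CONF" max_log_file_action keep_logs
  write_audit_rules "$AUDIT_RULES"
  sshd -t                                  # never restart sshd on a broken config
  systemctl restart ssh.service
  systemctl restart auditd.service
  augenrules --load                        # merge rules.d/*.rules and load them
  verify
}

case "${1:-}" in
  --apply)  apply ;;
  --verify) verify ;;
  *) echo "usage: sudo $0 --apply | --verify" >&2 ;;
esac
```

Run it as root with --apply; --verify alone repeats the checks later. Once events are flowing, ausearch -k ssh_commands (or -k session) retrieves the records tagged by the rules above.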
