# Enable SSH audit logging

An SSH audit log records who accessed a server, what they accessed, and when the access occurred. It is a chronological, security-relevant record of the sequence of activities affecting a specific operation, procedure, event, or device.

Enabling SSH audit logging offers you the following benefits:

* Satisfies regulatory requirements for recording data and system access
* Helps detect and respond to unauthorized or suspicious activity
* Makes it possible to reconstruct events and correct the problems that contributed to an operational disruption
* Provides insight for improving system performance
* Supports regular system audits
* Allows staff usage to be monitored and drives accountability

***

### Set up SSH audit logging

{% hint style="warning" %}
Since use cases vary widely, be sure to test and customize the configuration settings and audit rules for your specific use case.
{% endhint %}

Follow these steps to set up SSH audit logging on an Ubuntu Linux server:

1. Configure the SSH server to log at `VERBOSE` level, which adds the fingerprint of the key used for each public-key login, and to send its messages to the `authpriv` syslog facility (`/var/log/auth.log` on Ubuntu).

   ```shell
   sudo nano /etc/ssh/sshd_config
   ```

   Set the following directives, then validate the file with `sudo sshd -t` before restarting the service:

   ```shell
   LogLevel VERBOSE
   SyslogFacility AUTHPRIV
   ```
2. Install the [`auditd`](https://manpages.ubuntu.com/manpages/noble/en/man8/auditd.8.html) package.

   ```shell
   sudo apt update && sudo apt install auditd
   ```

3. In [**/etc/audit/auditd.conf**](https://manpages.ubuntu.com/manpages/noble/en/man5/auditd.conf.5.html), define the configuration for the audit daemon: where the log is written, the size in MB at which it rotates, and what happens when that size is reached. `keep_logs` rotates without ever deleting old logs, so make sure the filesystem has room or ship the logs off the host.

   ```shell
   sudo nano /etc/audit/auditd.conf
   ```

   ```shell
   log_file = /var/log/audit/audit.log
   max_log_file = 50
   max_log_file_action = keep_logs
   ```
4. In [**/etc/audit/rules.d/audit.rules**](https://manpages.ubuntu.com/manpages/noble/en/man7/audit.rules.7.html), define the audit rules for the SSH server. There is no `session` system call, so session activity is captured by watching the login records (`utmp`, `wtmp`, `btmp`) instead. The `execve` rule records every program run with an effective UID of 0; drop `-F euid=0` to record the commands of all users, and add a matching `-F arch=b32` rule if 32-bit binaries can run on the host.

   ```shell
   sudo nano /etc/audit/rules.d/audit.rules
   ```

   ```shell
   -w /var/run/sshd -p wa -k sshd
   -w /var/run/utmp -p wa -k session
   -w /var/log/wtmp -p wa -k session
   -w /var/log/btmp -p wa -k session
   -a always,exit -F arch=b64 -F euid=0 -S execve -k ssh_commands
   ```
5. Restart the SSH service so the new `sshd_config` takes effect.

   ```shell
   sudo systemctl restart ssh.service
   ```
6. Restart the `auditd` service. On Ubuntu the unit is `auditd.service`; restarting it regenerates `/etc/audit/audit.rules` from the files in `rules.d` and loads the result. Confirm with `sudo auditctl -l` that the rules from step 4 are listed; recorded events can then be searched by key, for example `sudo ausearch -k ssh_commands`.

   ```shell
   sudo systemctl restart auditd.service
   ```
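Once both logs are in place, the value comes from reading them together: the sshd log tells you who logged in, from where and with which key, while the `ssh_commands` events tell you what they ran. The script below is an added example, not code from this page or from Apono; it parses constructed sample lines (a few sshd `VERBOSE` messages in `/var/log/auth.log` format and two raw `auditd` events in `/var/log/audit/audit.log` format), joins each `SYSCALL` record with its `EXECVE` record by serial number, and attributes every command to the login user through `auid`. That attribution assumes `pam_loginuid` is in sshd's PAM stack (it is on Ubuntu), so the audit UID set at login survives `sudo` and a command run as root still maps back to the person who opened the session.

```python
"""Correlate sshd VERBOSE log lines with auditd execve records (added example)."""
import re
from collections import defaultdict

# Constructed sample lines in the format sshd writes to /var/log/auth.log with
# LogLevel VERBOSE: the key fingerprint is only logged at VERBOSE or above.
SSHD_LOG = """\
Mar  4 10:15:22 bastion sshd[2345]: Accepted publickey for alice from 203.0.113.7 port 51234 ssh2: ED25519 SHA256:Y1sPbYxq8bR0f1QbkM4j0hQ7cWq3vGmFz9y3X4S2a9A
Mar  4 10:15:22 bastion sshd[2345]: pam_unix(sshd:session): session opened for user alice(uid=1001) by (uid=0)
Mar  4 10:16:01 bastion sshd[2360]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
Mar  4 10:16:03 bastion sshd[2360]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
Mar  4 10:20:05 bastion sshd[2345]: pam_unix(sshd:session): session closed for user alice
"""

# Constructed sample records in raw /var/log/audit/audit.log format for two
# commands matched by the ssh_commands rule. The records of one event share the
# serial in msg=audit(<time>:<serial>); SYSCALL carries the ids, EXECVE the argv.
# auditd hex-encodes an argv entry containing a space or non-printable byte
# (a2 of the second event) instead of quoting it.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1709547330.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=2350 pid=2370 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="systemctl" exe="/usr/bin/systemctl" key="ssh_commands"
type=EXECVE msg=audit(1709547330.123:456): argc=3 a0="systemctl" a1="restart" a2="nginx"
type=SYSCALL msg=audit(1709547340.500:457): arch=c000003e syscall=59 success=yes exit=0 a0=55e0 a1=55e1 a2=55e2 a3=0 items=2 ppid=2350 pid=2371 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key="ssh_commands"
type=EXECVE msg=audit(1709547340.500:457): argc=3 a0="cat" a1="/etc/shadow" a2=2F746D702F6D792066696C65
"""

ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?")
FAILED = re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
OPENED = re.compile(r"session opened for user (?P<user>\S+)\(uid=(?P<uid>\d+)\)")
AUDIT_MSG = re.compile(r"msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\)")
AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_sshd(text):
    """Return accepted logins, failed attempts per source IP and a uid->user map."""
    logins, failures, uids = [], defaultdict(int), {}
    for line in text.splitlines():
        if m := ACCEPTED.search(line):
            logins.append({"user": m["user"], "ip": m["ip"],
                           "method": m["method"], "fingerprint": m["fp"]})
        elif m := FAILED.search(line):
            failures[m["ip"]] += 1
        elif m := OPENED.search(line):
            uids[int(m["uid"])] = m["user"]
    return logins, dict(failures), uids


def decode_arg(value):
    """EXECVE args are either "quoted" or hex-encoded; return the plain string."""
    if value.startswith('"'):
        return value[1:-1]
    return bytes.fromhex(value).decode("utf-8", "replace")


def parse_audit(text):
    """Group records by event serial; each event gets the SYSCALL fields plus argv."""
    events = defaultdict(dict)
    for line in text.splitlines():
        serial = AUDIT_MSG.search(line)["serial"]
        fields = dict(AUDIT_FIELD.findall(line))
        if fields["type"] == "EXECVE":
            events[serial]["argv"] = [decode_arg(fields[f"a{i}"])
                                      for i in range(int(fields["argc"]))]
        elif fields["type"] == "SYSCALL":
            events[serial].update({k: v.strip('"') for k, v in fields.items()})
    return events


def commands_by_user(events, uids, key="ssh_commands"):
    """Attribute each matched execve to the login user via auid, not uid/euid.

    With the -F euid=0 rule, uid/euid in the record are 0 after sudo; auid is
    the audit UID pam_loginuid set at SSH login and still names the person.
    """
    result = defaultdict(list)
    for ev in events.values():
        if ev.get("key") == key and "argv" in ev:
            user = uids.get(int(ev["auid"]), f"auid={ev['auid']}")
            result[user].append(" ".join(ev["argv"]))
    return dict(result)


def report(sshd_text=SSHD_LOG, audit_text=AUDIT_LOG):
    """Build the per-host summary a reviewer would want from both logs."""
    logins, failures, uids = parse_sshd(sshd_text)
    return {"logins": logins, "failures": failures,
            "commands": commands_by_user(parse_audit(audit_text), uids)}


if __name__ == "__main__":
    summary = report()
    for login in summary["logins"]:
        print(f"login: {login['user']} from {login['ip']} via {login['method']} "
              f"key {login['fingerprint']}")
    for ip, count in summary["failures"].items():
        print(f"{count} failed attempts from {ip}")
    for user, cmds in summary["commands"].items():
        for cmd in cmds:
            print(f"{user} ran: {cmd}")
```

Run it against real files by passing the contents of `/var/log/auth.log` and `/var/log/audit/audit.log` to `report()` (both need root to read). The hex decoding in `decode_arg` matters in practice: an attacker-controlled argument with a space in it would otherwise show up as an opaque hex string, which is easy to skip over in review.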
