Question 1

Where are SSH authentication logs stored on Ubuntu or Debian?

Accepted Answer

On Debian and Ubuntu systems, SSH authentication logs are stored in /var/log/auth.log. This file logs successful and failed login attempts, sudo failures, and SSH errors.

Question 2

What is the equivalent log file on CentOS or RHEL?

Accepted Answer

CentOS and RHEL use /var/log/secure to log SSH authentication attempts, sudo events, and other security-related messages.

Question 3

How do I monitor SSH logs in real-time?

Accepted Answer

You can use 'tail -f /var/log/auth.log' (Debian/Ubuntu) or 'tail -f /var/log/secure' (RHEL/CentOS) to monitor logs in real-time as authentication events occur.

Question 4

How can I check the last 50 SSH log entries using systemd?

Accepted Answer

On systemd-based distributions like Ubuntu or CentOS 7+, use the command 'journalctl -u sshd -n 50' to display the last 50 SSH-related log entries.

Question 5

How do I find failed sudo authentication attempts?

Accepted Answer

Run 'grep "sudo:" /var/log/auth.log | grep "authentication failure"' to extract failed sudo attempts from the authentication log.

Auth.log