SSH logs

  • LibreELEC uses systemd which has a centralised journal for logging, rather than the traditional older /var/log/syslog method.

    Query the journal with journalctl.

    e.g.

    Code
    journalctl |grep ssh
  • yep I did 😉

    Well, journalctl is very useful! Thanks for that! But I still need a log file to configure fail2ban, which is included in the letsencrypt docker addon.

    Can anyone point me to where accepted and failed logins to ssh are stored?

  • Can't see any location for an access log file here :( Thanks vpeter!

    You're always trying to help! 😊


    sshd.service - OpenSSH server daemon
    Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled; vendor preset: disabled)
    Active: active (running) since Fri 2019-05-31 19:10:06 IST; 1 day 15h ago
    Main PID: 293 (sshd)
    Memory: 10.6M
    CGroup: /system.slice/sshd.service
    ├─ 293 /usr/sbin/sshd -D
    ├─22426 sshd: root@notty
    ├─22432 /usr/lib/openssh/sftp-server
    ├─24282 sshd: root@pts/1
    ├─24284 -sh
    └─24301 systemctl status sshd -l --no-pager

  • I don't know if there is any such log file. But I see this with the command above:

    Code
    Jun 02 11:25:22 LibreELEC sshd[1340]: Failed password for root from 192.168.2.3 port 47442 ssh2
    Jun 02 11:25:22 LibreELEC sshd[1340]: Connection closed by authenticating user root 192.168.2.3 port 47442 [preauth]

    Maybe some cron job could create a log file by grepping systemctl status.

  • yep it works for me as well :) I can see login attempts but need them in a log file 😉 Just wondering if changing /etc/systemd/system.conf would help?

    We have logtarget here :)

  • edit file /storage/.cache/services/sshd.conf and change/add -E log_file

    Code
    SSH_ARGS="-E /var/log/sshd.log"

    restart sshd service

    Code
    systemctl restart sshd

    check log file /var/log/sshd.log

    Code
    cat /var/log/sshd.log
  • Got another question ;) How can I preserve those changes between and after reboots?

    My log looks like the one below, and I would like to have timestamps as well. Any chance, vpeter? :)

  • Well, then one option is to fix the sshd service file.

    First remove the added SSH_ARGS value from the /storage/.cache/services/sshd.conf file.

    Then copy the sshd service file to storage and change the ExecStart line.

    Code
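    # Copy the unit file to the writable override directory and open it
    cp /usr/lib/systemd/system/sshd.service /storage/.config/system.d/
    vi /storage/.config/system.d/sshd.service

    # In the editor, change the ExecStart line to the following
    # (%% is how a unit file writes a literal %):
    ExecStart=/bin/sh -c "/usr/sbin/sshd -D $SSH_ARGS -e 2>&1 | awk '{print strftime(\"[%%Y-%%m-%%d %%H:%%M:%%S] \") $0}' >>/var/log/sshd.log"

    # Reload the unit files, restart sshd and check that it is running
    systemctl daemon-reload
    systemctl restart sshd
    systemctl status sshd -l --no-pager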
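
An added example, not part of the thread and not LibreELEC's own code: a shell sketch for checking that the resulting log carries the lines fail2ban needs, by tallying failed and accepted logins per source address. The function names are hypothetical, and the sample lines after the first two are constructed on the assumption that the awk prefix above yields `[date time] message` lines.

```shell
#!/bin/sh
# Added example: tally sshd authentication results per source address.
# Reads log lines on stdin and prints "address result count".

ssh_auth_summary() {
    awk '
        /Failed password for / || /Accepted (password|publickey) for / {
            result = ($0 ~ /Failed password for /) ? "failed" : "accepted"
            # Find the address by the words around it ("from ADDR port"),
            # not by column, so journal lines and "[timestamp] message"
            # lines both parse.
            addr = ""
            for (i = 1; i < NF; i++)
                if ($i == "from" && $(i + 2) == "port") addr = $(i + 1)
            if (addr != "") count[addr " " result]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Print the addresses with at least $1 failed password attempts.
ssh_offenders() {
    ssh_auth_summary | awk -v min="$1" '$2 == "failed" && $3 >= min { print $1 }'
}

# Sample input. The first two lines are the journal lines quoted in the
# thread; the "[timestamp]" lines are constructed (assumed file format).
sample_log() {
    cat <<'EOF'
Jun 02 11:25:22 LibreELEC sshd[1340]: Failed password for root from 192.168.2.3 port 47442 ssh2
Jun 02 11:25:22 LibreELEC sshd[1340]: Connection closed by authenticating user root 192.168.2.3 port 47442 [preauth]
[2019-06-02 11:26:01] Failed password for invalid user admin from 192.168.2.3 port 47450 ssh2
[2019-06-02 11:26:05] Failed password for root from 192.168.2.3 port 47452 ssh2
[2019-06-02 11:27:10] Accepted password for root from 192.168.2.10 port 50022 ssh2
EOF
}

# Demo on the sample; on the box, use: ssh_auth_summary < /var/log/sshd.log
sample_log | ssh_auth_summary
```

The same functions accept the output of `journalctl |grep ssh` on stdin, which makes it easy to compare the journal against the file before pointing fail2ban at it.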