Friday, July 25, 2008

How To Create Separate SSH Log File for Specific SSH Clients

By default, OpenSSH writes its authentication log messages to /var/log/secure. At times you need to log a particular host, or a group of IP addresses, to a separate SSH log file for further record-keeping and monitoring.

Create Separate SSH Log File for Particular SSH Client Log Attempts

Here's how to log connection attempts from a particular SSH client to a separate SSH log file.

Step One

Create the separate SSH log file

# touch /var/log/abusive.log

and make sure it is readable and writable by root.

# chmod 600  /var/log/abusive.log

Step Two

Modify /etc/hosts.allow and append a line similar to the one shown below

sshd:  83.83.83.83 : spawn /bin/echo `/bin/date` from %h %u >> /var/log/abusive.log

Alternatively, you can log a group of hosts to a separate SSH log file

sshd: *.google.com : spawn /bin/echo `/bin/date` from %h %c >> /var/log/abusive.log

To group SSH clients into a particular log file

sshd: *.yahoo.com : spawn /bin/echo `/bin/date` from %h %c >> /var/log/yahoo-ssh.log

Save and exit. Notice that we use the spawn tcp_wrappers option to log every host under google.com and dump the date of each SSH login attempt to the /var/log/abusive.log SSH log file.

Now, to log to the separate SSH log file and completely deny any host under the google.com domain, simply

sshd: *.google.com : spawn /bin/echo `/bin/date` from %h %c >> /var/log/abusive.log : deny

Save and exit.

No need to restart any services like sshd or xinetd.

Supported Parameter Expansions

Below is a list of supported expansions:

  • %a — The client's IP address.

  • %A — The server's IP address.

  • %c — Supplies a variety of client information, such as the username and hostname, or the username and IP address.

  • %d — The daemon process name.

  • %h — The client's hostname (or IP address, if the hostname is unavailable).

  • %H — The server's hostname (or IP address, if the hostname is unavailable).

  • %n — The client's hostname. If unavailable, unknown is printed. If the client's hostname and host address do not match, paranoid is printed.

  • %N — The server's hostname. If unavailable, unknown is printed. If the server's hostname and host address do not match, paranoid is printed.

  • %p — The daemon process ID.

  • %s — Various types of server information, such as the daemon process and the host or IP address of the server.

  • %u — The client's username. If unavailable, unknown is printed.

Monitoring Separate SSH Log File

# tailf /var/log/abusive.log

Log File

Log lines in /var/log/abusive.log would look similar to

Fri Jul 25 10:26:52 WAT 2008 from hostname.google.com
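To turn that separate log file into something you can act on, here is an added example (not part of the original post) that summarises attempts per client host. It assumes the line format produced by the spawn rules above, either "... from host" / "... from host user" (%h %u) or "... from user@host" (%c), and uses constructed sample lines and hypothetical function names.

```sh
#!/bin/sh
# Summarise a tcp_wrappers spawn log such as /var/log/abusive.log.
# Expected line shape: "<date output> from <client>[ <user>]" where <client>
# is a host/address (%h) or user@host (%c).

# Constructed sample lines (not real log data) so the script runs stand-alone.
SAMPLE_LOG='Fri Jul 25 10:26:52 WAT 2008 from hostname.google.com
Fri Jul 25 10:26:58 WAT 2008 from hostname.google.com
Fri Jul 25 10:27:03 WAT 2008 from 83.83.83.83 unknown
Fri Jul 25 10:27:10 WAT 2008 from bob@hostname.google.com
Fri Jul 25 10:27:31 WAT 2008 from 83.83.83.83 root'

# count_attempts_per_host: read log lines on stdin and print
# "<count> <host>" lines, most active host first.
count_attempts_per_host() {
    awk '
        / from / {
            # Drop the date prefix; everything after " from " is the client.
            sub(/^.* from /, "")
            client = $1
            # %c form is user@host: keep only the host part.
            n = split(client, parts, "@")
            host = parts[n]
            hits[host]++
        }
        END { for (h in hits) print hits[h], h }
    ' | sort -rn
}

# hosts_over_threshold N: print hosts with more than N logged attempts,
# a simple trigger for closer inspection or a deny rule.
hosts_over_threshold() {
    count_attempts_per_host | awk -v max="$1" '$1 > max { print $2 }'
}

# Stand-alone demo on the constructed sample; on a real system use
#   count_attempts_per_host < /var/log/abusive.log
printf '%s\n' "$SAMPLE_LOG" | count_attempts_per_host
printf '%s\n' "$SAMPLE_LOG" | hosts_over_threshold 2
```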

The above should work on RedHat, CentOS, Fedora and White OS distros.

All is done.
