SSH Auth Log Missing?

Hey I’m a noob and have a really small problem.
Where are the ssh logs located?

As far as I know, you could see who has accessed the Pi from

/var/log/auth.log

That file doesn’t exist in my Pi. Where can I access this info?

Hi,

many thanks for your message. If you default SSH server Dropbear, login attemps are visible within journalctl -u dropbear.service

root@DietPi3:~# journalctl -u dropbear.service
-- Logs begin at Thu 2019-02-14 11:11:58 CET, end at Tue 2020-10-27 16:03:49 CET. --
Oct 27 15:54:56 DietPi3 systemd[1]: Starting LSB: Lightweight SSH server...
Oct 27 15:54:56 DietPi3 dropbear[400]: Starting Dropbear SSH server: dropbear.
Oct 27 15:54:56 DietPi3 dropbear[405]: Running in background
Oct 27 15:54:56 DietPi3 systemd[1]: Started LSB: Lightweight SSH server.
Oct 27 15:58:43 DietPi3 dropbear[437]: Child connection from 192.168.x.x:52454
Oct 27 15:58:47 DietPi3 dropbear[437]: Password auth succeeded for 'root' from 192.168.x.x:52454
Oct 27 16:03:40 DietPi3 dropbear[573]: Child connection from 192.168.x.x:52674
Oct 27 16:03:49 DietPi3 dropbear[573]: Password auth succeeded for 'dietpi' from 192.168.x.x:52674

Thanks for help, unfortunately I’m currently using OpenSSH and there doesn’t seem to be an openssh.service like dropbear.

just use journalctl -u ssh.service

Oh… that works. Thank you!

Hello, how fail2ban can have access to this file : journalctl -u ssh.service

?

Thanks

usually fail2ban should/will read directly from systemd log.

Exactly, it uses the systemd backend to read from journal when installed via dietpi-software, so no plain text log files are required. Check /etc/fail2ban/jail.conf.

1 Like