[SOLVED] How to get the seccessful ssh connection log info ?

luofeiyu · 11-11-2017, 06:43 PM

OS: centos7.

Code:

cat /var/log/secure
Nov 11 19:34:03 myvps sshd[9230]: Failed password for root from 59.63.188.36 port 55281 ssh2
Nov 11 19:34:03 myvps sshd[9230]: Received disconnect from 59.63.188.36: 11:  [preauth]
Nov 11 19:34:03 myvps sshd[9230]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.63.188.36  user=root
Nov 11 19:34:42 myvps sshd[9234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.63.188.36  user=root
Nov 11 19:34:44 myvps sshd[9234]: Failed password for root from 59.63.188.36 port 46377 ssh2
Nov 11 19:34:46 myvps sshd[9234]: Failed password for root from 59.63.188.36 port 46377 ssh2
Nov 11 19:34:48 myvps sshd[9234]: Failed password for root from 59.63.188.36 port 46377 ssh2
Nov 11 19:34:48 myvps sshd[9234]: Received disconnect from 59.63.188.36: 11:  [preauth]
Nov 11 19:34:48 myvps sshd[9234]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.63.188.36  user=root
Nov 11 19:35:30 myvps sshd[10244]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0

ALL of them are failed connection , no successful connection.

No info on the coommand.

Code:

cat /var/log/secure   |grep  succ

How to get the seccessful ssh connection log info ?

luofeiyu · 11-11-2017, 07:47 PM

cat /var/log/secure |grep Accepted

Turbocapitalist · 11-12-2017, 01:02 AM

Or you could write a more concise variant by avoiding the cat, which is not necessary:

Code:

grep Accepted /var/log/secure

Another option, if there are a lot of other non-SSH related log entries would be to use AWK to guarantee that "Accepted" lines are only shown for SSH:

Code:

awk '$5~/sshd/ && $6="Accepted"' /var/log/secure

The $5 and $6 refer to the fifth and sixth fields respectively. The ~// binds the pattern search to the preceding field, which in that case is the fifth.