Logging and Audit Configuration
Comprehensive logging gives visibility into SSH activity for security monitoring and compliance reporting. Configure it to capture the events that matter (who authenticated, from where, by which method and key, and what they ran) without overwhelming storage or degrading performance. LogLevel VERBOSE is the right level for servers: it records the fingerprint of the matching key on every publickey authentication, so a login to a shared account can still be traced to an individual key, while the DEBUG levels log far more than an audit trail needs and, as the sshd_config manual notes, violate users' privacy. A ForceCommand session recorder runs as the logged-in user, so treat its recordings as an audit trail to be shipped off-host promptly rather than as tamper-proof evidence.
Enhanced logging configuration:
# Server-side logging configuration
# /etc/ssh/sshd_config
LogLevel VERBOSE
SyslogFacility AUTH
# Route logins through the session recorder below (global here; scope it with a
# Match User/Group block if only some accounts should be recorded)
ForceCommand /usr/local/bin/ssh-session-logger
# Additional logging via ForceCommand wrapper
# /usr/local/bin/ssh-session-logger
#!/bin/bash
# Runs as the logged-in user for every connection. Records the session with
# script(1) and notes start, end and the requested command in the auth log.
set -u
stamp=$(date +%Y%m%d-%H%M%S)
base="/var/log/ssh-sessions/$USER-$stamp-$$"   # one stamp for both files; dir must be writable by login users; PID avoids clashes
# Log session start
logger -t ssh-session -p auth.info "Session start: user=$USER from=${SSH_CLIENT%% *} command=${SSH_ORIGINAL_COMMAND:-interactive}"
# Record session: typescript plus timing data (replayable with scriptreplay). Run the
# client's original command (scp, git, rsync ...) if it sent one, otherwise a login
# shell; -e passes the child's exit status back so sshd reports it to the client.
script -q -e -t 2>"$base.time" -c "${SSH_ORIGINAL_COMMAND:-$SHELL -l}" "$base.log"
rc=$?
# Log session end
logger -t ssh-session -p auth.info "Session end: user=$USER rc=$rc"
exit "$rc"
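The detection pass a practitioner would run over what this configuration produces, as an added example (not code from the original page): it parses the "Accepted ..." and "Failed ..." authentication lines sshd writes to the auth facility, flags sources that exceed a failure threshold inside a sliding window, reports any login that later succeeds from a flagged source, and builds the user-to-key-fingerprint map that publickey logging makes possible. The log lines are constructed, and the year, threshold and window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real logs). Hosts, addresses (RFC 5737 ranges)
# and fingerprints are made up; the message shapes follow OpenSSH's format.
SAMPLE_LOG = """\
Mar 10 08:12:01 bastion sshd[2411]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:Q2ZaLkY1n8p0wrjM2sX7c8vJ5n1kOcz3xk7w8WbqLzQ
Mar 10 08:12:10 bastion sshd[2430]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar 10 08:12:11 bastion sshd[2431]: Failed password for root from 198.51.100.7 port 40023 ssh2
Mar 10 08:12:12 bastion sshd[2432]: Failed password for root from 198.51.100.7 port 40024 ssh2
Mar 10 08:12:13 bastion sshd[2433]: Failed password for invalid user oracle from 198.51.100.7 port 40025 ssh2
Mar 10 08:12:14 bastion sshd[2434]: Failed password for invalid user test from 198.51.100.7 port 40026 ssh2
Mar 10 08:12:15 bastion sshd[2434]: Connection closed by invalid user test 198.51.100.7 port 40026 [preauth]
Mar 10 08:12:30 bastion sshd[2440]: Accepted publickey for deploy from 203.0.113.9 port 50011 ssh2: RSA SHA256:7h3sNt9kXl2pqA0bVdYc4rE8mZ1oWuJ6gFiTxK5nH9s
Mar 10 08:13:00 bastion sshd[2450]: Accepted password for bob from 192.0.2.44 port 55100 ssh2
Mar 10 08:40:00 bastion sshd[2460]: Failed password for bob from 192.0.2.44 port 55101 ssh2
Mar 10 08:41:00 bastion sshd[2461]: Accepted publickey for alice from 198.51.100.7 port 40100 ssh2: ED25519 SHA256:Q2ZaLkY1n8p0wrjM2sX7c8vJ5n1kOcz3xk7w8WbqLzQ
"""

LOG_YEAR = 2024  # assumption: syslog timestamps carry no year

# Matches the authentication-result lines; "invalid user" marks guesses at
# accounts that do not exist, and the trailing key type/fingerprint is only
# present for publickey logins.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?$"
)


def parse_line(line):
    """Return an event dict for an authentication-result line, else None."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None  # connect/disconnect chatter is ignored here
    return {
        "time": datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "ok": m["outcome"] == "Accepted",
        "method": m["method"],
        "user": m["user"],
        "invalid_user": m["invalid"] is not None,
        "src": m["src"],
        "fp": m["fp"],
    }


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def brute_force_sources(events, threshold=5, window_seconds=60):
    """{src: peak failures} for sources with >= threshold failures in any window."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["src"]].append(e["time"])
    flagged = {}
    for src, times in fails.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):  # two-pointer sliding window
            while (t - times[lo]).total_seconds() > window_seconds:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def successes_after_brute_force(events, threshold=5, window_seconds=60):
    """Accepted logins from a flagged source after it reached `threshold` failures:
    the alert worth paging on, since guessing worked or the source holds a valid key."""
    flagged = brute_force_sources(events, threshold, window_seconds)
    seen_fail = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        if not e["ok"]:
            seen_fail[e["src"]] += 1
        elif e["src"] in flagged and seen_fail[e["src"]] >= threshold:
            hits.append((e["src"], e["user"], e["method"], e["fp"]))
    return hits


def key_fingerprints(events):
    """Map each user to the sorted fingerprints of the keys that logged them in."""
    fps = defaultdict(set)
    for e in events:
        if e["ok"] and e["fp"]:
            fps[e["user"]].add(e["fp"])
    return {user: sorted(s) for user, s in fps.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(evs))
    for src, user, method, fp in successes_after_brute_force(evs):
        print(f"ALERT login from flagged source {src}: {user} via {method} {fp or ''}")
    print("keys per user:", key_fingerprints(evs))
```

Point it at /var/log/ssh.log (or the central copy) instead of SAMPLE_LOG for real use; the fingerprint map is the audit answer to "which key logged in as deploy", which a password-only log cannot give.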
Configure centralized logging:
# rsyslog configuration for SSH logs
# /etc/rsyslog.d/ssh.conf
# Log format template (a template must be defined before the rules that use it)
$template SSHLogFormat,"%timegenerated% %hostname% %syslogtag%%msg:::sp-if-no-1st-sp%\n"
# Rate limiting for messages arriving on the local log socket (imuxsock); with
# rsyslog 8 the same settings are usually given on the module load line in the
# main rsyslog.conf: module(load="imuxsock" SysSock.RateLimit.Interval="5" SysSock.RateLimit.Burst="500")
$SystemLogRateLimitInterval 5
$SystemLogRateLimitBurst 500
# sshd messages, plus the ssh-session tag from the ForceCommand wrapper: forward
# to the central server over TCP (@@) first, then write the local copy, then stop
# so the catch-all rules in rsyslog.conf do not write them a second time. Order
# matters: an "& stop" ahead of the forwarding action would keep SSH events on
# this host only. Plain TCP is shown; use the gtls or ossl driver for TLS in production.
:programname, isequal, "sshd" @@syslog.example.com:514;SSHLogFormat
& /var/log/ssh.log;SSHLogFormat
& stop
:programname, isequal, "ssh-session" @@syslog.example.com:514;SSHLogFormat
& /var/log/ssh.log;SSHLogFormat
& stop