How to Monitor SSH Logins Using Auditd and Logwatch


Learn how to monitor SSH logins using Auditd and Logwatch on Linux. This step-by-step guide covers setup, configuration, log analysis, and reporting to enhance server security.


🔈 Introduction

Secure Shell (SSH) is one of the most widely used methods for remote server administration. Because it provides a gateway into critical infrastructure, monitoring SSH activity is a fundamental part of system security. Attackers often attempt brute-force logins, exploit weak credentials, or hijack valid accounts. To detect these activities, system administrators can rely on auditd and Logwatch, two robust tools for auditing and log analysis.

This guide explains how to configure and use auditd and Logwatch to track SSH logins, generate reports, and strengthen system visibility.


📝 Why Monitor SSH Logins?

Monitoring SSH login activity is critical for the following reasons:

  • Intrusion detection: Spot brute-force attempts or unusual login times.
  • Compliance: Many regulations (e.g., PCI-DSS, HIPAA) require detailed login audit trails.
  • Forensics: Track who accessed the system, when, and from where.
  • System health: Detect misconfigured accounts or unauthorized key usage.

Benefit          Description
Security         Detect malicious login attempts and prevent breaches
Compliance       Maintain detailed audit logs for regulatory requirements
Accountability   Associate login actions with specific users
Troubleshooting  Identify failed login attempts and misconfigurations

🧠 Understanding Auditd and Logwatch

Before diving into configuration, let’s break down the roles of these tools:

  • auditd: The Linux Audit Daemon. It provides detailed tracking of system calls, file access, and user activity. With proper rules, it can log every SSH login event.
  • Logwatch: A customizable log analysis tool. It parses log files and produces digestible daily reports that summarize security-related activity.

Together, they provide real-time auditing and human-readable summaries.


✅ Step 1: Install Auditd and Logwatch

Most modern Linux distributions (RHEL, CentOS, Ubuntu, Debian) ship with these tools in their repositories.

    # RHEL / CentOS / Fedora
    sudo dnf install audit audit-libs logwatch -y

    # Ubuntu / Debian
    sudo apt update
    sudo apt install auditd logwatch -y

Enable and start the auditd service:

    sudo systemctl enable --now auditd

✅ Step 2: Configure Auditd for SSH Monitoring

Auditd uses rules to determine which events to record. For SSH logins, the events of interest are authentication events: sshd itself reports them through syslog to /var/log/secure (RHEL-based) or /var/log/auth.log (Debian-based), which is what Logwatch reads, while auditd writes its own records to /var/log/audit/audit.log.

🔹 Add an Audit Rule

Create a rule that watches the sshd binary:

    sudo auditctl -w /usr/sbin/sshd -p x -k ssh_logins

  • -w: Watch the given path.
  • -p x: Record only execute access to that path.
  • -k ssh_logins: Tag matching records with a key so ausearch -k can find them.

This rule records each execution of the sshd binary (OpenSSH re-executes itself, or in OpenSSH 9.8 and later a separate sshd-session helper, for every incoming connection). The outcome of each authentication is recorded separately by the PAM stack as USER_AUTH and USER_LOGIN records, which auditd writes without any extra rule.

Make the rule persistent by adding it to /etc/audit/rules.d/audit.rules (augenrules merges every .rules file in that directory):

    -w /usr/sbin/sshd -p x -k ssh_logins

🔹 Reload Rules

    sudo augenrules --load
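The following POSIX shell script is an added example, not code from the original article: it carries out Step 2 end to end and makes it repeatable. It writes the watch rule to its own file under /etc/audit/rules.d (the file name ssh_logins.rules and the RULES_DIR override are assumptions made here), skips the write when an identical rule line is already present so repeated runs never produce duplicate rules, and then loads the rule set and confirms the key is active.

```shell
#!/bin/sh
# Added example, not from the original article: deploy the sshd audit watch
# rule idempotently and confirm it is loaded. RULES_DIR can be overridden
# (assumed convention) so the file handling can be exercised without root.
RULES_DIR="${RULES_DIR:-/etc/audit/rules.d}"
RULE='-w /usr/sbin/sshd -p x -k ssh_logins'

rule_file() {
    # Assumed file name; augenrules merges every *.rules file in RULES_DIR.
    echo "$RULES_DIR/ssh_logins.rules"
}

install_ssh_audit_rule() {
    # Append the rule unless an identical line (-x: whole line) is already there.
    mkdir -p "$RULES_DIR" || return 1
    if [ -f "$(rule_file)" ] && grep -Fxq -- "$RULE" "$(rule_file)"; then
        return 0
    fi
    printf '%s\n' "$RULE" >> "$(rule_file)"
}

rule_count() {
    # Number of copies of the rule in the file; a correct deployment has exactly 1.
    if [ -f "$(rule_file)" ]; then
        grep -Fxc -- "$RULE" "$(rule_file)" || true
    else
        echo 0
    fi
}

load_rules() {
    # Merge rules.d into the kernel and check that the key shows up in the
    # active rule list (auditctl -l), which is what Step 3's searches rely on.
    command -v augenrules >/dev/null 2>&1 || {
        echo "augenrules not found: install the audit package first" >&2
        return 1
    }
    augenrules --load && auditctl -l | grep -F -- '-k ssh_logins'
}

# On a real host, run as root:
#   install_ssh_audit_rule && load_rules
```

Running install_ssh_audit_rule twice leaves a single rule line in place, which matters because augenrules would otherwise load the same watch twice and every sshd execution would produce duplicate records.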

✅ Step 3: Verify Auditd Logs

SSH-related events are now captured. Search the audit log by key:

    sudo ausearch -k ssh_logins

Output example:

    type=EXECVE msg=audit(1695409657.123:456): argc=3 a0="sshd" a1="-D" a2="-f"
    type=SYSCALL msg=audit(1695409657.123:456): arch=c000003e syscall=59 success=yes ...

You can also narrow the search to one user by UID (here 1001); -ua matches the uid, euid and auid fields of each record:

    sudo ausearch -ua 1001 -k ssh_logins

✅ Step 4: Configure Logwatch for SSH Analysis

Logwatch generates daily summaries of logs, including SSH login attempts.

🔹 Run Logwatch Manually

    sudo logwatch --service sshd --detail high --range today

Sample output:

    --------------------- SSHD Begin ------------------------

      Authentication Failures:
         root (203.0.113.45): 25 times
         admin (198.51.100.23): 12 times

      Successful Logins:
         user1 (192.0.2.10): Thu Sep 21 10:35:12

    ---------------------- SSHD End -------------------------

🔹 Automating Reports

By default, Logwatch runs as a daily cron job and sends reports via email to the system administrator (root@localhost). To customize, edit /etc/logwatch/conf/logwatch.conf:

    MailTo = admin@example.com
    Detail = Med
    Service = sshd

✅ Step 5: Combine Auditd and Logwatch Insights

Auditd logs offer granular details, while Logwatch provides digest summaries. By combining both:

  • Auditd: Use for in-depth forensic analysis and compliance.
  • Logwatch: Use for daily monitoring and operational awareness.

Tool      Purpose           Strength
Auditd    System auditing   Granular, kernel-level logging
Logwatch  Log analysis      Human-readable reports, email alerts

✅ Step 6: Enhance Monitoring with Customization

🔹 Filtering Auditd Logs

Extract only failed logins (USER_LOGIN records whose success value is no):

    sudo ausearch -m USER_LOGIN -sv no
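The ausearch command above lists every failed login one record at a time. As an added example (not from the original article), the shell functions below turn that raw output into a per-source summary: failed_by_addr counts USER_LOGIN failures by address and account, and over_threshold lists the addresses at or above a chosen count, which is the figure worth alerting on. The sample records are constructed in the real USER_LOGIN/USER_AUTH field layout rather than captured from a host; the function names and the threshold are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original article: aggregate failed SSH logins
# per source address from raw auditd USER_LOGIN records.
# Live use:  ausearch -m USER_LOGIN -sv no --raw | failed_by_addr | over_threshold 10

sample_records() {
    # Constructed records in the USER_LOGIN/USER_AUTH layout, not captured from a host.
    # The USER_AUTH line and the successful login must be ignored by the summary.
    cat <<'EOF'
type=USER_LOGIN msg=audit(1695409657.123:456): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.45 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1695409658.001:457): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.45 addr=203.0.113.45 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1695409660.500:458): pid=1205 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.45 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1695409662.750:459): pid=1209 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.23 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1695409665.010:460): pid=1212 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.45 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1695409670.300:461): pid=1220 uid=0 auid=1001 ses=5 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/0 res=success'
EOF
}

failed_by_addr() {
    # stdin: raw audit records. stdout: "<count> <addr> <acct>", most frequent first.
    # Only USER_LOGIN records with res=failed are counted, so the USER_AUTH
    # record emitted for the same attempt is not double-counted.
    awk '
        /^type=USER_LOGIN / && /res=failed/ {
            addr = "?"; acct = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^addr=/) addr = substr($i, 6)
                if ($i ~ /^acct=/) { acct = substr($i, 6); gsub(/"/, "", acct) }
            }
            n[addr " " acct]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

over_threshold() {
    # $1: minimum failure count. stdin: output of failed_by_addr.
    # stdout: addresses with at least that many failures.
    awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}
```

On the sample data the summary is "3 203.0.113.45 root" followed by "1 198.51.100.23 admin", and over_threshold 3 reports only 203.0.113.45. One caveat for live data: auditd hex-encodes an acct value that contains spaces or other unsafe characters, so such names appear as hex strings in --raw output; ausearch -i decodes them, but it also changes the field layout this awk expects.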

🔹 Scheduling Reports

Schedule Logwatch with cron (or a systemd timer) for more frequent reports; this crontab entry runs the SSH report every six hours:

    0 */6 * * * /usr/sbin/logwatch --service sshd --detail high --range today

🔹 Integrating with SIEM

Forward audit logs to a Security Information and Event Management (SIEM) tool (e.g., Splunk, ELK) for centralized monitoring.


✅ Step 7: Best Practices for SSH Monitoring

  • 🔄 Limit root logins: Disable direct root SSH access.
  • 🔄 Use key-based authentication: Stronger than passwords.
  • 🔄 Set up fail2ban: Block repeated brute-force attempts.
  • 🔄 Correlate logs: Combine auditd and system logs for context.
  • 🔄 Review reports regularly: Automating reports is not enough; analyze them.

🧰 Troubleshooting Common Issues

Issue                        Possible Fix
No logs generated            Ensure auditd is running (systemctl status auditd)
Logwatch not sending email   Check /etc/logwatch/conf/logwatch.conf for MailTo settings
Too many logs                Use filters in ausearch or adjust the Logwatch Detail level
Duplicate reports            Ensure Logwatch is not triggered by multiple cron jobs

🏁 Conclusion

Monitoring SSH logins is a cornerstone of Linux system security. With auditd, you gain fine-grained visibility into authentication events. With Logwatch, you receive accessible reports for quick analysis. Implementing both ensures that you not only detect potential intrusions but also maintain compliance and accountability.

By proactively monitoring, reviewing reports, and correlating activity, you strengthen defenses against unauthorized access and ensure operational resilience.
