Where to Find SSH Authentication Logs on Ubuntu

Locating and analyzing SSH login attempts is a critical task for maintaining the security of an Ubuntu server. This article explains the exact location of SSH authentication logs on Ubuntu, how to view them using standard command-line tools, and how to filter the log files to identify successful and failed connection attempts.

The Primary SSH Log File: /var/log/auth.log

On Ubuntu systems, the primary location for all authentication-related events, including SSH logins, is the /var/log/auth.log file.

To view this file, you need administrator (sudo) privileges.

Viewing the Log File

You can use standard Linux terminal utilities to read the authentication log.

• To view the entire log (use arrow keys to navigate and q to exit):

  sudo less /var/log/auth.log

• To view the most recent login attempts (the last 20 lines):

  sudo tail -n 20 /var/log/auth.log

• To monitor login attempts in real-time as they happen:

  sudo tail -f /var/log/auth.log

Filtering for SSH Events

Because the auth.log file records all system authentication events, it is best to filter the results specifically for the SSH daemon (sshd).

• Find all SSH log entries:

  sudo grep "sshd" /var/log/auth.log

• Find failed SSH login attempts (useful for spotting brute-force attacks):

  sudo grep "sshd.*Failed" /var/log/auth.log

• Find successful SSH logins:

  sudo grep "sshd.*Accepted" /var/log/auth.log

Querying Logs with systemd-journald

Modern versions of Ubuntu also record system logs, including SSH events, using the systemd-journald service. You can query these logs directly using the journalctl utility.

• To view all logs for the SSH service:

  sudo journalctl -u ssh

• To view SSH logs in real-time:

  sudo journalctl -f -u ssh

• To view SSH logs from today only:

  sudo journalctl -u ssh --since today