File Transfer Audit Logs
If you have enabled file transfer auditing, logs are created by default in /etc/ssh2/logs. You can configure a non-default location using AuditLog.Directory.
Login Information
The output location for login information is platform-dependent. For details refer to the following table.
Platform |
Login history |
Current login |
Failed login |
---|---|---|---|
HPUX (11.11) |
/var/adm/wtmp |
/etc/utmp |
/var/adm/btmp |
HPUX (11.23, 11.31) |
/var/adm/wtmps |
/etc/utmpx |
/var/adm/btmps |
AIX |
/var/adm/wtmp/etc/security/lastlog |
/etc/utmp |
|
Solaris |
/var/adm/wtmpx |
/var/adm/utmpx |
/var/adm/loginlog |
RHEL |
/var/log/lastlog /var/log/wtmp |
/var/run/utmp |
/var/log/btmp |
SLES |
/var/log/wtmp |
/var/run/utmp |
/var/log/btmp |
NOTE:
Some platforms write to more than one file.
On some Linux systems, btmp is not present. The server writes to this database if it is present.
The output for sshd and sftp-server messages is affected by both Reflection for Secure IT configuration and syslogd configuration. For example, the following entry in /etc/syslog.conf configures a facility called local6 and sends output from that facility to /var/adm/rsit_log.
NOTE:This syntax shown requires a tab between the two entries.
local6.info /var/adm/rsit_log
To configure Reflection for Secure IT to send sshd messages to the local6 facility, include the following line in the server configuration file (/etc/ssh2/sshd2_config).
SysLogFacility local6