# Script for sshd logs

## Bigun

I'm needing some good scripts for grepping sshd messages out of /var/log/messages (I use syslog-ng).  Something that I can cron and keep organized weekly, daily or whatever.

I could make my own script, but I don't know real detailed bash scripting.

----------

## Dizzutch

don't all sshd messages in syslog start with [sshd]? in that case you could just stick

grep sshd /var/adm/messages > /home/user/sshd.log in your crontab.

-Dizz

----------

## Bigun

Exactly.... but I would like to separate them by date and so forth, and I don't have the bash scripting skills to do so.

----------

## Dizzutch

ah, i don't use syslog-ng so i don't know what the output looks like, but you could just put a bunch of grep statements in a file

ex.

```
#!/bin/bash

# all sshd messages
grep sshd /var/adm/messages > /home/user/sshd.log

# all messages concerning my user
grep username /home/user/sshd.log > /home/user/sshd_me.log

# all messages concerning root trying to log in
grep root /home/user/sshd.log > /home/user/sshd_root.log
```

etc. that's the simplest i can come up with right now.

if you replace > with >> it'll append to the file, not overwrite it.

----------

## Bigun

Hmmm... perhaps this then:

```
#!/bin/bash

# Grep the SSHD messages out
grep sshd /var/log/messages >> /var/log/sshd.log

# Save the old logfile so it doesn't get overwritten
cat /var/log/messages >> /var/log/messages.processed.log

# Remove the messages file so there are no duplicate logs when it gets cronned next time
rm /var/log/messages

# renew the messages file from scratch
/etc/init.d/syslog-ng restart
```

----------

## Dizzutch

that could definitely work.

----------

## commandline

perhaps you could also edit /etc/syslog-ng/syslog-ng.conf   :Wink: 

----------

## Bigun

What would you add to do such a thing?

----------

## Dizzutch

what does it look like now? could you post the config file?

----------

## commandline

*bigun89 wrote:*

> What would you add to do such a thing?

something like this:

```
filter f_ssh { match("sshd2"); };
destination ssh { file("/var/log/ssh.log"); };
log { source(src); filter(f_ssh); destination(ssh); };
```

----------

## Bigun

```
filter f_ssh { match("sshd"); };
destination ssh { file("/var/log/ssh.log"); };
log { source(src); filter(f_ssh); destination(ssh); };
```

Works perfectly... you can even customize down to the type of error... nice

----------

## dpc

I know you may be writing ssh logs out to ssh.log now, but I wanted to advise against rm'ing /var/log/messages.  There's a lot more in there besides just SSH logs...

I use the following script to get a quick idea of successful/failed logins on my systems (I have ssh logs in auth.log)

```
#!/bin/sh

echo "Successful Logins:"
grep "sshd.*Accepted" /var/log/auth.log | cut -d\  -f7,9-12 | sort | uniq -c

echo "Failed:"
grep "sshd.*Failed" /var/log/auth.log | cut -d\  -f9-12 | sort | uniq -c
```

You could probably modify this to separate it out by the current date and run it from a daily cronjob like so:

```
#!/bin/sh

# Retrieve today's date in the format that's used in the log file
TODAYS_DATE=`date +"%b %e"`

echo "Successful Logins:"
grep "$TODAYS_DATE.*sshd.*Accepted" /var/log/auth.log | cut -d\  -f7,9-12 | sort | uniq -c

echo "Failed:"
grep "$TODAYS_DATE.*sshd.*Failed" /var/log/auth.log | cut -d\  -f9-12 | sort | uniq -c
```

This only catches people that are using valid usernames, not those that are trying to brute-force users.  I would also recommend Fail2Ban - this does a great job of keeping those ssh attacks out.

----------
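As an added example (not code from any poster in this thread), here is a per-day sshd login summary in the spirit of dpc's script that also counts the "Invalid user" attempts his grep patterns do not report, and reads the log in place rather than deleting /var/log/messages as Bigun's earlier script did. The log lines are constructed sample data (a hypothetical host `myhost` and addresses from the RFC 5737 documentation ranges); the function names are this example's own. It uses awk instead of `cut` because awk's default field splitting collapses the double space syslog prints before single-digit days ("Mar  3"), which otherwise shifts every `cut -d' '` field number by one for the first nine days of each month.

```shell
#!/bin/sh
# Added example: summarise sshd authentication events from an auth.log-style
# file for one day, including attempts against accounts that do not exist.

# Constructed sample log in traditional syslog format (hypothetical host and
# RFC 5737 documentation addresses); a cron job would read /var/log/auth.log.
SAMPLE_LOG="${TMPDIR:-/tmp}/sshd_sample_$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 08:12:01 myhost sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Mar  3 08:15:44 myhost sshd[2140]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 08:15:49 myhost sshd[2140]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 08:16:02 myhost sshd[2151]: Invalid user admin from 198.51.100.7
Mar  3 08:16:05 myhost sshd[2151]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Mar  4 09:01:10 myhost sshd[2300]: Accepted password for bob from 192.0.2.11 port 52000 ssh2
Mar  4 09:02:33 myhost sshd[2310]: Failed password for invalid user test from 203.0.113.5 port 33000 ssh2
EOF

# Number of accepted logins on a day. The day is the 6-character "Mon DD"
# prefix exactly as syslog writes it, e.g. "Mar  3" or "Mar 10", which is
# what `date +'%b %e'` produces.
count_accepted() {
    awk -v day="$1" '
        substr($0, 1, 6) == day && /sshd\[[0-9]+\]: Accepted / { n++ }
        END { print n + 0 }' "$2"
}

# Number of "Invalid user NAME from IP" events on a day: attempts against
# accounts that do not exist, which a grep for "Accepted"/"Failed" misses.
count_invalid_users() {
    awk -v day="$1" '
        substr($0, 1, 6) == day && /sshd\[[0-9]+\]: Invalid user / { n++ }
        END { print n + 0 }' "$2"
}

# Failed password attempts on a day, one "COUNT USER IP" line per pair,
# covering both real users and "invalid user NAME" failures (prefixed
# "invalid:" so the two kinds are not confused in the output).
failed_by_source() {
    awk -v day="$1" '
        substr($0, 1, 6) == day && /sshd\[[0-9]+\]: Failed password for / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for" && user == "") {
                    user = $(i + 1)
                    if (user == "invalid") user = "invalid:" $(i + 3)
                }
                if ($i == "from" && ip == "") ip = $(i + 1)
            }
            count[user " " ip]++
        }
        END { for (k in count) print count[k], k }' "$2" | sort
}

# Human-readable report for one day, suitable for mailing from cron.
report_day() {
    day="$1"; log="$2"
    echo "== $day =="
    echo "Accepted logins: $(count_accepted "$day" "$log")"
    echo "Attempts against non-existent users: $(count_invalid_users "$day" "$log")"
    echo "Failed password attempts by user and source:"
    failed_by_source "$day" "$log" | sed 's/^/  /'
}

# Stand-alone run over the constructed sample. For a daily cron job replace
# the arguments with "$(date +'%b %e')" and /var/log/auth.log.
report_day "Mar  3" "$SAMPLE_LOG"
report_day "Mar  4" "$SAMPLE_LOG"
```

The counts by source address are the figures a Fail2Ban-style threshold acts on; keeping the "invalid:" prefix in the report makes it obvious when a burst of failures is an enumeration of usernames rather than a real user mistyping a password.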

