How to configure the log level for an SSH server

Adjusting the log level on an SSH server enables detailed visibility into connection attempts, authentication failures, and session activity, which is essential for troubleshooting and security auditing.

The OpenSSH daemon reads its configuration from /etc/ssh/sshd_config and writes messages through the system logging facility, commonly to /var/log/auth.log on Ubuntu and /var/log/secure on many RHEL-derived systems, using the LogLevel directive to control how much detail is recorded for each connection.

Increasing the LogLevel to VERBOSE or DEBUG3 can generate a large volume of log data and slightly increase CPU and disk usage, so such settings are best kept temporary for troubleshooting; the examples here target Ubuntu systems using systemd, while other Linux distributions use the same LogLevel directive but may log to different files.

Related: How to view SSH server configuration
Related: How to manage failed login attempts in SSH

Steps to configure verbose logging for SSH server:

  1. Open a terminal session on the SSH server with a user account that can run sudo. 
    $ whoami
user
  2. Create a backup copy of the current /etc/ssh/sshd_config file. 
    $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak-$(date +%Y%m%d%H%M%S)

    Mis-editing /etc/ssh/sshd_config can prevent new SSH logins, so keeping a backup simplifies rollback if a mistake is made.

  3. Open the /etc/ssh/sshd_config file in a text editor. 
    $ sudo vi /etc/ssh/sshd_config

    Any preferred text editor such as nano, vim, or vi can be used for editing the configuration file.

  4. Locate the LogLevel directive in the file, or add it near the other global settings if it is missing. 
    LogLevel INFO

    If a LogLevel line is present but starts with #, removing the hash activates the directive.

  5. Set the LogLevel to a more verbose value such as VERBOSE or DEBUG3 for detailed troubleshooting. 
    LogLevel DEBUG3

    Valid LogLevel values are QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG1, DEBUG2, and DEBUG3, with DEBUG3 being the most verbose.

    High verbosity, especially DEBUG3, can quickly grow log files and consume disk space, so it should only be used temporarily.

  6. Save the changes in the editor and return to the shell prompt.
  7. Test the sshd configuration for syntax errors before restarting the service. 
    $ sudo sshd -t

    No output from sshd -t indicates that the configuration syntax is valid.

    Related: How to test SSH server configuration

  8. Restart the ssh service to apply the new log level. 
    $ sudo systemctl restart ssh

    Related: How to manage the SSH server service with systemctl in Linux

  9. Check the ssh service status for an active state and recent log messages. 
    $ sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/usr/lib/systemd/system/ssh.service; enabled; preset: enabled)
     Active: active (running) since Sat 2026-01-10 12:26:08 +08; 144ms ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 13469 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 13470 (sshd)
      Tasks: 1 (limit: 4546)
     Memory: 2.7M (peak: 3.6M)
        CPU: 33ms
     CGroup: /system.slice/ssh.service
             └─13470 \"sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups\"
##### snipped #####
  10. Monitor the authentication log to confirm that verbose SSH entries are being recorded. 
    $ sudo tail -f /var/log/auth.log
2026-01-10T12:26:08.518005+08:00 host sshd[13522]: debug2: ssh_set_newkeys: mode 1
2026-01-10T12:26:08.518023+08:00 host sshd[13522]: debug1: rekey out after 134217728 blocks
2026-01-10T12:26:08.518035+08:00 host sshd[13522]: debug1: ssh_packet_set_postauth: called
2026-01-10T12:26:08.518046+08:00 host sshd[13522]: debug3: ssh_packet_set_state: done
2026-01-10T12:26:08.518078+08:00 host sshd[13522]: debug3: notify_hostkeys: key 0: ssh-rsa SHA256:sDNV71xbU2q87h3UsM6EarMU1qUECXm6WBmO5z+xPH8
##### snipped #####

    On some Linux systems, SSH authentication messages appear in /var/log/secure or only in the systemd-journald log, which can be viewed with journalctl -u ssh.

  11. Return the LogLevel to a normal value such as INFO after troubleshooting to reduce log volume. 
    LogLevel INFO

    Leaving DEBUG3 enabled permanently increases noise in the logs and may hide important events among excessive debug messages.