How to configure the log level for an SSH server

Verbose logging on an SSH server allows administrators to capture detailed records of server activities. This includes authentication attempts, data transfers, and executed commands. Adjusting the LogLevel is useful for both troubleshooting and monitoring potential security issues.

The default OpenSSH server configuration logs only basic events, primarily related to user authentication. To capture more detailed information, you can modify the sshd_config file to increase the log verbosity. This setting helps identify issues or monitor specific activities more closely.

It's important to balance the need for detailed logs with server performance. High verbosity levels can generate large amounts of data, which might strain server resources. After completing your monitoring or troubleshooting, reduce the LogLevel to prevent excessive log data.

1. Open the terminal on your SSH server.
2. Open the sshd_config file in the server's configuration directory.

   $ sudo vi /etc/ssh/sshd_config

3. Find the LogLevel directive in the file, or add it if it's missing.

   Uncomment the LogLevel directive if it’s commented.

4. Set the LogLevel to the desired verbosity level.

   LogLevel DEBUG3

   The possible LogLevel options in sshd_config are QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG1, DEBUG2, and DEBUG3.

   Be cautious: setting the log level to DEBUG3 might flood your logs with excessive information which can quickly fill up storage space. This level is typically reserved for deep troubleshooting.

5. Save the changes and close the file.
6. Restart the SSH service to apply the new settings.

   $ sudo systemctl restart ssh

   Related: How to start, restart, and stop the SSH server service

7. Check the logs to confirm that the new logging level is active.

   $ sudo tail -f /var/log/auth.log

   Typically, they can be found in /var/log/auth.log or /var/log/secure, depending on the distribution.