How to configure verbose logging for an SSH server

Verbose logging on an SSH server helps administrators track and understand every transaction occurring between the client and the server. This includes authentication attempts, data transfers, and commands executed. Not only does verbose logging aid in troubleshooting, but it also provides insights for potential security threats.

By default, OpenSSH servers log activities at a standard level, capturing basic events like user authentication. However, for debugging or heightened security monitoring, administrators might want to increase the logging level. In such cases, the verbose mode provides detailed logs which include every transaction and any failed authentication attempts.

Adjusting the log verbosity for an SSH server involves editing the sshd_config file on your server. The different levels of verbosity range from QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG1, DEBUG2, to DEBUG3, with DEBUG3 being the most verbose.

1. Open an SSH terminal to your server.
2. Navigate to the OpenSSH server's configuration directory.
3. Use your preferred text editor to open the sshd_config file.

   $ sudo nano /etc/ssh/sshd_config

4. Find the LogLevel directive within the file. If it doesn't exist, you can add it.
5. Set the LogLevel to your desired verbosity. For verbose logging, choose DEBUG1, DEBUG2, or DEBUG3.

   LogLevel DEBUG3

   Be cautious: setting the log level to DEBUG3 might flood your logs with excessive information which can quickly fill up storage space. This level is typically reserved for deep troubleshooting.

6. Save the file and exit the text editor.
7. Restart the SSH server to apply the changes.

   $ sudo systemctl restart sshd

   Related: How to start, restart, and stop the SSH server service

8. Verify the logging level by inspecting the SSH logs. Typically, they can be found in /var/log/auth.log or /var/log/secure, depending on the distribution.

   $ sudo tail -f /var/log/auth.log

By following the above steps, the SSH server will now capture logs in verbose mode. Remember to periodically review the logs and switch back to a normal logging level once your debugging or monitoring needs have been met. This will help conserve server resources and storage.