In its default configuration, SSH already creates log entries whenever someone logs in via SSH, SCP, or SFTP. On Debian/Ubuntu systems, the entry is made in the /var/log/auth.log file. On Red Hat/CentOS systems, the entry is made in the /var/log/secure file. Either way, the log entry looks something like this:

Oct  1 15:03:23 donnie-ca sshd[1141]: Accepted password for donnie from 192.168.0.225 port 54422 ssh2

Oct  1 15:03:24 donnie-ca sshd[1141]: pam_unix(sshd:session): session opened for user donnie by (uid=0)

Open the sshd_config man page and scroll down to the LogLevel item. There, you'll see the various settings that provide different levels of detail for logging SSH messages. The levels are as follows:

• QUIET
• FATAL
• ERROR
• INFO
• VERBOSE
• DEBUG or DEBUG1
• DEBUG2
• DEBUG3

Normally, the only two of these we would care about are INFO and VERBOSE. INFO is the default setting, while VERBOSE is the only other one that we would use under normal circumstances. The various DEBUG levels might come in handy for troubleshooting, but the man page warns us that using DEBUG in production settings would violate users' privacy.

Let's go ahead and get our hands dirty, just to get a feel for what gets logged with the various levels.