Monitoring ssh logins/logouts

Darren Tucker dtucker at
Wed Apr 6 21:49:52 EST 2005

Jakob Curdes wrote:
> we are trying to monitor ssh logins on security-critical machines with a 
> script that scans logfiles for the relevant entries.
> A problem ist that when the ssh connection is closed by a network 
> interruption or by closing the window with the ssh client, we do not 
> find a corresponding entry in the logs.

Which OpenSSH version, and is it a vendor-supplied package or self-compiled?

> "last" does not show this 
> information either, at least on our systems which are RedHat Linux 
> based. Is there any way to record a "User gone" or so ? At a certain 
> point, the daemon closes the connection when the client has gone away; 
> would it be possible to log this ?

I think sshd should update last on disconnects, if it doesn't it should be 

> I would be grateful for a hint.

The optional audit code in 4.0p1 and will catch these disconnect events 
and syslog them if you enable it (configure --with-audit=debug).

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list