Monitoring ssh logins/logouts

Jakob Curdes jc at
Wed Apr 6 23:40:08 EST 2005

Darren Tucker schrieb:

> Jakob Curdes wrote:
>> we are trying to monitor ssh logins on security-critical machines 
>> with a script that scans logfiles for the relevant entries.
>> A problem ist that when the ssh connection is closed by a network 
>> interruption or by closing the window with the ssh client, we do not 
>> find a corresponding entry in the logs.
> Which OpenSSH version, and is it a vendor-supplied package or 
> self-compiled?
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004 self-compiled.

> I think sshd should update last on disconnects, if it doesn't it 
> should be investigated.
I checked in what situations the problem occurs - it turns out that most 
closed connections are displayed properly by last.
Problems arise e.g. when the session is closed through a reconnectiing 
DSL router, those connections are displayed as "sill logged in" while 
the connection on the client side has been closed long ago.

> The optional audit code in 4.0p1 and will catch these disconnect 
> events and syslog them if you enable it (configure --with-audit=debug).
I will play around with that option and see if we can excerpt the 
relevant information from the additional messages.

Thank you for your hints,

Jakob Curdes

More information about the openssh-unix-dev mailing list