Gilroy

Reputation: 326

Mac OS Sierra log show missing SSH source IP

Before, we could track all SSH logins, either success or failure, in OS X El Capitan. When we moved to OS Sierra, it seems that all the logs were moved, and they can be viewed with log show, log stream, and syslog. We can't track the source IP of an SSH process by looking at those logs, e.g.:

Jun 27 15:38:47 MAC sshd: administrator [priv][240] <Notice>: USER_PROCESS: 243 ttys000
Jun 27 15:39:34 MAC sshd: administrator [priv][249] <Notice>: USER_PROCESS: 257 ttys001
Jun 27 15:42:50 MAC sshd: administrator [priv][249] <Notice>: DEAD_PROCESS: 257 ttys001

Screen sharing logs work perfectly, just like before:

screensharingd: Authentication: SUCCEEDED :: User Name: administrator :: Viewer Address: 10.X.X.X :: Type: DH

Though we can see the logs of sshd if the attempt failed:

 sshd: error: PAM: authentication error for administrator from 10.10.5.73

Any help will be greatly appreciated.
Thank you very much.

Upvotes: 0

Views: 1577

Answers (3)

brianho

Reputation: 1

This command will show SSH login attempts with the source IP stored in RAM.

log show --predicate 'process == "sshd"' --info | grep 'Info'

Upvotes: 0

George Yanev

Reputation: 36

Try with this command:

log stream --info --predicate 'processImagePath contains[c] "sshd"'

It will log the successful and failed attempts.

Upvotes: 2

Gilroy

Reputation: 326

I've found out that SSH logs can be shown using this command:

log show --style JSON | grep "ssh"

Upvotes: 1
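
Added example, not part of the original posts: a shell filter that reduces sshd log text to outcome, user and source IP, and counts failed attempts per address. It assumes sshd's info-level messages use the standard OpenSSH "Accepted/Failed ... for USER from IP" wording plus the PAM line quoted in the question; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pull outcome, user and source IP out of sshd log text on stdin.
# Live use, with the command from the first answer:
#   log show --predicate 'process == "sshd"' --info | ssh_sources
ssh_sources() {
  awk '
    # Standard OpenSSH wording (assumed to be what sshd logs at info level):
    #   Accepted <method> for <user> from <ip> port <n> ssh2
    #   Failed <method> for [invalid user] <user> from <ip> port <n> ssh2
    # PAM wording as quoted in the question:
    #   error: PAM: authentication error for <user> from <ip>
    / Accepted [^ ]+ for /           { report("accepted"); next }
    / Failed [^ ]+ for /             { report("failed");   next }
    /PAM: authentication error for / { report("failed");   next }
    # USER_PROCESS / DEAD_PROCESS lines carry no address and are skipped.

    function report(outcome,   i, u, f) {
      for (i = 1; i <= NF; i++) if ($i == "for") { u = i + 1; break }
      if ($u == "invalid" && $(u + 1) == "user") u += 2   # unknown account
      for (i = u + 1; i <= NF; i++) if ($i == "from") { f = i + 1; break }
      if (u && f && f <= NF) printf "%s\t%s\t%s\n", outcome, $u, $f
    }
  '
}

# Count failed attempts per source address, busiest first.
ssh_failed_by_ip() {
  ssh_sources |
    awk -F '\t' '$1 == "failed" { n[$3]++ } END { for (ip in n) print n[ip], ip }' |
    sort -rn
}

# Constructed sample lines (not real log output). 192.0.2.10 and 198.51.100.7
# are documentation addresses; 10.10.5.73 is the one quoted in the question.
sample_log() {
  cat <<'EOF'
Jun 27 15:38:40 MAC sshd[240]: Accepted publickey for administrator from 192.0.2.10 port 51234 ssh2
Jun 27 15:38:47 MAC sshd: administrator [priv][240] <Notice>: USER_PROCESS: 243 ttys000
Jun 27 15:40:02 MAC sshd[260]: Failed password for invalid user guest from 198.51.100.7 port 40022 ssh2
Jun 27 15:40:05 MAC sshd[260]: Failed password for administrator from 198.51.100.7 port 40022 ssh2
Jun 27 15:41:10 MAC sshd[270]: error: PAM: authentication error for administrator from 10.10.5.73
EOF
}

sample_log | ssh_sources
```

The USER_PROCESS line from the question produces no output row, which is the gap the question describes: that record alone cannot be tied to a source address.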