Where to find sshd logs on MacOS sierra

Asked 13/4, 2017 at 3:1 Answered 11/1, 2019 at 14:2

I want to install Pseudo-Distributed HBase environment on my Mac OS Sierra (10.12.4), and it requires ssh installed and can log with ssh localhost without password. But sometimes I came across with error when I use ssh to log in. Above all are question background, and the actual question is where can I find debug logs of sshd so I could know why logging is failed in further?

As I know, Mac OS already have sshd installed and use launchd to manage it, and I know one way to output debug logs by sshd -E /var/log/sshd.log, but when I reviewed /etc/ssh/sshd_config configuration and there are two lines:

#SyslogFacility AUTH
#LogLevel INFO

I guess these two lines are used to config debug mode, then I removed # before them and set LogLevel to DEBUG3 and then restarted sshd:

$ launchctl unload -w /System/Library/LaunchDaemons/ssh.plist
$ launchctl load -w /System/Library/LaunchDaemons/ssh.plist

And then I set log path in /etc/syslog.conf:

auth.*<tab>/var/log/sshd.log

<tab> means tab character here, and reloaded the config:

$ killall -HUP syslogd

But sshd.log file can not be found in /var/log folder when I executed ssh localhost. I also tried config the /etc/asl.log:

> /var/log/sshd.log format=raw
? [= Facility auth] file sshd.log

And the result was the same, can someone help me?

Farriery answered 13/4, 2017 at 3:1 Comment(0)

Apple, as usual, decided to re-invent the wheel.

In super-user window

# log config --mode "level:debug" --subsystem com.openssh.sshd
# log  stream --level debug  2>&1 | tee /tmp/logs.out

In another window

$ ssh localhost
$ exit

Back in Super-user window

^C (interrupt)
# grep sshd /tmp/logs.out
2019-01-11 08:53:38.991639-0500 0x17faa85  Debug       0x0                  37284  sshd: (libsystem_network.dylib) sa_dst_compare_internal <private>@0 < <private>@0
2019-01-11 08:53:38.992451-0500 0xb47b5b   Debug       0x0                  57066  socketfilterfw: (Security) [com.apple.securityd:unixio] open(/usr/sbin/sshd,0x0,0x1b6) = 12
...
...

In super-user window, restore default sshd logging

# log config --mode "level:default" --subsystem com.openssh.sshd

Fluctuation answered 11/1, 2019 at 14:2 Comment(0)

You can find it in /var/log/system.log. Better if you filter by "sshd":

cat /var/log/system.log | grep sshd

Sporophyte answered 26/10, 2017 at 8:13 Comment(0)

Try this

cp /System/Library/LaunchDaemons/ssh.plist /Library/LaunchDaemons/ssh.plist

Then

vi /Library/LaunchDaemons/ssh.plist

And add your -E as shown below

 <array>
                    <string>/usr/sbin/sshd</string>
                    <string>-i</string>
                    <string>-E</string>
                    <string>/var/log/system.log</string> 
 </array>

And lastly restart sshd now you will see sshd logs in /var/log/system.log

launchctl unload /System/Library/LaunchDaemons/ssh.plist && launchctl load -w /Library/LaunchDaemons/ssh.plist

Londrina answered 24/4, 2018 at 20:32 Comment(2)

Why not simply modify the /System plist instead of making a new /Library one? – Marutani 28/3, 2019 at 17:9

Edit: See my comment here – Marutani 28/3, 2019 at 17:48

I also had an ssh issue that I wanted to debug further and was not able to figure out how to get the sshd debug logs to appear in any of the usual places. I resorted to editing the /System/Library/LaunchDaemons/ssh.plist file to add a -E <log file location> parameter (/tmp/sshd.log, for example). I also edited /etc/ssh/sshd_config to change the LogLevel. With these changes, I was able to view the more verbose logs in the specified log file.

I don't have much experience with MacOS so I'm sure there is a more correct way to configure this, but for lack of a better approach this got the logs I was looking for.

Auditorium answered 2/6, 2017 at 12:49 Comment(1)

Note that on macOS 10.11 and later, changing anything underneath /System requires disabling System Integrity Protection (Apple Docs); see e.g. here for how to disable it. Be careful! – Atherosclerosis 20/2, 2018 at 11:0

According to Apple's developer website, logging behavior has changed in macOS 10.12 and up:

Important:

Unified logging is available in iOS 10.0 and later, macOS 10.12 and later, tvOS 10.0 and later, and watchOS 3.0 and later, and supersedes ASL (Apple System Logger) and the Syslog APIs. Historically, log messages were written to specific locations on disk, such as /etc/system.log. The unified logging system stores messages in memory and in a data store, rather than writing to text-based log files.

Unfortunately, unless someone comes up with a pretty clever way to extract the log entries from memory or this mysterious "data store", I think we're SOL :/

Cotter answered 20/2, 2018 at 3:29 Comment(1)

There's the standard CLI tool named "log" which cleverly shows the misterious log. – Machmeter 3/2 at 4:38

There is some sshd log in

/var/log/system.log

for example

Apr 26 19:00:11 mac-de-mamie com.apple.xpc.launchd[1] (com.openssh.sshd.7AAF2A76-3475-4D2A-9EEC-B9624143F2C2[535]): Service exited with abnormal code: 1

Not very instructive. I doubt if more can be obtained. LogLevel VERBOSE and LogLevel DEBUG3 in sshd_config do not help.

According to man sshd_config : "Logging with a DEBUG level violates the privacy of users and is not recommended."

By the way, I relaunched sshd not with launchctl but with System preference Sharing, ticking Remote login.

There, I noticed the option : Allow access for ...

I suspect this settings to be OUTSIDE /etc/ssh/sshd_config (easy to check but I have no time).

Beware that Mac OS X is not Unix : Apple developpers can do many strange things behind the scene without any care for us command line users.

Homocyclic answered 26/4, 2017 at 17:34 Comment(0)

Important:

Recommended topics

Hot tags