This is sample sanitized log output from an SSHD server with extended logging enabled. Because privilege separation causes multiple SSHD instances to be spawned for each connection, the remote IP and port are included in every log line. This should allow machine-parsable tracking of a single connection across multiple SSHD instances. The typical format of the extended logs is as follows:

SSH: Server;Ltype: Log data type;Remote: RemoteIP-RemotePort;Log data name: Log data value

There are four log data types.

  • Version: Contains the protocol level and client version information
  • Kex: Key Exchange result information including the encryption (Enc:) used, MAC (MAC:) used, and compression (Comp:) used
  • Authname: The remote user name
  • Throughput: Contains the amount of data seen on the STDOUT and STDIN of the server, duration of the connection, and average throughput in both directions in bytes per second.

     Nov 15 14:55:18 delta sshd[30262]: Server listening on 0.0.0.0 port 22221.
     Nov 15 14:55:33 delta sshd[30265]: SSH: Server;Ltype: Version;Remote: 130.59.1.1-49913;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn12v19
     Nov 15 14:55:34 delta sshd[30268]: SSH: Server;Ltype: Kex;Remote: 130.59.1.1-49913;Enc: aes128-cbc;MAC: hmac-md5;Comp: none
     Nov 15 19:55:34 delta sshd[30268]: SSH: Server;Ltype: Authname;Remote: 130.59.1.1-49913;Name: rapier
     Nov 15 14:55:35 delta sshd[30265]: Accepted publickey for rapier from 130.59.1.1 port 49913 ssh2
     Nov 15 14:55:53 delta sshd[30269]: SSH: Server;LType: Throughput;Remote: 130.59.1.1-49913;IN: 84608;OUT: 205357344;Duration: 17.7;tPut_in: 4790.9;tPut_out: 11628400.6
     Nov 15 15:11:12 delta sshd[30320]: SSH: Server;Ltype: Version;Remote: 130.59.1.1-38262;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn12v19
     Nov 15 15:11:12 delta sshd[30323]: SSH: Server;Ltype: Kex;Remote: 130.59.1.1-38262;Enc: aes128-cbc;MAC: hmac-md5;Comp: none
     Nov 15 20:11:13 delta sshd[30323]: SSH: Server;Ltype: Authname;Remote: 130.59.1.1-38262;Name: rapier
     Nov 15 15:11:14 delta sshd[30320]: Accepted publickey for rapier from 130.59.1.1 port 38262 ssh2
     Nov 15 15:11:31 delta sshd[30324]: SSH: Server;LType: Throughput;Remote: 130.59.1.1-38262;IN: 84704;OUT: 205362048;Duration: 17.1;tPut_in: 4954.2;tPut_out: 12011361.8
     Nov 15 15:12:29 delta sshd[30393]: SSH: Server;Ltype: Version;Remote: 130.59.1.1-38265;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn12v19
     Nov 15 15:12:29 delta sshd[30396]: SSH: Server;Ltype: Kex;Remote: 130.59.1.1-38265;Enc: aes128-cbc;MAC: hmac-md5;Comp: none
     Nov 15 20:12:30 delta sshd[30396]: SSH: Server;Ltype: Authname;Remote: 130.59.1.1-38265;Name: rapier
     Nov 15 15:12:30 delta sshd[30393]: Accepted publickey for rapier from 130.59.1.1 port 38265 ssh2
     Nov 15 15:12:42 delta sshd[30397]: SSH: Server;LType: Throughput;Remote: 130.59.1.1-38265;IN: 4752;OUT: 1824;Duration: 12.0;tPut_in: 396.8;tPut_out: 152.3
     Nov 15 15:13:00 delta sshd[30443]: SSH: Server;Ltype: Version;Remote: 130.59.1.1-38266;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn12v19
     Nov 15 15:13:00 delta sshd[30446]: SSH: Server;Ltype: Kex;Remote: 130.59.1.1-38266;Enc: arcfour;MAC: hmac-md5;Comp: none
     Nov 15 20:13:00 delta sshd[30446]: SSH: Server;Ltype: Authname;Remote: 130.59.1.1-38266;Name: rapier
     Nov 15 15:13:01 delta sshd[30443]: Accepted publickey for rapier from 130.59.1.1 port 38266 ssh2
     Nov 15 15:13:05 delta sshd[30447]: SSH: Server;LType: Throughput;Remote: 130.59.1.1-38266;IN: 3440;OUT: 776;Duration: 4.5;tPut_in: 768.4;tPut_out: 173.3
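
The connection tracking described above, as an added example that is not part of the original page or of the SSHD code: a Python parser that groups extended-log records by their Remote field, so the lines written under different SSHD PIDs merge into one record per connection. The names parse_line and correlate are assumptions made for this example; the sample lines are taken from the log output above.

```python
import re
from collections import defaultdict

# Lines taken from the sample output above: one full connection plus one Kex record.
SAMPLE = """\
Nov 15 14:55:33 delta sshd[30265]: SSH: Server;Ltype: Version;Remote: 130.59.1.1-49913;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn12v19
Nov 15 14:55:34 delta sshd[30268]: SSH: Server;Ltype: Kex;Remote: 130.59.1.1-49913;Enc: aes128-cbc;MAC: hmac-md5;Comp: none
Nov 15 19:55:34 delta sshd[30268]: SSH: Server;Ltype: Authname;Remote: 130.59.1.1-49913;Name: rapier
Nov 15 14:55:35 delta sshd[30265]: Accepted publickey for rapier from 130.59.1.1 port 49913 ssh2
Nov 15 14:55:53 delta sshd[30269]: SSH: Server;LType: Throughput;Remote: 130.59.1.1-49913;IN: 84608;OUT: 205357344;Duration: 17.7;tPut_in: 4790.9;tPut_out: 11628400.6
Nov 15 15:13:00 delta sshd[30446]: SSH: Server;Ltype: Kex;Remote: 130.59.1.1-38266;Enc: arcfour;MAC: hmac-md5;Comp: none
"""

LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: SSH: Server;(?P<body>.*)$")

def parse_line(line):
    """Return (pid, fields) for an extended-log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for part in m.group("body").split(";"):
        name, sep, value = part.partition(":")
        if sep:
            # Keys are lower-cased because the sample shows both "Ltype" and "LType".
            fields[name.strip().lower()] = value.strip()
    if "ltype" not in fields or "remote" not in fields:
        return None
    return int(m.group("pid")), fields

def correlate(lines):
    """Group extended-log records by Remote (IP-port), merging fields across PIDs."""
    conns = defaultdict(lambda: {"pids": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # ordinary sshd messages such as "Accepted publickey" are skipped
        pid, fields = parsed
        conn = conns[fields.pop("remote")]
        conn["pids"].add(pid)
        ltype = fields.pop("ltype").lower()
        for name, value in fields.items():
            conn[f"{ltype}.{name}"] = value
    return dict(conns)

if __name__ == "__main__":
    for remote, conn in correlate(SAMPLE.splitlines()).items():
        print(remote, sorted(conn.pop("pids")), conn)
```

The Client and Name values are supplied by the remote peer, so treat them as untrusted input when passing the parsed records to other tools.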