Adding OpenSSH server logs to Splunk

By default, in most Linux distros, OpenVPN log output goes to the authlog, which is usually at /var/log/auth.log, as such it is trivial to add them to Splunk monitoring:

sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/auth.log -index main -sourcetype OpenSSH

Splunk (manual):
sudo vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf

disabled = false
index = main
sourcetype = OpenSSH


Install OpenSSH Server on Ubuntu

I’ve discussed the use of SSH in several posts in the past, but while recently building a new environment, I realized that I’ve never indicated how the service itself should be installed.


sudo apt-get install openssh-server

If you desire to change any of the default configuration such as port or cyphers…

sudo vi /etc/ssh/ssh_config

NOTE: If you intend to access the server from the Internet, you will have to verify that port forwarding is enabled on your routers and firewalls.