Ubuntu – create log file just for ssh

The answer to this lies in sshd.conf and sshd_config (server) and ssh_config (client). Depending on the log level it logs to /var/log/syslog (default) and/or /var/log/auth.log (loglevel 'verbose' contains ssh login attempts).

If present /var/log/secure also contains an access log.

You will need root/sudo access to edit any of these files: they will be word-readable but not world-editable.

Next to that. Besides the login from the ssh daemon the command last also shows (failed) logins from ssh. The information for this command comes from /var/log/wtmp (There will be several more I bet).

And there is also the probability the sysadmin installed auditd or logwatch making it practically impossible to hide activity since they could get a notice based on activity undoing the registration of the ssh activity impossible.

Example of /var/log/auth.log:

Aug 10 10:10:10 rinzwind sshd[3653]: Invalid user text from {ipadress}
Aug 10 10:10:10 rinzwind sshd[3653]: Excess permission or bad ownership on file /var/log/btmp
Aug 10 10:10:10 rinzwind sshd[3653]: error: Could not get shadow information for NOUSER
Aug 10 10:10:10 rinzwind sshd[3653]: Failed password for invalid user test from {ipadress} port {port} ssh2
Aug 10 10:10:10 rinzwind sshd[3653]: Excess permission or bad ownership on file /var/log/btmp

By default, the OpenSSH server logs to the AUTH facility of syslog, at the INFO level. If you want to record more information - such as failed login attempts - you should increase the logging level to VERBOSE.

It's recommended to log more information if you're curious about malicious SSH traffic.

To increase the level, find the following line in your sshd_config:

LogLevel INFO and change it to this:

LogLevel VERBOSE Now all the details of ssh login attempts will be saved in your /var/log/auth.log file.

More info at: https://help.ubuntu.com/community/SSH/OpenSSH/Configuring