
Mac OS Sierra log show missing SSH source IP


Before, we could track all SSH logins, whether successes or failures, in OS X El Capitan. When we moved to OS Sierra, it seems that all the logs were moved and can be viewed with log show, log stream, and syslog. We can't track the source IP of an SSH process by looking at those logs, e.g.:

Jun 27 15:38:47 MAC sshd: administrator [priv][240] <Notice>: USER_PROCESS: 243 ttys000
Jun 27 15:39:34 MAC sshd: administrator [priv][249] <Notice>: USER_PROCESS: 257 ttys001
Jun 27 15:42:50 MAC sshd: administrator [priv][249] <Notice>: DEAD_PROCESS: 257 ttys001

Screen sharing logs work perfectly, just like before:

screensharingd: Authentication: SUCCEEDED :: User Name: administrator :: Viewer Address: 10.X.X.X :: Type: DH

Though we can see the logs of sshd if the attempt failed:

 sshd: error: PAM: authentication error for administrator from 10.10.5.73

Any help will be greatly appreciated.
Thank you very much.


Solution

  • Try with this command:

    log stream --info --predicate 'processImagePath contains[c] "sshd"'
    

    It will log the successful and failed attempts.
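
As an added example (not part of the original question or answer), the shell function below turns the sshd lines from that stream into one record per login attempt, with the result, the user, and the source IP. It assumes successful logins appear as OpenSSH's standard "Accepted ... for ... from ..." message; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): summarize sshd authentication
# events as "RESULT<TAB>user<TAB>source-ip", reading log lines on stdin.
# Assumed message formats: OpenSSH's "Accepted <method> for <user> from <ip> ..."
# and "Failed <method> for [invalid user] <user> from <ip> ...", plus the
# "error: PAM: authentication error for <user> from <ip>" line quoted above.
ssh_auth_events() {
    awk '
    !/sshd/ { next }                      # ignore other processes
    {
        result = ""; start = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted" && $(i+2) == "for") { result = "SUCCESS"; start = i + 3; break }
            if ($i == "Failed"   && $(i+2) == "for") { result = "FAILURE"; start = i + 3; break }
            if ($i == "PAM:" && $(i+1) == "authentication" && $(i+2) == "error" && $(i+3) == "for") {
                result = "FAILURE"; start = i + 4; break
            }
        }
        if (!start) next                  # session lines such as USER_PROCESS carry no address
        if ($start == "invalid" && $(start+1) == "user") start += 2
        # The user name is client-supplied text, so take the address after the
        # LAST "from" on the line rather than the first.
        from = 0
        for (j = NF - 1; j >= start; j--) if ($j == "from") { from = j; break }
        if (!from) next
        user = "-"
        if (from > start) {
            user = $start
            for (k = start + 1; k < from; k++) user = user " " $k
        }
        print result "\t" user "\t" $(from + 1)
    }'
}

# Constructed sample input; on macOS Sierra the live feed would be:
#   log stream --info --predicate 'processImagePath contains[c] "sshd"' | ssh_auth_events
ssh_auth_events <<'EOF'
Jun 27 15:38:47 MAC sshd: administrator [priv][240] <Notice>: USER_PROCESS: 243 ttys000
2017-06-27 15:38:47.000000+0800 0x1a2 Info 0x0 240 sshd: Accepted keyboard-interactive/pam for administrator from 10.10.5.73 port 51514 ssh2
 sshd: error: PAM: authentication error for administrator from 10.10.5.73
screensharingd: Authentication: SUCCEEDED :: User Name: administrator :: Viewer Address: 10.X.X.X :: Type: DH
EOF
```

Lines without an address, such as the USER_PROCESS and DEAD_PROCESS session records shown in the question, are skipped rather than reported with an empty source.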