SSH Server Logs

Overview

Evidence: SSH Server Logs
Description: Collect SSH Server Logs
Category: Applications
Platform: aix
Short Name: sshl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Background

SSH server logs on AIX are recorded through the AIX audit subsystem in /audit. These logs capture SSH connection attempts, authentication events, successful logins, and session activities specific to AIX's OpenSSH implementation.

Data Collected

This collector gathers structured data about SSH server logs.

Collection Method

This collector gathers SSH-related audit logs from /audit/*, which contains AIX audit records including SSH daemon authentication and session events.

Forensic Value

SSH logs on AIX are essential for investigating unauthorized remote access, brute force attacks, SSH key compromises, and lateral movement on AIX systems. They provide IP addresses, usernames, and authentication methods critical for security investigations.

Notes

Artifact collector for AIX. Locations: /audit/*
