Auth Logs

Overview

Evidence: Auth Logs
Description: Collect Auth Logs
Category: System
Platform: linux
Short Name: authl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Background

Linux auth logs record all authentication-related events including user logins, sudo commands, SSH access attempts, su commands, and PAM (Pluggable Authentication Modules) activities. Found primarily on Debian-based systems.

Data Collected

This collector gathers the auth log files themselves. The files are collected as-is (Collect File(s): Yes) and are not parsed by the collector (Is Parsed: No).

Collection Method

This collector gathers auth log files from /var/log/auth*, including rotated logs, which contain detailed authentication and authorization events.

Forensic Value

Auth logs are critical for investigating unauthorized access, privilege escalation, brute force attacks, SSH intrusions, and user activity. They provide essential evidence for security incident investigations and compliance auditing.
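Because the collector ships the raw /var/log/auth* files without parsing them, an investigator still has to turn those lines into events. The following is an added example, not code from the collector or its product: it reads auth* files (decompressing rotated .gz copies) in the traditional syslog line format, extracts SSH failures and successes, sudo commands and su sessions, and flags sources whose failed-login count reaches a threshold. The log directory, the threshold and the sample lines are assumptions/constructed for illustration.

```python
import gzip
import re
from collections import Counter
from pathlib import Path

# Constructed sample auth.log lines (traditional syslog format); not taken from any real host.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Mar  3 10:01:04 host sshd[1203]: Failed password for root from 198.51.100.7 port 50124 ssh2
Mar  3 10:01:06 host sshd[1205]: Failed password for root from 198.51.100.7 port 50126 ssh2
Mar  3 10:02:10 host sshd[1210]: Accepted publickey for alice from 203.0.113.5 port 41022 ssh2: ED25519 SHA256:xxxx
Mar  3 10:03:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:04:00 host su[1300]: pam_unix(su:session): session opened for user root by alice(uid=1000)
"""

# (event kind, regex, names for the captured groups)
PATTERNS = [
    ("ssh_failed", re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)"), ("user", "src")),
    ("ssh_accepted", re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)"), ("method", "user", "src")),
    ("sudo", re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$"), ("user", "as", "command")),
    ("su", re.compile(r"su\[\d+\]: pam_unix\(su:session\): session opened for user (\S+) by ([^(\s]+)"), ("target", "by")),
]

def parse_line(line):
    """Return (kind, fields) for a recognised auth event, or None for anything else."""
    for kind, regex, names in PATTERNS:
        m = regex.search(line)
        if m:
            return kind, dict(zip(names, (g.strip() for g in m.groups())))
    return None

def iter_auth_lines(log_dir="/var/log"):
    """Yield lines from auth* files, transparently decompressing rotated .gz logs."""
    for path in sorted(Path(log_dir).glob("auth*")):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh

def summarize(lines, failed_threshold=3):
    """Bucket events, list sudo commands, and flag sources at/above the failed-login threshold."""
    events = [e for e in map(parse_line, lines) if e]
    failed_by_src = Counter(f["src"] for kind, f in events if kind == "ssh_failed")
    return {
        "events": events,
        "brute_force_sources": sorted(s for s, n in failed_by_src.items() if n >= failed_threshold),
        "sudo_commands": [f for kind, f in events if kind == "sudo"],
    }

if __name__ == "__main__":
    # Run on the constructed sample; swap in iter_auth_lines() to read collected files.
    print(summarize(SAMPLE_AUTH_LOG.splitlines()))
```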
