# Auth Logs

## Overview

**Evidence:** Auth Logs\
**Description:** Collect Auth Logs\
**Category:** System\
**Platform:** linux\
**Short Name:** authl\
**Is Parsed:** No\
**Sent to Investigation Hub:** No\
**Collect File(s):** Yes

## Background

Linux auth logs record authentication-related events, including user logins, sudo commands, SSH access attempts, su commands, and PAM (Pluggable Authentication Modules) activity. They are found primarily on Debian-based systems.

## Data Collected

This collector gathers structured data about auth logs.

## Collection Method

This collector gathers auth log files from /var/log/auth\*, including rotated logs, which contain detailed authentication and authorization events.

## Forensic Value

Auth logs are critical for investigating unauthorized access, privilege escalation, brute force attacks, SSH intrusions, and user activity. They provide essential evidence for security incident investigations and compliance auditing.
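As an added example, not part of this evidence page or the collector's own code, the following Python script shows what the collection method and the brute-force triage described above amount to in practice: it enumerates every auth\* file in a log directory including gzip-rotated copies, hashes each file at collection time, reads plain and rotated logs transparently, and counts failed SSH password attempts per source address. The log directory, log lines and IP addresses are constructed for the demonstration.

```python
import gzip
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path

# logrotate naming on Debian: auth.log, auth.log.1, auth.log.2.gz, ...
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def collect_auth_logs(log_dir):
    """Return [(path, sha256)] for every auth* file in log_dir, rotated copies included.
    Hashing at collection time lets the examiner show the copies were not altered later."""
    files = sorted(p for p in Path(log_dir).glob("auth*") if p.is_file())
    return [(str(p), hashlib.sha256(p.read_bytes()).hexdigest()) for p in files]

def iter_auth_lines(paths):
    """Yield lines from plain and gzip-compressed (rotated) auth logs transparently."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            for line in fh:
                yield line.rstrip("\n")

def failed_ssh_logins(lines):
    """Count sshd 'Failed password' events per source IP, a first brute-force triage."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def build_sample_log_dir():
    """Constructed sample data (not from a real host): one live log plus one rotated .gz."""
    d = Path(tempfile.mkdtemp())
    (d / "auth.log").write_text(
        "Mar  3 10:15:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2\n"
        "Mar  3 10:15:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2\n"
        "Mar  3 10:15:09 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 50001 ssh2\n"
    )
    with gzip.open(str(d / "auth.log.2.gz"), "wt") as fh:
        fh.write("Mar  2 23:59:40 host sshd[1100]: Failed password for root from 203.0.113.5 port 40000 ssh2\n"
                 "Mar  2 23:59:41 host sshd[1101]: Failed password for bob from 192.0.2.9 port 40001 ssh2\n")
    return str(d)
```

On a real system, point `collect_auth_logs` at `/var/log` so that rotated files such as `auth.log.1` and `auth.log.2.gz` are captured alongside the live `auth.log`.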
