SSH Server Logs

Overview

Evidence: SSH Server Logs
Description: Collect SSH Server Logs
Category: Applications
Platform: linux
Short Name: sshl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Background

SSH server logs on Linux record every SSH connection attempt, successful login, authentication failure, and session event. These logs are written to auth.log (Debian-based distributions) or secure (Red Hat-based distributions) and are critical for investigating remote access.

Data Collected

This collector gathers the SSH server log files described under Collection Method.

Collection Method

This collector gathers SSH-related logs from /var/log/auth*, which contain the SSH daemon (sshd) authentication events and session information.

Forensic Value

SSH logs are critical for investigating unauthorized remote access, brute force attacks, SSH key compromises, lateral movement, and attacker activities. They provide IP addresses, usernames, authentication methods, and session timing.
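As an added example (not part of this collector's documentation or code), the following Python parses constructed sshd lines in the auth.log format, extracts the fields named above (source IP, username, authentication method, timing), and flags source IPs whose repeated failures were followed by a successful login, which is the brute-force pattern an investigator would escalate first:

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:04 host sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:06 host sshd[1203]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:01:09 host sshd[1204]: Accepted password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:05:30 host sshd[1300]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2: RSA SHA256:abcdef
Mar  3 10:09:00 host sshd[1300]: pam_unix(sshd:session): session closed for user alice
"""

# Matches the Accepted/Failed lines; "invalid user" marks a username that does not exist on the host.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def parse_auth_events(text):
    """Return one dict per sshd Accepted/Failed line: ts, pid, result, method, user, ip, port, invalid_user."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["invalid_user"] = bool(ev.pop("invalid"))
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events

def find_brute_force(events, threshold=3):
    """Source IPs with at least `threshold` failures, plus any (user, method) logins that
    succeeded from that IP after the failure count had already reached the threshold."""
    fails = Counter()
    success_after = {}
    for ev in events:  # log order is chronological, so a running count is enough
        ip = ev["ip"]
        if ev["result"] == "Failed":
            fails[ip] += 1
        elif fails[ip] >= threshold:
            success_after.setdefault(ip, []).append((ev["user"], ev["method"]))
    return {ip: {"failures": n, "success_after": success_after.get(ip, [])}
            for ip, n in fails.items() if n >= threshold}

if __name__ == "__main__":
    for ip, info in find_brute_force(parse_auth_events(SAMPLE_LOG)).items():
        print(ip, info)
```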
