# SSH Server Logs

## Overview

**Evidence:** SSH Server Logs\
**Description:** Collect SSH Server Logs\
**Category:** Applications\
**Platform:** linux\
**Short Name:** sshl\
**Is Parsed:** No\
**Sent to Investigation Hub:** No\
**Collect File(s):** Yes

## Background

SSH server logs on Linux record SSH connection attempts, successful logins, authentication failures, and session open and close events. The SSH daemon (sshd) writes them through syslog to /var/log/auth.log on Debian-based systems or /var/log/secure on Red Hat-based systems, and they are critical for investigating remote access.

## Data Collected

This collector gathers the SSH server log files themselves; their contents are not parsed by the collector (Is Parsed: No, above).

## Collection Method

This collector gathers SSH-related logs matching /var/log/auth\*, which covers the current auth.log and rotated copies such as auth.log.1 and auth.log.2.gz. These files contain SSH daemon (sshd) authentication events and session information. On Red Hat-based systems, where the same events are written to /var/log/secure, that file falls outside this pattern.

## Forensic Value

SSH logs are critical for investigating unauthorized remote access, brute force attacks, SSH key compromises, lateral movement, and attacker activities. They provide IP addresses, usernames, authentication methods, and session timing.
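As an added example, not part of the collector itself, the following Python triage runs over constructed sshd log lines in the syslog format described above and pulls out the fields listed here (source IP, username, authentication method, session timing), flagging a successful login that follows a burst of failures from the same IP. The sample lines, hostnames, addresses and the threshold of three failures are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format sshd writes to
# /var/log/auth.log (Debian) or /var/log/secure (Red Hat); not real data.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:04 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 10:01:07 host1 sshd[1205]: Failed password for root from 203.0.113.5 port 51041 ssh2
Mar  3 10:02:15 host1 sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2: ED25519 SHA256:placeholder
Mar  3 10:02:15 host1 sshd[1210]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
Mar  3 10:03:40 host1 sshd[1215]: Accepted password for root from 203.0.113.5 port 51100 ssh2
Mar  3 10:09:01 host1 sshd[1210]: pam_unix(sshd:session): session closed for user alice
"""

# Common syslog prefix: timestamp, host, and the sshd process id.
TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
AUTH_RE = re.compile(TS + r"(?P<result>Accepted|Failed) (?P<method>\w+) for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
SESSION_RE = re.compile(TS + r"pam_unix\(sshd:session\): session (?P<state>opened|closed) "
                        r"for user (?P<user>[^\s(]+)")

def parse_sshd_log(text):
    """Split sshd log lines into authentication events and session open/close events."""
    auths, sessions = [], {}
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            auths.append(m.groupdict())
            continue
        m = SESSION_RE.match(line)
        if m:
            # Key on the sshd PID so the open and close of one session pair up.
            sessions.setdefault(m["pid"], {"user": m["user"]})[m["state"]] = m["ts"]
    return auths, sessions

def triage(text, fail_threshold=3):
    """Summarise failures per source IP, accepted logins with their method, and
    successes that follow a burst of failures from the same IP (a common
    brute-force indicator); the threshold is an assumed value."""
    auths, sessions = parse_sshd_log(text)
    failures = Counter(e["ip"] for e in auths if e["result"] == "Failed")
    accepted = [(e["user"], e["ip"], e["method"]) for e in auths if e["result"] == "Accepted"]
    suspicious = [(u, ip, m) for u, ip, m in accepted if failures[ip] >= fail_threshold]
    return {"failures": dict(failures), "accepted": accepted,
            "suspicious": suspicious, "sessions": sessions}

if __name__ == "__main__":
    print(triage(SAMPLE_AUTH_LOG))
```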
