Evidence: SSH Server Logs
Description: Collect SSH Server Logs
Category: Applications
Platform: linux
Short Name: sshl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
SSH server logs on Linux record all SSH connection attempts, successful logins, authentication failures, and session open/close events. These logs are found in auth.log (Debian) or secure (Red Hat) and are critical for investigating remote access.
Data Collected
This collector gathers structured data about SSH server logs.
Collection Method
This collector gathers SSH-related logs from /var/log/auth*, which contain SSH daemon (sshd) authentication events and session information. Note that this glob does not match /var/log/secure, where Red Hat systems write the same sshd events (see Background).
Forensic Value
SSH logs are critical for investigating unauthorized remote access, brute force attacks, SSH key compromises, lateral movement, and attacker activities. They provide IP addresses, usernames, authentication methods, and session timing.
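As an added example, not code from this collector: a small Python parser over constructed sshd lines in the syslog format used by auth.log and secure, extracting the source IP, username and authentication method described above and flagging sources with repeated failures that were later followed by an accepted login. The exact message layout, the sample lines and the failure threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed sshd line layout: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Accepted/Failed authentication messages; "invalid user" marks a non-existent account.
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_sshd_auth(lines):
    """Return one dict per Accepted/Failed sshd authentication line; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        a = AUTH_RE.match(m.group("msg"))
        if not a:
            continue
        events.append({"ts": m.group("ts"), "host": m.group("host"), **a.groupdict(),
                       "invalid_user": "invalid user" in m.group("msg")})
    return events

def brute_force_sources(events, threshold=5):
    """Source IPs with >= threshold failures, plus any users they later logged in as."""
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    accepted = defaultdict(set)
    for e in events:
        if e["result"] == "Accepted":
            accepted[e["ip"]].add(e["user"])
    return {ip: {"failures": n, "accepted_users": sorted(accepted.get(ip, ()))}
            for ip, n in failures.items() if n >= threshold}

# Constructed sample lines (not a real capture); addresses are documentation ranges.
SAMPLE = """\
Mar  3 10:01:02 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar  3 10:01:03 web01 sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 50123 ssh2
Mar  3 10:01:05 web01 sshd[1205]: Failed password for root from 203.0.113.5 port 50124 ssh2
Mar  3 10:01:06 web01 sshd[1207]: Failed password for root from 203.0.113.5 port 50125 ssh2
Mar  3 10:01:08 web01 sshd[1209]: Failed password for root from 203.0.113.5 port 50126 ssh2
Mar  3 10:01:20 web01 sshd[1211]: Accepted password for deploy from 203.0.113.5 port 50130 ssh2
Mar  3 10:01:21 web01 sshd[1211]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar  3 10:05:00 web01 sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 41000 ssh2: ED25519 SHA256:placeholder
""".splitlines()

if __name__ == "__main__":
    for ip, info in brute_force_sources(parse_sshd_auth(SAMPLE)).items():
        print(ip, info)
```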