SSH Server Logs
Overview
Evidence: SSH Server Logs
Description: Collect SSH Server Logs
Category: Applications
Platform: aix
Short Name: sshl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
SSH server logs on AIX are recorded through the AIX audit subsystem in /audit. These logs capture SSH connection attempts, authentication events, successful logins, and session activities specific to AIX’s OpenSSH implementation.
Data Collected
This collector gathers structured data about SSH server logs.
Collection Method
This collector gathers SSH-related audit logs from /audit/*, which contains AIX audit records including SSH daemon authentication and session events.
Forensic Value
SSH logs on AIX are essential for investigating unauthorized remote access, brute-force attacks, SSH key compromises, and lateral movement on AIX systems. They provide the source IP addresses, usernames, and authentication methods that are critical for security investigations.
Artifact collector for AIX. Locations: /audit/*