Auth Logs
Overview
Evidence: Auth Logs
Description: Collect Auth Logs
Category: System
Platform: linux
Short Name: authl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
Linux auth logs record all authentication-related events including user logins, sudo commands, SSH access attempts, su commands, and PAM (Pluggable Authentication Modules) activities. Found primarily on Debian-based systems.
Data Collected
This collector gathers structured data about auth logs.
Collection Method
This collector gathers auth log files from /var/log/auth*, including rotated logs, which contain detailed authentication and authorization events.
Forensic Value
Auth logs are critical for investigating unauthorized access, privilege escalation, brute force attacks, SSH intrusions, and user activity. They provide essential evidence for security incident investigations and compliance auditing.
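As an added example of what an analyst does with the collected files (this is not the collector's own code), the script below reads every file matching /var/log/auth*, transparently decompressing rotated .gz logs, and pulls out the events named above: failed and accepted SSH logins per source address and sudo command executions. The log lines embedded in it are constructed samples, not real data; the path pattern and the brute-force threshold are assumptions.

```python
import glob
import gzip
import re
from collections import Counter

# Constructed sample auth.log lines (not real data) in the syslog format
# written by sshd, sudo and su on a Debian-based host.
SAMPLE_LINES = [
    "Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2",
    "Mar  3 10:01:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2",
    "Mar  3 10:01:09 host sshd[1202]: Failed password for root from 203.0.113.5 port 50124 ssh2",
    "Mar  3 10:02:00 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40100 ssh2: ED25519 SHA256:xyz",
    "Mar  3 10:02:30 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Mar  3 10:03:00 host su[1300]: Successful su for root by alice",
]

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")

def auth_log_lines(pattern="/var/log/auth*"):
    """Yield lines from every file matching the pattern (assumed default),
    decompressing rotated logs such as auth.log.2.gz on the fly."""
    for path in sorted(glob.glob(pattern)):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh

def summarize(lines):
    """Count failed SSH password attempts per source IP and collect
    accepted SSH logins (user, ip, method) and sudo runs (user, target, cmd)."""
    failed, accepted, sudo = Counter(), [], []
    for line in lines:
        if m := FAILED_RE.search(line):
            failed[m.group(2)] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted.append((m.group(2), m.group(3), m.group(1)))
        elif m := SUDO_RE.search(line):
            sudo.append((m.group(1), m.group(2), m.group(3)))
    return {"failed_by_ip": dict(failed), "accepted": accepted, "sudo": sudo}

def brute_force_sources(summary, threshold=3):
    """Source IPs with at least `threshold` failed attempts (threshold is an assumption)."""
    return sorted(ip for ip, n in summary["failed_by_ip"].items() if n >= threshold)

if __name__ == "__main__":
    # Use summarize(auth_log_lines()) against a real collection; samples here.
    report = summarize(SAMPLE_LINES)
    print(brute_force_sources(report))  # ['203.0.113.5']
```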