SSH Server Logs
Overview
Evidence: SSH Server Logs
Description: Collect SSH Server Logs
Category: Applications
Platform: linux
Short Name: sshl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
SSH server logs on Linux record connection attempts, successful logins, authentication failures, and session open and close events for the SSH daemon (sshd); they do not record the commands run inside a session. On Debian-based systems these events are written to /var/log/auth.log and on Red Hat-based systems to /var/log/secure. They are a primary source for investigating remote access.
Data Collected
This collector copies the raw SSH server log files from the host. It does not parse them into structured records (see Is Parsed above); parsing is left to the analyst or to downstream tooling.
Collection Method
This collector gathers files matching /var/log/auth* (for example /var/log/auth.log and its rotated copies such as auth.log.1 and auth.log.*.gz), which contain sshd authentication events and session open and close messages. Note that this glob does not match /var/log/secure on Red Hat-based systems, and hosts that log only to the systemd journal (no rsyslog or syslog-ng) may have no auth.log at all; in those cases the journal should be collected separately.
Forensic Value
SSH logs are critical for investigating unauthorized remote access, brute force attacks, SSH key compromises, lateral movement, and attacker activity on the host. They provide source IP addresses and ports, usernames (including attempts against non-existent accounts, logged as "Invalid user"), authentication methods (password or public key, with the key fingerprint on successful key-based logins), and session timing.
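Because this collector does not parse what it gathers, an analyst typically runs a small script over the collected auth.log copy. The following is an added example (not part of this page or the collector) that parses the sshd "Accepted" and "Failed" lines, counts failures per source address, flags a successful login that follows failures from the same source (the classic brute force outcome), and lists every key-based login with its fingerprint. The log lines are constructed for the example and use documentation address ranges; the threshold of three failures is an assumption to tune per environment.

```python
"""Parse sshd authentication lines from a collected auth.log copy and flag
brute-force patterns. Added example; the sample lines below are constructed."""
import re
from collections import Counter

# Classic syslog prefix: "Mar  3 10:14:01 web01 sshd[2211]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Matches both "Accepted publickey for deploy from ... ssh2: ED25519 SHA256:..."
# and "Failed password for invalid user admin from ... ssh2".
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)

# Constructed sample: a password brute force that succeeds, then a legitimate key login.
SAMPLE_LOG = """\
Mar  3 10:14:01 web01 sshd[2211]: Invalid user admin from 203.0.113.7 port 51022
Mar  3 10:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:14:03 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:14:05 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51038 ssh2
Mar  3 10:14:09 web01 sshd[2217]: Accepted password for root from 203.0.113.7 port 51044 ssh2
Mar  3 10:14:09 web01 sshd[2217]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 11:02:44 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.20 port 40122 ssh2: ED25519 SHA256:R7pVq3K1x0eEz2lYwM9Qd8HsT4bJaXc6WnFu5GvBi0o
Mar  3 11:30:01 web01 sshd[2301]: Disconnected from user deploy 198.51.100.20 port 40122
"""


def parse_auth_events(text):
    """Return one dict per Accepted/Failed sshd line, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = AUTH_RE.match(m.group("msg"))
        if not a:
            continue  # "Invalid user", pam session and disconnect lines are not auth outcomes
        events.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "result": a.group("result"),
            "method": a.group("method"),
            "user": a.group("user"),
            "invalid_user": a.group("invalid") is not None,
            "ip": a.group("ip"),
            "port": int(a.group("port")),
            "fingerprint": a.group("fp"),  # None for password logins and failures
        })
    return events


def analyze(events, threshold=3):
    """Flag sources with at least `threshold` failures, successes that follow
    failures from the same source, and every key-based login."""
    failures = Counter()
    success_after_failures = []
    key_logins = []
    for ev in events:  # file order == time order within one log file
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            continue
        if failures[ev["ip"]]:
            success_after_failures.append(
                (ev["ts"], ev["ip"], ev["user"], ev["method"], failures[ev["ip"]])
            )
        if ev["fingerprint"]:
            key_logins.append((ev["ts"], ev["user"], ev["ip"], ev["fingerprint"]))
    return {
        "brute_force_sources": {ip: n for ip, n in failures.items() if n >= threshold},
        "success_after_failures": success_after_failures,
        "key_logins": key_logins,
    }


if __name__ == "__main__":
    report = analyze(parse_auth_events(SAMPLE_LOG))
    for key, value in report.items():
        print(key, value)
```

On the sample, the script flags 203.0.113.7 as a brute force source (three failures) and reports the root password login at 10:14:09 as a success following those failures; the deploy login is listed with its ED25519 fingerprint, which is the value to compare against the authorized_keys entries you expect on the host. Rotated and gzip-compressed copies (auth.log.1, auth.log.*.gz) need to be concatenated oldest-first before feeding them in, since the failure counts depend on line order.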