- /var/log/secure
- ===============
- # Accepted SSH logins
- cat /var/log/secure* | grep 'Accepted' | awk '{print $1 " " $2 " " $3 " User: " $9 " " }'
- cat /var/log/secure* | sort | grep 'Accepted' | awk '{print $1 " " $2 " " $3 " User: " $9 " IP:" $11 }'
- # sudo
- cat /var/log/secure* | grep 'session opened for user root' | awk '{print $1 " " $2 " " $3 " Sudo User: " $13 " " }'
- # SSH login attempts from non-existing and unauthorized user accounts
- cat /var/log/secure* | grep 'Invalid user'
- # unauthorized ssh accounts
- cat /var/log/secure* | grep 'invalid user'
- # authorized SSH accounts with failed password
- cat /var/log/secure* | grep -v invalid | grep 'Failed password'
- # successful SSH logins by root
- cat /var/log/secure* | grep 'Accepted password for root'
- # unauthorized ssh accounts with failed password
- cat /var/log/secure* | grep 'Failed password for invalid user'
- # refused ssh login attempts
- cat /var/log/secure* | grep 'refused'
- # Password changes
- cat /var/log/secure* | grep 'password changed'
- # New users/groups created
- cat /var/log/secure* | grep 'new group\|new user'
- # Deleted users/groups
- cat /var/log/secure* | grep ssh | grep 'deleted user\|removed group'
- # Has the home folder changed for any user?
- cat /var/log/secure | grep change | grep 'home from'
- # all authentication failures
- cat /var/log/secure | grep 'authentication failure'
- References
- ==========
- * http://vertito.blogspot.com/2007/08/ssh-log-parsing-and-monitoring.html
Don't like ads? PRO users don't see any ads ;-)
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
create a new version of this paste
RAW Paste Data