AuthLogParser: analyzing Linux authentication logs

analyzing Linux authentication logs

AuthLogParser

AuthLogParser is a powerful Digital Forensics and Incident Response tool designed specifically for analyzing Linux authentication logs, commonly known as auth.log. This tool serves as an invaluable asset for Incident Responders, streamlining the process of investigating security incidents on Linux systems. AuthLogParser meticulously scans the auth.log log file, extracting key information such as SSH logins, user creations, event names, IP addresses, and more. The generated summary provides a clear and concise overview of the activities recorded in the authentication logs, presenting the data in an easily readable format. By enhancing efficiency and accessibility, AuthLogParser significantly contributes to the effectiveness of incident response efforts, enabling practitioners to quickly and comprehensively assess security events on Linux platforms. While it proves indispensable for Incident Responders, its utility extends beyond DFIR teams, making it a valuable asset for the entire InfoSec and IT community.

What The Tool Can Do?

Below is a comprehensive list of features that AuthLogParser can analyze:

Summary Report features

  • Hostname
  • Line Count
  • Log Size
  • Start Time
  • End Time
  • Duration

Statistics Table

  • Event Names Table
  • IP Addresses Table
  • Failed SSH Table
  • Not Found Elements Table

Users Groups Activity Events

  • Successful SSH Password Authentication
  • Successful SSH Public key Authentication
  • New User Creation Activity
  • User Deletion Activity
  • User Password Change Activity
  • New Group Creation Activity
  • Group Deletion Activity
  • User Added To A Group Activity
  • User Removed From A Group Activity
  • Session Opened For User root

General Activity Events

  • Machine Shutdown By Power Button

Install & Use

Copyright (c) 2023 Eilay Yosfan (DFIR)