Auth.log
Auth.log is mostly used for brute-force analysis, but it can also be used to analyse privilege escalation, persistence, and similar activity.
Whenever a user attempts to log in, switch users, or perform any task that requires authentication, an entry is made in this log file. This includes activities involving sshd (SSH daemon), sudo actions, and cron jobs requiring authentication.
The auth.log file is located under the /var directory and keeps a record of SSH login attempts.
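As an added example (not part of the original page), the following sketch shows the kind of analysis described above: it counts failed SSH logins per source address, flags a successful login that follows a burst of failures, and lists sudo commands. The sample log lines are constructed in the common OpenSSH/sudo syslog layout, and the `analyse` function and its `threshold` parameter are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the common OpenSSH/sudo syslog layout (not from the page).
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar 10 02:14:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40031 ssh2
Mar 10 02:14:06 web01 sshd[2213]: Failed password for deploy from 203.0.113.7 port 40044 ssh2
Mar 10 02:14:09 web01 sshd[2215]: Accepted password for deploy from 203.0.113.7 port 40051 ssh2
Mar 10 02:15:30 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/crontab -e
Mar 10 03:00:12 web01 sshd[2301]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Mar 10 03:00:20 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.20 port 51002 ssh2
Mar 10 03:17:01 web01 CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

SSH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) (\S+) for (?:invalid user )?(\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.+)$")

def analyse(log_text, threshold=3):
    """Return brute-force sources, logins that followed a failure burst, and sudo commands."""
    failures = Counter()          # failed SSH attempts per source IP
    compromised, sudo_cmds = [], []
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            outcome, _method, user, ip = m.groups()
            if outcome == "Failed":
                failures[ip] += 1
            elif failures[ip] >= threshold:
                # Accepted login from an address that already hit the failure threshold.
                compromised.append((user, ip))
            continue
        m = SUDO_RE.search(line)
        if m:
            # (invoking user, target user, command) for privilege-escalation review.
            sudo_cmds.append(m.groups())
    noisy = sorted(ip for ip, n in failures.items() if n >= threshold)
    return noisy, compromised, sudo_cmds

if __name__ == "__main__":
    noisy, compromised, sudo_cmds = analyse(SAMPLE_LOG)
    print("brute-force sources:", noisy)
    print("success after failures:", compromised)
    print("sudo activity:", sudo_cmds)
```

A single failure followed by a successful login (the `alice` lines) stays below the default threshold and is not flagged, while the sudo entry that follows the flagged login is the kind of event to review for privilege escalation or persistence.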
The wtmp file tracks sessions in Linux. The file is available in /var/log. You can view the contents with this command.

