portfolio/infra-run/scripts/python/auth-log-audit/examples/sample-auth-report.md
2026-05-11 17:04:48 +00:00
# Auth Log Audit
- Overall status: WARNING
- First seen: May 11 09:58:12
- Last seen: May 11 10:07:48
## Top Source IPs by Failed Attempts
| Value | Count |
| --- | ---: |
| 203.0.113.50 | 7 |
| 198.51.100.23 | 1 |
## Top Usernames by Failed Attempts
| Value | Count |
| --- | ---: |
| appuser | 3 |
| root | 2 |
| admin | 1 |
| backup | 1 |
## Top Source IPs by Successful Logins
| Value | Count |
| --- | ---: |
| 10.20.30.15 | 1 |
## Top Usernames by Successful Logins
| Value | Count |
| --- | ---: |
| deploy | 1 |
## Suspicious Source IPs
| Value | Count |
| --- | ---: |
| 203.0.113.50 | 7 |
## Suspicious Usernames
No entries detected.
## Top Event Types
| Value | Count |
| --- | ---: |
| failed_ssh_password | 4 |
| root_login_attempt | 2 |
| successful_ssh_login | 1 |
| sudo_command | 1 |
| invalid_user_attempt | 1 |
| disconnect_after_failed_auth | 1 |
| failed_ssh_publickey | 1 |
| sudo_auth_failure | 1 |
| su_session_opened | 1 |
| refused_user_attempt | 1 |
## Sample Log Lines
### failed_login
```text
May 11 10:01:44 web01 sshd[1220]: Failed password for invalid user admin from 203.0.113.50 port 45001 ssh2
May 11 10:02:03 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
May 11 10:02:06 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
```
### invalid_user
```text
May 11 10:01:46 web01 sshd[1220]: Invalid user admin from 203.0.113.50 port 45001
```
### root_login_attempt
```text
May 11 10:02:03 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
May 11 10:02:06 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
```
### sudo_failure
```text
May 11 10:04:20 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=deploy uid=1001 euid=0 tty=/dev/pts/0 ruser=deploy rhost= user=deploy
```
### suspicious_source_ip
```text
May 11 10:01:44 web01 sshd[1220]: Failed password for invalid user admin from 203.0.113.50 port 45001 ssh2
May 11 10:01:46 web01 sshd[1220]: Invalid user admin from 203.0.113.50 port 45001
May 11 10:02:03 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
```
## Operational Summary
- Overall status: WARNING
- Total lines scanned: 15
- Authentication events detected: 15
- Failed logins: 8
- Successful logins: 1
- Invalid user attempts: 1
- Root login attempts: 2
- Sudo usage events: 1
- Sudo authentication failures: 1
- su events: 1
- Suspicious source IPs: 1
- Suspicious usernames: 0
- Threshold used: 5
- Ignored users: None