portfolio/infra-run/scripts/python/auth-log-audit/examples/sample-auth-report.md
2026-05-11 17:04:48 +00:00

2.5 KiB

Auth Log Audit

  • Overall status: WARNING
  • First seen: May 11 09:58:12
  • Last seen: May 11 10:07:48

Top Source IPs by Failed Attempts

| Value | Count |
|---|---|
| 203.0.113.50 | 7 |
| 198.51.100.23 | 1 |

Top Usernames by Failed Attempts

| Value | Count |
|---|---|
| appuser | 3 |
| root | 2 |
| admin | 1 |
| backup | 1 |

Top Source IPs by Successful Logins

| Value | Count |
|---|---|
| 10.20.30.15 | 1 |

Top Usernames by Successful Logins

| Value | Count |
|---|---|
| deploy | 1 |

Suspicious Source IPs

| Value | Count |
|---|---|
| 203.0.113.50 | 7 |

Suspicious Usernames

No entries detected.

Top Event Types

| Value | Count |
|---|---|
| failed_ssh_password | 4 |
| root_login_attempt | 2 |
| successful_ssh_login | 1 |
| sudo_command | 1 |
| invalid_user_attempt | 1 |
| disconnect_after_failed_auth | 1 |
| failed_ssh_publickey | 1 |
| sudo_auth_failure | 1 |
| su_session_opened | 1 |
| refused_user_attempt | 1 |

Sample Log Lines

failed_login

May 11 10:01:44 web01 sshd[1220]: Failed password for invalid user admin from 203.0.113.50 port 45001 ssh2
May 11 10:02:03 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
May 11 10:02:06 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2

invalid_user

May 11 10:01:46 web01 sshd[1220]: Invalid user admin from 203.0.113.50 port 45001

root_login_attempt

May 11 10:02:03 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2
May 11 10:02:06 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2

sudo_failure

May 11 10:04:20 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=deploy uid=1001 euid=0 tty=/dev/pts/0 ruser=deploy rhost= user=deploy

suspicious_source_ip

May 11 10:01:44 web01 sshd[1220]: Failed password for invalid user admin from 203.0.113.50 port 45001 ssh2
May 11 10:01:46 web01 sshd[1220]: Invalid user admin from 203.0.113.50 port 45001
May 11 10:02:03 web01 sshd[1224]: Failed password for root from 203.0.113.50 port 45012 ssh2

Operational Summary

  • Overall status: WARNING
  • Total lines scanned: 15
  • Authentication events detected: 15
  • Failed logins: 8
  • Successful logins: 1
  • Invalid user attempts: 1
  • Root login attempts: 2
  • Sudo usage events: 1
  • Sudo authentication failures: 1
  • su events: 1
  • Suspicious source IPs: 1
  • Suspicious usernames: 0
  • Threshold used: 5
  • Ignored users: None