Cybersecurity

AuthLogParser: Open-source tool for analyzing Linux authentication logs – Help Net Security

AuthLogParser is an open-source tool tailored for digital forensics and incident response, specifically crafted to analyze Linux authentication logs (auth.log).

The tool examines the auth.log file, extracting crucial details like SSH logins, user creations, event names, IP addresses, among others. It produces a concise summary that offers a clear overview of the activities documented in the authentication logs, presenting the information in a format that is easy to read.

AuthLogParser

AuthLogParser features

“AuthLogParser’s distinctiveness lies in its ability to transform the intricate landscape of Linux authentication logs into a streamlined investigative powerhouse. It distills the complexity of security incidents recorded in the auth.log into a finely crafted summary report, offering an overview,” Eilay Yosfan, the creator of the tool and Threat Researcher at Security Joes, told Help Net Security.

“The tool’s knack for granular event analysis, ranging from SSH logins to user activities, elevates it beyond generic log analyzers. Its customizable tables and adaptive design make deciphering security events on Linux platforms a seamless experience.”

Here’s a list of features that AuthLogParser can analyze:

Summary report features

  • Hostname
  • Line Count
  • Log Size
  • Start Time
  • End Time
  • Duration

Statistics table

  • Event Names Table
  • IP Addresses Table
  • Failed SSH Table
  • Not Found Elements Table

Users groups activity events

  • Successful SSH Password Authentication
  • Successful SSH Public key Authentication
  • New User Creation Activity
  • User Deletion Activity
  • User Password Change Activity
  • New Group Creation Activity
  • Group Deletion Activity
  • User Added To A Group Activity
  • User Removed From A Group Activity
  • Session Opened For User root

General activity events

  • Machine Shutdown By Power Button

Future plans

In forthcoming iterations, the creator wants to elevate AuthLogParser beyond its initial success as a proof of concept.

“Through the tool’s positive reception, the focus has shifted towards creating a more comprehensive solution. Future versions will focus on auth.log log files and extend compatibility to encompass various log formats encountered in digital forensics. Valuable user feedback will guide this process, driving the refinement of existing features and the incorporation of new ones. Regular updates are on the horizon to stay proactive in addressing emerging cybersecurity challenges. And who knows, with its expanding capabilities, a new name might be in the cards – after all, the tool is no longer confined to analyzing just auth.log files,” concludes Yosfan.

AuthLogParser is available for free on GitHub.

More open-source tools to consider: