authlog
$ target-query <path/to/target> -f authlog
Module |
|
Output |
|
Module documentation
Unix authentication log plugin.
Function documentation
Yield contents of /var/log/auth.log* and /var/log/secure* files.
Order of returned events is not guaranteed to be chronological because of year rollover detection efforts for log files without a year in the timestamp.
The following timestamp formats are recognised automatically. This plugin assumes that no custom date_format template is set in syslog-ng or systemd configuration (defaults to M d H:M:S).
ISO formatted authlog entries, as found in Ubuntu 24.04 and later, are also parsed.
CentOS format: Jan 12 13:37:00 hostname daemon: message
Debian format: Jan 12 13:37:00 hostname daemon[pid]: pam_unix(daemon:session): message
Ubuntu 24.04: 2024-01-12T13:37:00.000000+02:00 hostname daemon[pid]: pam_unix(daemon:session): message
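The three formats above and the year rollover problem can be illustrated with a small stand-alone parser. This is an added example, not the plugin's own code: the function name `parse_authlog`, the `last_year` parameter (assumed to come from something like the file's modification time) and the sample lines are all constructed for illustration.

```python
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
TAIL = r" (?P<host>\S+) (?P<service>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
RE_BSD = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)" + TAIL)
RE_ISO = re.compile(r"^(?P<iso>\d{4}-\d\d-\d\dT\S+)" + TAIL)

# Constructed sample lines (not from a real system), oldest first as in a log file.
SAMPLE = [
    "Dec 31 23:59:58 web01 sshd[811]: pam_unix(sshd:session): session opened for user alice",
    "Jan  1 00:00:03 web01 sshd[811]: pam_unix(sshd:session): session closed for user alice",
    "Jan 12 13:37:00 web01 sudo: pam_unix(sudo:session): session opened for user root",
    "2024-01-12T13:37:00.000000+02:00 web01 sshd[902]: pam_unix(sshd:session): session opened for user bob",
]

def parse_authlog(lines, last_year):
    """Parse auth log lines, newest first. `last_year` is the assumed year of
    the final year-less entry (hypothetical input, e.g. from the file mtime)."""
    events, year, prev_month = [], last_year, None
    for line in reversed(lines):
        m = RE_ISO.match(line)
        if m:
            ts = datetime.fromisoformat(m["iso"])  # year and UTC offset are explicit
        else:
            m = RE_BSD.match(line)
            if not m or m["mon"] not in MONTHS:
                continue  # not one of the recognised formats
            month = MONTHS[m["mon"]]
            # Walking backwards, a jump to a later month (Jan -> Dec) means a
            # New Year boundary was crossed: older lines belong to the prior year.
            if prev_month is not None and month > prev_month:
                year -= 1
            prev_month = month
            try:  # naive timestamp: these lines carry no time zone
                ts = datetime.strptime(f"{year} {month} {m['day']} {m['time']}",
                                       "%Y %m %d %H:%M:%S")
            except ValueError:
                continue  # impossible date for the inferred year (e.g. Feb 29)
        events.append({"ts": ts, "host": m["host"], "service": m["service"],
                       "pid": int(m["pid"]) if m["pid"] else None, "message": m["msg"]})
    return events

if __name__ == "__main__":
    for e in parse_authlog(SAMPLE, last_year=2024):
        print(e["ts"].isoformat(), e["service"], e["pid"], e["message"])
```

Events come back newest first, which is one reason a consumer of year-inferred records should sort on the timestamp before building a timeline. A gap of more than a year between two year-less lines cannot be detected this way.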