On opening the auth.log file with Highlighter we see it contains 102165 lines. Reading the whole thing is
not realistic, so let’s get rid of the lines we don’t want to see.
We accomplish this by glancing over the file, scrolling from top to bottom and noting any lines that
are both frequent and useless. For example, the usernames that were tried against ssh might be of
statistical interest, but if they were invalid users they are of no interest to us here. So we can
search for “Invalid user“, select the two words, right-click and select “Remove”, which removes every
line containing them. This alone drops roughly 13 000 lines, or more than 10% of the file. We do the
same for “Failed password for invalid user“, ” authentication failure” (at this point 50% of the log file
has been filtered out), “user unknown”, “check pass; user unknown”, “Failed password for root from“,
” Failed password for” and ” session closed for user” (we are less interested in logouts than in
logins, right?). Even so, we still see lines containing “session opened for user root”; since the
“Accepted password” lines tell us the same thing and more, we remove the session opened lines as well.
One more string to remove is “POSSIBLE BREAK-IN ATTEMPT!”. The alert sounds scary, but it is only a
failed reverse DNS check and is not very helpful in identifying an actual breach, unless we later see a
successful login from the same IP (which is part of a deeper statistical analysis).
2. We are left with a whopping 1747 lines!
All that in just a few seconds of filtering. Neat, especially knowing that we can reclaim any lines
removed from the GUI (right click, Line operations – reclaim lines previously removed).
The remaining lines allow us to build a timeline of events and of the commands used to compromise the
server, and to answer all the questions in the challenge above.
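The same “Remove” walk-through, and the follow-up correlation of “POSSIBLE BREAK-IN ATTEMPT!” IPs with later successful logins, can be scripted so the filter list is repeatable across hosts. The following is an added example written for this article, not part of Highlighter or of the original challenge; the auth.log lines in SAMPLE_LOG are constructed for illustration (RFC 5737 documentation addresses), and the function names are the author's own choices.

```python
import re
from collections import Counter, defaultdict

# Noise substrings, in the order the walk-through removes them in Highlighter.
# Matching is plain case-sensitive substring search, like the GUI's "Remove".
NOISE = [
    "Invalid user",
    "Failed password for invalid user",
    " authentication failure",
    "user unknown",
    "check pass; user unknown",
    "Failed password for root from",
    " Failed password for",
    " session closed for user",
    "session opened for user",
    "POSSIBLE BREAK-IN ATTEMPT!",
]

# Constructed sample auth.log excerpt (chronological, like the real file).
SAMPLE_LOG = [
    "Jan 14 03:12:01 web01 sshd[4012]: Invalid user admin from 203.0.113.5",
    "Jan 14 03:12:03 web01 sshd[4012]: pam_unix(sshd:auth): check pass; user unknown",
    "Jan 14 03:12:03 web01 sshd[4012]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5",
    "Jan 14 03:12:05 web01 sshd[4012]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 14 03:13:10 web01 sshd[4020]: reverse mapping checking getaddrinfo for host.example [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jan 14 03:13:12 web01 sshd[4020]: Failed password for root from 198.51.100.7 port 40022 ssh2",
    "Jan 14 03:20:44 web01 sshd[4031]: reverse mapping checking getaddrinfo for host.example [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jan 14 03:20:46 web01 sshd[4031]: Accepted password for root from 198.51.100.7 port 40100 ssh2",
    "Jan 14 03:20:46 web01 sshd[4031]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Jan 14 03:25:02 web01 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash",
    "Jan 14 03:30:00 web01 sshd[4031]: pam_unix(sshd:session): session closed for user root",
    "Jan 14 04:00:00 web01 sshd[4050]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2",
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")
INVALID_USER_RE = re.compile(r"Invalid user (\S+) from ")


def filter_noise(lines, noise=NOISE):
    """Drop lines containing any noise substring; keep the removed ones per pattern
    so they can be 'reclaimed' later, like Highlighter's line operations."""
    kept, removed = [], defaultdict(list)
    for line in lines:
        for pattern in noise:
            if pattern in line:
                removed[pattern].append(line)
                break
        else:
            kept.append(line)
    return kept, removed


def invalid_users(lines):
    """The statistic the text mentions: which usernames were tried and how often."""
    return Counter(m.group(1) for line in lines for m in [INVALID_USER_RE.search(line)] if m)


def correlate_break_in_attempts(lines):
    """Return (ip, user, line) for every Accepted login whose source IP was earlier
    flagged with POSSIBLE BREAK-IN ATTEMPT!  Runs over the unfiltered log, because
    the flagged lines themselves were removed from the view."""
    flagged, hits = set(), []
    for line in lines:
        if "POSSIBLE BREAK-IN ATTEMPT!" in line:
            m = IP_RE.search(line)
            if m:
                flagged.add(m.group(1))
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) in flagged:
            hits.append((m.group(2), m.group(1), line))
    return hits


if __name__ == "__main__":
    kept, removed = filter_noise(SAMPLE_LOG)
    print(f"{len(SAMPLE_LOG)} lines in, {len(kept)} kept")
    for pattern, lines in removed.items():
        print(f"  removed {len(lines):3d}  {pattern!r}")
    print("invalid usernames tried:", dict(invalid_users(SAMPLE_LOG)))
    for ip, user, line in correlate_break_in_attempts(SAMPLE_LOG):
        print(f"flagged IP {ip} later logged in as {user}: {line}")
    print("remaining timeline:")
    for line in kept:
        print("  " + line)
```

Run it against a real auth.log by replacing SAMPLE_LOG with the file's lines; the order of NOISE matters only for which pattern a line is credited to in the removed counts, not for what survives. The correlation function deliberately reads the unfiltered log, since the break-in lines it keys on are exactly the ones the view no longer shows.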
And that is with just one Highlighter function, “Remove”! Let’s not forget we can also highlight different
strings in different colors to make the analysis easier: