drop auth.log or secure · ssh logins · sudo usage · brute force detection · privilege escalation · timeline · runs locally
settings
Timestamps lack years — rollover heuristic stitches December → January. SSH → sudo/su chains within five minutes of the same operator account surface here. Brute-force clusters need ten failures from one IP inside five minutes.
load logs
Drop auth.log / secure
folder supported
drop auth.log, secure, or folder