Viewing log details

When you click on any log entry in your SSHwatch dashboard, you'll see detailed information about that specific SSH event. This guide explains how to interpret these details and use them to maintain your server's security.

Basic Information Section

Timestamp

  • Shows exactly when the login attempt occurred
  • Displayed in your local timezone
  • Helps track patterns of activity

Server Hostname

  • Identifies which of your servers was accessed
  • Shows the full server hostname
  • Useful when you monitor multiple servers

Username

  • Shows which account was targeted
  • Important for tracking unauthorized access attempts
  • Helps identify compromised accounts

Connection Details

IP Address Information

  • Shows the source IP of the connection attempt
  • Includes geographic location on an interactive map
  • Displays:
    • Country
    • City (when available)
    • ISP information
    • Connection type

Port Information

  • Shows which port was used for the attempt
  • Standard SSH port is 22
  • Non-standard ports may indicate configuration changes or scanning attempts

Success Status

  • Indicates whether the login attempt succeeded
  • Provides context for security assessment
  • Helps identify brute force attacks
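
The fields above map directly onto what sshd writes to the system auth log. The following added example (not SSHwatch code, and not its scoring logic) parses standard OpenSSH log lines into those fields and flags source IPs with repeated failures, including the case where a success follows them. The sample lines are constructed, and the threshold of 3 failures is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample lines in the standard OpenSSH syslog format (not real data).
SAMPLE_LOG = """\
Mar  3 02:14:07 web01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 02:14:09 web01 sshd[811]: Failed password for root from 203.0.113.7 port 40118 ssh2
Mar  3 02:14:12 web01 sshd[811]: Failed password for root from 203.0.113.7 port 40121 ssh2
Mar  3 02:14:15 web01 sshd[811]: Accepted password for root from 203.0.113.7 port 40130 ssh2
Mar  3 09:01:44 web01 sshd[902]: Accepted publickey for deploy from 198.51.100.20 port 51514 ssh2
Mar  3 09:30:02 db01 sshd[417]: Failed password for deploy from 198.51.100.20 port 51790 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d+ [\d:]{8}) (?P<hostname>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<username>\S+) "
    r"from (?P<ip>\S+) port (?P<src_port>\d+)"
)

def parse_events(text):
    """Return one dict per login attempt: timestamp, hostname, username, ip, success."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["success"] = e.pop("result") == "Accepted"
            e["src_port"] = int(e["src_port"])  # client source port, not the listening port
            events.append(e)
    return events

def review(events, fail_threshold=3):
    """Map source IP -> reason. fail_threshold is an assumed value, not SSHwatch's."""
    fails = defaultdict(int)
    findings = {}
    for e in events:  # events are processed in log order
        ip = e["ip"]
        if not e["success"]:
            fails[ip] += 1
            if fails[ip] >= fail_threshold:
                findings[ip] = "multiple failed attempts"
        elif fails[ip] >= fail_threshold:
            # A success after repeated failures deserves the closest look.
            findings[ip] = "success after multiple failed attempts"
    return findings

if __name__ == "__main__":
    for ip, reason in review(parse_events(SAMPLE_LOG)).items():
        print(ip, "->", reason)
```
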

Security Assessment

Threat Rating

  • HIGH_RISK: Immediate attention required
  • MEDIUM_RISK: Should be investigated
  • LOW_RISK: Normal activity

Risk Score

  • Numerical value from 0-100
  • Higher scores indicate greater risk
  • Based on multiple factors:
    • IP reputation
    • Login success/failure
    • Username targeted
    • Geographic location
    • Historical activity

Risk Reasons

  • Lists specific factors contributing to risk score
  • May include:
    • Known malicious IP
    • Multiple failed attempts
    • Unusual login times
    • Geographic anomalies
    • Suspicious usernames
