TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
RHEL Secure Logs | ✅ | ✅ | ✅ | rhel_secure_logs | Nested-Json-Text | S3 |
Overview
Red Hat Enterprise Linux (RHEL) is a premier commercial Linux distribution developed by Red Hat for IT organizations and enterprises.
It provides a highly stable, secure, and production-ready operating system foundation optimized for hybrid cloud, edge environments, and modern container-native deployments.
RHEL powers modern IT infrastructures by streamlining operations and eliminating the friction between development and deployment. It is widely chosen for several core capabilities:
Predictable Lifecycle: Each major release offers up to 10 years of reliable long-term support
AI-Assisted Operations: Integrates native generative AI tools like Red Hat Lightspeed to lower the technical barrier for troubleshooting and system configuration.
Enterprise Security: Provides rigorous regulatory compliance and state-of-the-art protections against emerging threats, including built-in support for post-quantum cryptography.
Consistent Ecosystem: Upstream sources like Fedora Linux ensure constant innovation, while CentOS Stream acts as the reliable, rolling development branch.
Commercial Support: Businesses receive enterprise-grade patch management, access to a vast Red Hat Certification Program network, and 24/7 technical support.
Supported data types
RHEL Secure Logs
Overview:
RHEL Secure Logs (/var/log/secure) are security and authentication logs that record system access and administrative activities in Red Hat Enterprise Linux (RHEL). The file captures events such as successful and failed login attempts, SSH connections, sudo usage, PAM authentication messages, and other security-related system events. It serves as a primary audit source for monitoring user activity, detecting unauthorized access attempts, investigating security incidents, and troubleshooting authentication issues. In RHEL 7, 8, and 9, these events are also available through systemd-journald and can be queried using the journalctl command. Due to the sensitive nature of the information it contains, the /var/log/secure file should be protected with appropriate file permissions, regularly rotated using logrotate, and forwarded to a centralized logging or SIEM platform for security monitoring and compliance.
Table name: rhel_secure_logs
Send data to Hunters
Hunters supports the ingestion of RHEL Secure Logs via an intermediary AWS S3 bucket.
To connect RHEL Secure Logs:
Export your logs from RHEL Secure Logs to an AWS S3 bucket.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in Key Value format:
{"version":"1.1","host":"host-01","short_message":"Jan 01 12:00:00 host-01 sshd-session[10001]: Accepted publickey for user_a from 10.0.0.1 port 52112 ssh2: ED25519 SHA256:PLACEHOLDER_FINGERPRINT","timestamp":1577836800,"level":5,"_tag":"secure:","_source":"secure:"}
{"version":"1.1","host":"host-01","short_message":"Jan 01 12:01:00 host-01 sudo[10002]: user_a : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/bash","timestamp":1577836860,"level":5,"_tag":"secure:","_source":"secure:"}