Documentation Index

Fetch the complete documentation index at: https://docs.hunters.ai/llms.txt

Use this file to discover all available pages before exploring further.

📢 Read the latest Release Notes to learn what's new on Hunters! 💡

RHEL

Prev Next

TL;DR

Supported data types

3rd party

detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

RHEL Secure Logs

rhel_secure_logs

Nested-Json-Text

S3


Overview

Red Hat Enterprise Linux (RHEL) is a premier commercial Linux distribution developed by Red Hat for IT organizations and enterprises. It provides a highly stable, secure, and production-ready operating system foundation optimized for hybrid cloud, edge environments, and modern container-native deployments.

RHEL powers modern IT infrastructures by streamlining operations and eliminating the friction between development and deployment. It is widely chosen for several core capabilities:

  • Predictable Lifecycle: Each major release offers up to 10 years of reliable long-term support

  • AI-Assisted Operations: Integrates native generative AI tools like Red Hat Lightspeed to lower the technical barrier for troubleshooting and system configuration.

  • Enterprise Security: Provides rigorous regulatory compliance and state-of-the-art protections against emerging threats, including built-in support for post-quantum cryptography.

  • Consistent Ecosystem: Upstream sources like Fedora Linux ensure constant innovation, while CentOS Stream acts as the reliable, rolling development branch.

  • Commercial Support: Businesses receive enterprise-grade patch management, access to a vast Red Hat Certification Program network, and 24/7 technical support.

Supported data types

RHEL Secure Logs

Overview:

RHEL Secure Logs (/var/log/secure) are security and authentication logs that record system access and administrative activities in Red Hat Enterprise Linux (RHEL). The file captures events such as successful and failed login attempts, SSH connections, sudo usage, PAM authentication messages, and other security-related system events. It serves as a primary audit source for monitoring user activity, detecting unauthorized access attempts, investigating security incidents, and troubleshooting authentication issues. In RHEL 7, 8, and 9, these events are also available through systemd-journald and can be queried using the journalctl command. Due to the sensitive nature of the information it contains, the /var/log/secure file should be protected with appropriate file permissions, regularly rotated using logrotate, and forwarded to a centralized logging or SIEM platform for security monitoring and compliance.


Table name: rhel_secure_logs


Send data to Hunters

Hunters supports the ingestion of RHEL Secure Logs via an intermediary AWS S3 bucket.

To connect RHEL Secure Logs:

  1. Export your logs from RHEL Secure Logs to an AWS S3 bucket.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in Key Value format:

{"version":"1.1","host":"host-01","short_message":"Jan 01 12:00:00 host-01 sshd-session[10001]: Accepted publickey for user_a from 10.0.0.1 port 52112 ssh2: ED25519 SHA256:PLACEHOLDER_FINGERPRINT","timestamp":1577836800,"level":5,"_tag":"secure:","_source":"secure:"}
{"version":"1.1","host":"host-01","short_message":"Jan 01 12:01:00 host-01 sudo[10002]:   user_a : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/bash","timestamp":1577836860,"level":5,"_tag":"secure:","_source":"secure:"}