How to audit logins to SSH on Cygwin on Windows?

Document ID : KB000013357
Last Modified Date : 14/02/2018
Question:

Running sshd on Cygwin installed on Windows.

How is it possible to audit the logins in seaudit?

Answer:

There is no LOGINAPPL class on Windows, and the TERMINAL class on Windows only applies to RDP sessions, so SSH logins cannot be audited directly.

The TCP class can be used to determine the IP address or host name of the client the user logged in from.

The user can be determined from a LOGIN event created via lsass.exe, e.g. (where <server> is the endpoint and <user> is the user):

30 Jan 2017 08:48:04 P LOGIN <user> 59 2 <server> C:\Windows\System32\lsass.exe
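As an added illustration (not part of the KB article or the product), the following Python script applies the approach above to seaudit output: it keeps LOGIN events raised by lsass.exe and attaches the client address from the nearest preceding TCP record. The LOGIN line layout is the one quoted above; the TCP line layout, the correlation window and the sample data are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample of seaudit output, not taken from a real system. The LOGIN
# lines follow the format quoted in the KB article; the TCP line layout
# (<client> <port> <server> <program>) is an assumption made for this example.
SAMPLE_AUDIT = """\
30 Jan 2017 08:48:01 P TCP 10.0.0.25 22 srv01 C:\\cygwin64\\usr\\sbin\\sshd.exe
30 Jan 2017 08:48:04 P LOGIN alice 59 2 srv01 C:\\Windows\\System32\\lsass.exe
30 Jan 2017 09:15:10 P LOGIN bob 59 2 srv01 C:\\Windows\\System32\\lsass.exe
30 Jan 2017 09:20:00 P LOGIN carol 59 2 srv01 C:\\Windows\\System32\\winlogon.exe
"""

LSASS = "lsass.exe"


def parse_record(line):
    """Split one seaudit line into timestamp, status, class, fields and program."""
    parts = line.split()
    if len(parts) < 7:
        return None
    ts = datetime.strptime(" ".join(parts[:4]), "%d %b %Y %H:%M:%S")
    return {"ts": ts, "status": parts[4], "class": parts[5],
            "fields": parts[6:-1], "program": parts[-1]}


def ssh_logins(audit_text, window_seconds=10):
    """Return LOGIN events raised by lsass.exe, each paired with the client
    address from the nearest preceding TCP record inside the time window
    (None when no TCP record is close enough to attribute)."""
    last_tcp = None
    logins = []
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["class"] == "TCP":
            last_tcp = rec
        elif rec["class"] == "LOGIN" and rec["program"].lower().endswith(LSASS):
            client = None
            if last_tcp and rec["ts"] - last_tcp["ts"] <= timedelta(seconds=window_seconds):
                client = last_tcp["fields"][0]
            logins.append({"ts": rec["ts"], "user": rec["fields"][0],
                           "server": rec["fields"][-1], "client": client})
    return logins


if __name__ == "__main__":
    for ev in ssh_logins(SAMPLE_AUDIT):
        print(ev["ts"], ev["user"], ev["server"], ev["client"] or "unknown")
```

Logins that lsass.exe raised for other services (console, RDP) will also match, so the TCP correlation is what distinguishes an SSH session from the rest.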