Forensics for Blue team

SSH auth.log

Look at the auth logs with cat /var/log/auth.log, which shows the SSH logins to the server. If you use public/private keys, you can tell which key (and so who) logged into a "shared" account (like root).

[Screenshot: SSH info in auth.log. Using the public/private key from auth.log, you know who logged in.]
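The key-to-person mapping described above, as an added example (not code from the original page): it computes the SHA256 fingerprint of each authorized_keys entry and matches it against the "Accepted publickey" lines in auth.log. The key blobs, log lines, host names and IPs are constructed samples, and the authorized_keys parsing is simplified to the assumption that options contain no spaces.

```python
import base64, hashlib, re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
ACCEPTED = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<alg>\S+) (?P<fp>SHA256:\S+)")

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_authorized_keys(text):
    """Map fingerprint -> comment (owner label) for each authorized_keys entry."""
    owners = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Skip a leading options field, if any, by locating the key-type token.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        owners[fingerprint(fields[idx + 1])] = " ".join(fields[idx + 2:]) or "(no comment)"
    return owners

def attribute_logins(log_text, owners):
    """Return (user, source ip, key owner) for every accepted public-key login."""
    return [(m["user"], m["ip"], owners.get(m["fp"], "UNKNOWN KEY"))
            for m in ACCEPTED.finditer(log_text)]

# Constructed sample data: these are not real keys or real log lines.
ALICE = base64.b64encode(b"constructed-key-blob-alice").decode()
BOB = base64.b64encode(b"constructed-key-blob-bob").decode()
UNLISTED = base64.b64encode(b"constructed-key-blob-unlisted").decode()
SAMPLE_KEYS = f"# root's authorized_keys\nssh-ed25519 {ALICE} alice@laptop\nno-pty ssh-rsa {BOB} bob@desk\n"
SAMPLE_LOG = "\n".join([
    f"Mar  3 10:15:02 srv sshd[811]: Accepted publickey for root from 203.0.113.5 port 50022 ssh2: ED25519 {fingerprint(ALICE)}",
    "Mar  3 10:20:41 srv sshd[830]: Accepted password for root from 198.51.100.7 port 40100 ssh2",
    f"Mar  3 11:02:17 srv sshd[902]: Accepted publickey for root from 198.51.100.9 port 41877 ssh2: RSA {fingerprint(BOB)}",
    f"Mar  3 11:40:55 srv sshd[977]: Accepted publickey for root from 192.0.2.44 port 60311 ssh2: ED25519 {fingerprint(UNLISTED)}",
])

if __name__ == "__main__":
    for user, ip, owner in attribute_logins(SAMPLE_LOG, load_authorized_keys(SAMPLE_KEYS)):
        print(f"{user} from {ip}: key owner = {owner}")
```

A login attributed to UNKNOWN KEY means the key is no longer (or never was) in the authorized_keys file you compared against. The password login is skipped because it carries no key to attribute.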

Data sources