Using key usage data for analytics

You can determine how keys are being used by analyzing the data collected by syslog or other central logging systems running on other servers in your network.

SSH key usage logs are transmitted to Trust Protection Platform by the Agents installed on machines that contain SSH logs.

If the SSH server only stores its logs locally, the same Agent can be used to collect key data and key usage log data.

For SSH servers that send their logs to a central location, the Agent must be installed on the central logging server. Optionally, you can set up your system to scan the Agentless SSH servers for key data by using Agents on other SSH servers.

Once the SSH key logs are transmitted to Trust Protection Platform, they are correlated with the key inventory to provide visibility into key usage and can then be used to spot anomalies.

The SSH Key Usage Data report lists keys and provides the following information:

  • Stale SSH keys
  • Authorized keys that are accessed from unknown clients. Unknown clients are clients whose private keys are not tracked by Trust Protection Platform.
  • Keys that are not tracked by Trust Protection Platform
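
The correlation described above can be pictured with a short sketch. This is an added example, not Trust Protection Platform code. It assumes OpenSSH `Accepted publickey` log lines with ISO 8601 syslog timestamps, a hypothetical inventory that maps each key fingerprint to the client hosts holding its tracked private key, and a 90-day staleness threshold; all sample data is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in OpenSSH sshd format (ISO 8601 syslog timestamps assumed).
SAMPLE_LOG = """\
2024-05-01T08:00:00+00:00 web01 sshd[411]: Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2: ED25519 SHA256:AAAAtracked
2024-05-02T09:30:00+00:00 web01 sshd[512]: Accepted publickey for deploy from 192.0.2.77 port 40100 ssh2: ED25519 SHA256:AAAAtracked
2024-05-03T10:15:00+00:00 db01 sshd[733]: Accepted publickey for root from 10.0.0.9 port 41000 ssh2: RSA SHA256:CCCCuntracked
2024-05-03T11:00:00+00:00 db01 sshd[734]: Failed password for root from 10.0.0.9 port 41001 ssh2
"""

# Hypothetical inventory: fingerprint -> client hosts holding a tracked private key.
INVENTORY = {
    "SHA256:AAAAtracked": {"10.0.0.5"},
    "SHA256:BBBBstale": {"10.0.0.6"},
}
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # constructed "current" time

ACCEPT = re.compile(
    r"^(?P<ts>\S+) (?P<server>\S+) sshd\[\d+\]: Accepted publickey for "
    r"(?P<user>\S+) from (?P<client>\S+) port \d+ ssh2: \S+ (?P<fp>\S+)$"
)

def parse_usage(log_text):
    """Yield (timestamp, server, user, client, fingerprint) per key login."""
    for line in log_text.splitlines():
        m = ACCEPT.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["server"], m["user"],
                   m["client"], m["fp"])

def correlate(log_text, inventory, now, stale_after=timedelta(days=90)):
    """Correlate usage with the inventory into the three report categories."""
    last_used = {}
    unknown_clients, untracked = set(), set()
    for ts, server, user, client, fp in parse_usage(log_text):
        if fp not in inventory:          # key seen in logs but not inventoried
            untracked.add((fp, server, user))
            continue
        last_used[fp] = max(ts, last_used.get(fp, ts))
        if client not in inventory[fp]:  # no tracked private key on this client
            unknown_clients.add((fp, client))
    # Inventoried keys with no logged use, or none within the threshold.
    stale = {fp for fp in inventory
             if fp not in last_used or now - last_used[fp] > stale_after}
    return {"stale": stale, "unknown_clients": unknown_clients,
            "untracked": untracked}
```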

The first step in collecting key usage data is to set up the collection process so that usage data can be collected and correlated with key data.
