Dropbear is a popular SSH (secure shell) package that is widely used by routers. Most people are familiar with OpenSSH, but the majority of routers, including OpenWRT and Unifi (from Ubiquiti), use Dropbear instead. To get access to the Dropbear logs, you have to configure your router to export them to an external location. For example, on Unifi, you have to go to Settings->Remote Syslog.
Dropbear is a very lightweight package with a very simple log format with little variation. It logs every connection, failed login, successful login and disconnection. The flow of a connection looks like:
May 18 13:24:20 eff12311,udm-18.104.22.16840 dropbear: Child connection from 127.0.0.1:35508
May 18 13:24:20 eff12311,udm-22.214.171.12440 dropbear: Pubkey auth succeeded for 'root' with key sha1!! 7b:50:93:10:68:07:d6:bb:9e:d3:6c:46:d9:1d:1b:f0:9e:e9:a9:86 from 127.0.0.1:35508
May 18 13:24:20 eff12311,udm-126.96.36.19940 dropbear: Exit (root): Disconnect received
The first line, "Child connection from", shows that a TCP connection to SSH has been completed. The second line, "Pubkey auth succeeded", shows that the login worked, using SSH public keys. The third line, "Disconnect received", shows that the SSH session was closed. If the user logged in with a password, you would see "Password auth succeeded" instead.
On a failure, you see a log similar to this:
May 18 14:29:02 eff12311,udm-188.8.131.5240 dropbear: Bad password attempt for 'root' from 192.168.1.6:48629
This is pretty descriptive (Bad password attempt). Those are the main logs from Dropbear that we have noticed so far. Did we miss anything? Any more logs we should add?
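As an added example (not part of the original post and not Dropbear's own code), here is a small Python parser for the message shapes shown above, with a check that flags a source IP after repeated "Bad password attempt" lines and again if a password login from that IP then succeeds. The threshold of 3, the finding names and the sample lines are assumptions made for this illustration.

```python
import re
from collections import Counter

# Syslog prefix; "[pid]" is optional because the lines on this page omit it.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) dropbear(?:\[\d+\])?: (?P<msg>.*)$")
SRC = r"(?P<ip>\S+):(?P<port>\d+)$"  # greedy \S+ backtracks to the last colon
EVENTS = [  # only the message shapes shown on this page
    ("connect", re.compile(r"Child connection from " + SRC)),
    ("auth_ok", re.compile(r"(?P<method>Pubkey|Password) auth succeeded for '(?P<user>[^']*)'.* from " + SRC)),
    ("auth_fail", re.compile(r"Bad password attempt for '(?P<user>[^']*)' from " + SRC)),
    ("exit", re.compile(r"Exit \((?P<user>[^)]*)\): (?P<reason>.*)$")),
]

def parse_line(line):
    """Return a dict for a recognised Dropbear line, or None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    for kind, rx in EVENTS:
        hit = rx.match(m["msg"])
        if hit:
            return {"ts": m["ts"], "host": m["host"], "event": kind, **hit.groupdict()}
    return None

def suspicious_sources(lines, threshold=3):
    """Map source IP -> finding (threshold and finding names are assumptions)."""
    fails, findings = Counter(), {}
    for ev in filter(None, map(parse_line, lines)):
        if ev["event"] == "auth_fail":
            fails[ev["ip"]] += 1
            if fails[ev["ip"]] >= threshold:
                findings.setdefault(ev["ip"], "repeated_failures")
        elif ev["event"] == "auth_ok" and ev["method"] == "Password" and fails[ev["ip"]] >= threshold:
            findings[ev["ip"]] = "success_after_failures"
    return findings

# Constructed sample lines modelled on the format above (not real router logs).
SAMPLE = [
    "May 18 14:29:01 router1 dropbear: Child connection from 192.0.2.10:48629",
    "May 18 14:29:02 router1 dropbear: Bad password attempt for 'root' from 192.0.2.10:48629",
    "May 18 14:29:03 router1 dropbear: Bad password attempt for 'root' from 192.0.2.10:48629",
    "May 18 14:29:04 router1 dropbear: Bad password attempt for 'root' from 192.0.2.10:48629",
    "May 18 14:29:05 router1 dropbear: Password auth succeeded for 'root' from 192.0.2.10:48629",
    "May 18 14:30:00 router1 dropbear: Pubkey auth succeeded for 'root' with key sha1!! 00:11:22:33 from 198.51.100.7:35508",
    "May 18 14:30:09 router1 dropbear: Exit (root): Disconnect received",
    "May 18 14:31:00 router1 dropbear: Bad password attempt for 'admin' from 198.51.100.7:35510",
]
print(suspicious_sources(SAMPLE))
```

A password success that follows a run of failures from the same address is the line worth alerting on; a single failed attempt, like the last sample line, stays below the threshold.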