Linux Log System
Overview
On a typical modern distro the key Linux logs live under /var/log, each covering a different slice of the system. From a security perspective you care most about auth, sudo, SSH, audit, kernel, cron, and general syslog/journal logs — plus how they're rotated, centralized, and protected at rest and in transit.
Systemd-based distros also keep a binary journal via journald (/var/log/journal/ or in-memory only); journalctl is your interface and it can mirror or replace classic text logs.
────────────────────────
Core /var/log Files and Purposes
Exact names vary by distro (Debian/Ubuntu vs RHEL/CentOS), but the purpose is the same.
| Log file | Purpose | Security use |
|---|---|---|
| /var/log/syslog (Deb/Ub) · /var/log/messages (RHEL) | General system messages: kernel, daemons, startup/shutdown, service restarts, device changes, errors | Reconstruct timeline, find persistence via services, detect crashes hinting at exploitation |
| /var/log/auth.log (Deb/Ub) · /var/log/secure (RHEL) | All authentication & authorization events: logins, sudo, SSH, PAM, privilege changes | Spot brute force, credential stuffing, suspicious sudo, lateral movement via SSH |
| /var/log/kern.log | Kernel messages: driver issues, hardware problems, some security-module output | Kernel panic/exploit traces, rootkit hints, abnormal module loads |
| /var/log/dmesg | Boot-time kernel messages, device detection (mirrors dmesg output) | Early boot tampering, unusual hardware, kernel parameters at boot |
| /var/log/cron | Cron daemon activity: which jobs ran, when, by which user | Persistence via cron, suspicious jobs, crypto-miners or data-exfil tasks |
| /var/log/faillog | Failed login attempts per user (binary) | Quickly see targeted accounts, brute-force patterns |
| /var/log/lastlog | Last login time per user (binary), read with lastlog | Dormant accounts suddenly active, logins from odd IPs |
| /var/log/btmp | Failed logins (binary), read with lastb | Deeper failed-auth forensics; volumetric brute force |
| /var/log/wtmp | Successful logins/logouts, reboots (binary), read with last | Track sessions, correlate with other activity |
| /var/log/utmp | Currently logged-in users, read with who, w | Identify active compromised sessions |
| /var/log/dpkg.log · /var/log/yum.log | Package manager history: installs, upgrades, removals | Detect tool drops, backdoored packages, AV/EDR removal |
| /var/log/audit/audit.log | Linux audit framework: syscalls, file access, policy violations (requires auditd) | Fine-grained tracking of sensitive file access, privilege use, policy bypass |
| /var/log/apache2/* · /var/log/httpd/* | Web server access and error logs | RFI/LFI, SQLi, auth bypass, enumeration on the web surface |
| /var/log/mysql/* · /var/log/mariadb/* | Database logs: queries, errors, auth | DB brute force, dangerous queries, data exfil |
────────────────────────
Quick Recon Commands
# --- Text logs: live tail ---
tail -f /var/log/auth.log # SSH/sudo events (Debian/Ubuntu)
tail -f /var/log/secure # same on RHEL/CentOS
# --- journald: systemd journal ---
journalctl -f # follow everything
journalctl -u sshd --since "1 hour ago" # one unit, recent
journalctl -p err -b # errors this boot
journalctl _UID=0 --since today # all root activity today
# --- Binary logs ---
last -F # successful logins (wtmp)
lastb -F # failed logins (btmp) [needs root]
lastlog # last login per user
# --- Currently logged-in ---
who; w
# --- Audit log ---
ausearch -m USER_LOGIN -ts today # logins via auditd
aureport --auth --summary # auth summary report
────────────────────────
Auth Log: What to Look For
# --- Brute force / failed SSH ---
# (take the IP from the token after "from" rather than awk '{print $11}': "invalid user" lines carry two extra fields, so $11 lands on the username there)
grep "Failed password" /var/log/auth.log | grep -oP 'from \K[\d.]+' | sort | uniq -c | sort -rn | head -20
# --- Successful logins after failures (compromise indicator) ---
grep "Accepted password" /var/log/auth.log
# --- Sudo usage ---
grep "sudo" /var/log/auth.log | grep -v "PAM"
# --- New user accounts created ---
grep "useradd\|adduser" /var/log/auth.log
# --- SSHD: accepted public key logins ---
grep "Accepted publickey" /var/log/auth.log
# --- Logins from IPs (extract unique sources) ---
grep "sshd" /var/log/auth.log | grep -oP 'from \K[\d.]+' | sort | uniq -c | sort -rn
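As an added example (not part of the original notes), a small awk-based detector for the "successful login after failures" indicator above, run over constructed sample lines; it pulls the source address from the token after "from", so the "invalid user" variant that shifts the column positions is counted correctly, and it only counts failures that precede the success.

```shell
# Constructed sample auth.log lines (not from a real host); 203.0.113.7,
# 198.51.100.4 and 192.0.2.9 are documentation-range placeholder addresses.
SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar  3 10:01:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar  3 10:01:03 host sshd[1002]: Failed password for invalid user oracle from 203.0.113.7 port 40002 ssh2
Mar  3 10:01:05 host sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar  3 10:01:09 host sshd[1004]: Accepted password for deploy from 203.0.113.7 port 40004 ssh2
Mar  3 10:05:00 host sshd[1005]: Failed password for alice from 198.51.100.4 port 50001 ssh2
Mar  3 10:05:30 host sshd[1006]: Accepted publickey for alice from 198.51.100.4 port 50002 ssh2
Mar  3 10:06:00 host sshd[1007]: Accepted password for bob from 192.0.2.9 port 50100 ssh2
EOF

# usage: success_after_failures LOGFILE MIN_FAILURES
# Prints "IP failures user" for each source address that logged at least
# MIN_FAILURES failed passwords and then a successful sshd login from the same
# address. Failures are counted in file order, so only those preceding the
# success count. The address is the token after "from", which is why
# "invalid user" lines (two extra fields) parse the same as ordinary failures.
success_after_failures() {
    awk -v min="$2" '
        /sshd/ && /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        /sshd/ && /Accepted (password|publickey) for/ {
            ip = ""; user = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") ip = $(i+1)
                if ($i == "for") user = $(i+1)
            }
            if (ip != "" && fails[ip] >= min) print ip, fails[ip], user
        }' "$1"
}

# On a live box: success_after_failures /var/log/auth.log 5
success_after_failures "$SAMPLE_AUTH_LOG" 3   # prints: 203.0.113.7 3 deploy
```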
────────────────────────
auditd: High-Value Rules
# /etc/audit/rules.d/hardening.rules
# Track privilege escalation
-a always,exit -F arch=b64 -S execve -F euid=0 -k root_cmd
# Watch sensitive files
-w /etc/passwd -p wa -k passwd_change
-w /etc/shadow -p wa -k shadow_change
-w /etc/sudoers -p wa -k sudoers_change
-w /etc/ssh/sshd_config -p wa -k sshd_config_change
# Watch log files themselves (detect tampering)
-w /var/log/auth.log -p wa -k log_tamper
-w /var/log/audit/ -p wa -k audit_tamper
# Cron modifications
-w /etc/crontab -p wa -k cron_change
-w /var/spool/cron/ -p wa -k cron_change
# Module loads (rootkit indicator)
-a always,exit -F arch=b64 -S init_module -S finit_module -k module_load
# Apply without reboot
auditctl -R /etc/audit/rules.d/hardening.rules
────────────────────────
Log Rotation: logrotate Basics
# Main config
/etc/logrotate.conf
/etc/logrotate.d/* # per-service overrides
# Typical stanza (logrotate only accepts comments whose first non-blank character is #, so they sit on their own lines, not after a directive)
/var/log/auth.log {
# rotate daily
daily
# keep 14 rotated copies
rotate 14
# gzip old files
compress
# keep last rotation uncompressed
delaycompress
# no error if file missing
missingok
# skip if empty
notifempty
postrotate
# signal rsyslog
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
# Force rotation now (debug/test)
logrotate -f /etc/logrotate.d/rsyslog
# Show what would happen (dry-run)
logrotate -d /etc/logrotate.conf
────────────────────────
Attack Vectors Against Logs (Red Team)
Common techniques attackers use once they have elevated access:
| Technique | Command / Method | Defense |
|---|---|---|
| Wipe text log | echo '' > /var/log/auth.log | Immutable flag (chattr +a), remote logging |
| Surgically remove lines | sed -i '/attacker-ip/d' /var/log/auth.log | Hash-chain / forward-secure logging |
| Wipe binary logs | > /var/log/wtmp ; > /var/log/btmp | Remote append-only SIEM |
| Journal vacuum | journalctl --vacuum-time=1s | journald Storage=persistent + remote forward |
| Delete journal files | rm /var/log/journal/*/* | Separate mount with restrictive ACLs |
| Rsyslog redirect | Modify /etc/rsyslog.conf to auth,authpriv.none | File integrity monitoring (FIM) on configs |
| Log flooding | Spam syslog to trigger rotation/deletion, hide malicious line in noise | Rate-limiting in rsyslog/syslog-ng |
| MITM log stream | Intercept UDP/TCP syslog without TLS | Enforce TLS with mutual cert auth |
| Rotated archive deletion | rm /var/log/*.gz | Off-box archival before deletion |
| Poison future logs | Proxy spoofs source IP/user-agent; debug mode leaks secrets | Log normalisation + SIEM parsing rules |
Key insight: On a hardened system most of the above requires root. Attackers either aim for low and slow with legit creds to avoid generating logs, or gain root first and then surgically clean up.
────────────────────────
Protecting Logs at Rest
# --- Immutable / append-only flags ---
chattr +a /var/log/auth.log # append-only: even root can't overwrite or truncate, only append (the logger keeps working)
chattr +i /var/log/auth.log # fully immutable: nothing can modify/delete, the logger included, so use +i on rotated archives rather than the live file
lsattr /var/log/auth.log # verify flags
# Caveat: a root process holding CAP_LINUX_IMMUTABLE can clear both flags (chattr -a / -i);
# audit chattr via auditd and keep the authoritative copy off-box (forwarding below)
# --- Protect the log directory ---
chmod 640 /var/log/auth.log # with owner root:adm (Debian default): root and group adm can read, nobody else
chmod 750 /var/log/audit/
chown root:root /var/log/audit/audit.log
# --- LUKS encrypted /var partition (full disk) ---
# At boot the key unlocks the partition; once mounted, logs are plaintext to root.
# Key protection comes from limiting root access itself.
cryptsetup luksOpen /dev/sda3 var_crypt
mount /dev/mapper/var_crypt /var
# --- Minimal local retention: forward and shred ---
# After forwarding off-box, truncate local copy to reduce exposure window
# (clear +a first if it is set: truncation is exactly what append-only blocks)
truncate -s 0 /var/log/auth.log
────────────────────────
Forwarding Logs Securely (rsyslog + TLS)
# /etc/rsyslog.d/99-remote.conf (CLIENT side)
# No input module is needed on the forwarding client: omfwd is built in and the gtls
# netstream driver is selected below. imtcp belongs on the receiving SERVER, not here.
global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/etc/ssl/certs/logserver-ca.pem"
DefaultNetstreamDriverCertFile="/etc/ssl/certs/client-cert.pem"
DefaultNetstreamDriverKeyFile="/etc/ssl/private/client-key.pem"
)
# Forward all auth events to central syslog over TLS
auth,authpriv.* action(
type="omfwd"
target="syslog.example.com"
port="6514"
protocol="tcp"
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="x509/name" # NOT anon; validate cert CN
StreamDriverPermittedPeers="syslog.example.com"
)
# Restart and verify
systemctl restart rsyslog
journalctl -u rsyslog -n 30 # check for TLS handshake errors
# Alternative: run syslog inside a WireGuard / IPsec VPN tunnel
# plain UDP/TCP syslog but encrypted at the network layer
wg-quick up wg0 && systemctl restart rsyslog
────────────────────────
journald Remote Forwarding
# /etc/systemd/journald.conf (systemd config files take comments only on their own line, never after a value)
[Journal]
# ensure journal survives reboot
Storage=persistent
Compress=yes
# bridge to rsyslog for TLS forwarding above
ForwardToSyslog=yes
# OR use systemd-journal-remote (native journal protocol over HTTPS)
# Server: install systemd-journal-remote, enable systemd-journal-remote.socket
# Client (flags per systemd-journal-upload(8); in production set ServerKeyFile=/ServerCertificateFile=/TrustedCertificateFile=
# in /etc/systemd/journal-upload.conf and enable systemd-journal-upload.service):
systemd-journal-upload \
--url=https://logserver.example.com:19532 \
--key=/etc/ssl/private/client-key.pem \
--cert=/etc/ssl/certs/client-cert.pem \
--trust=/etc/ssl/certs/logserver-ca.pem
────────────────────────
Integrity: Detecting Tampering
# --- AIDE / Tripwire: hash-based FIM ---
aide --init # build initial database
aide --check # compare against database
# Protect the database itself off-box; on-box DB = useless against root
# --- auditd watches on log files (see rules above) ---
ausearch -k log_tamper # see who touched auth.log
# --- Verify binary log files haven't been zeroed ---
wc -c /var/log/wtmp # size should be non-zero if any logins ever happened
file /var/log/btmp # should be "data", non-empty
# --- Off-box append-only storage ---
# S3 / object-store bucket with Object Lock (WORM) -- once written, cannot be deleted by root
# Central SIEM with immutable indexing (Splunk, Elastic frozen tier, Loki + S3)
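Added example, not part of the original notes: a minimal hash-chain verifier in shell, illustrating the "hash-chain / forward-secure logging" defense from the attack-vector table and the off-box integrity checks in this section. The demo log lines are constructed; the digest list stands in for what you would ship to the SIEM alongside the log.

```shell
# Genesis value for the chain: 64 hex zeros.
GENESIS=$(printf '%064d' 0)

# Emit one SHA-256 per log line, each computed over the previous digest plus the
# line. The last digest is the chain head; deleting, editing or reordering any
# earlier line changes every digest from that point on.
chain_digests() {
    prev=$GENESIS
    while IFS= read -r line; do
        prev=$(printf '%s\n%s' "$prev" "$line" | sha256sum | cut -d' ' -f1)
        printf '%s\n' "$prev"
    done < "$1"
}

chain_head() { chain_digests "$1" | tail -n 1; }

# Exit 0 when LOGFILE still reproduces the trusted head kept off-box, 1 otherwise.
chain_verify() { [ "$(chain_head "$1")" = "$2" ]; }

# Print the first line number whose digest differs from TRUSTED_DIGESTS (the
# chain_digests output stored off-box), or "none" if nothing changed.
# A truncated log reports the line after its last one.
chain_first_mismatch() {
    chain_digests "$1" | awk -v trusted="$2" '
        { if ((getline t < trusted) <= 0 || t != $0) { print NR; found = 1; exit } }
        END { if (!found) { if ((getline t < trusted) > 0) print NR + 1; else print "none" } }'
}

# Constructed demo log (not real host data; the addresses are documentation ranges).
LOG=$(mktemp)
printf '%s\n' \
  'Mar  3 10:00:01 host sshd[900]: Accepted publickey for alice from 198.51.100.4 port 50001 ssh2' \
  'Mar  3 10:01:05 host sshd[901]: Failed password for root from 203.0.113.7 port 40003 ssh2' \
  'Mar  3 10:01:09 host sshd[902]: Accepted password for deploy from 203.0.113.7 port 40004 ssh2' \
  'Mar  3 10:02:00 host sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; COMMAND=/bin/bash' > "$LOG"
TRUSTED=$(mktemp); chain_digests "$LOG" > "$TRUSTED"   # the copy you would ship off-box
# Simulate the "surgically remove lines" technique from the table above.
TAMPERED=$(mktemp); sed '/203.0.113.7/d' "$LOG" > "$TAMPERED"

echo "intact log first mismatch: $(chain_first_mismatch "$LOG" "$TRUSTED")"        # none
echo "tampered log first mismatch: $(chain_first_mismatch "$TAMPERED" "$TRUSTED")"  # 2
```

The per-line digest list is what lets a responder say where tampering began, while the single chain head is enough to prove that it happened.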
────────────────────────
Distro Cheat-Sheet: File Name Equivalents
| Concept | Debian / Ubuntu | RHEL / CentOS / AlmaLinux |
|---|---|---|
| General syslog | /var/log/syslog | /var/log/messages |
| Auth / sudo / SSH | /var/log/auth.log | /var/log/secure |
| Package manager | /var/log/dpkg.log | /var/log/yum.log or /var/log/dnf.log |
| Cron | /var/log/syslog (mixed in) | /var/log/cron |
| Mail | /var/log/mail.log | /var/log/maillog |
| Boot messages | /var/log/boot.log | /var/log/boot.log |
| Audit | /var/log/audit/audit.log | /var/log/audit/audit.log |
────────────────────────
One-Liner Triage (First 60 Seconds on a Compromised Box)
# Who is/was here?
echo "=== NOW ==="; w; who
echo "=== RECENT ==="; last -F | head -20
echo "=== FAILED ==="; lastb -F 2>/dev/null | head -20
# Recent auth events
echo "=== AUTH ==="; tail -100 /var/log/auth.log 2>/dev/null || journalctl -u sshd -n 50
# Sudo / root escalations
echo "=== SUDO ==="; grep sudo /var/log/auth.log | tail -20
# Cron / persistence
echo "=== CRON ==="; tail -50 /var/log/cron 2>/dev/null; crontab -l 2>/dev/null; ls /etc/cron*
# Package installs (attacker tooling)
echo "=== PKGS ==="; tail -50 /var/log/dpkg.log 2>/dev/null || tail -50 /var/log/yum.log 2>/dev/null
# Signs of log wipe
echo "=== WTMP SIZE ==="; wc -c /var/log/wtmp /var/log/btmp
echo "=== AUTH SIZE ==="; wc -c /var/log/auth.log 2>/dev/null || echo "missing"
────────────────────────
Resources
| Type | Resource |
|---|---|
| Basics | Last9 – What is /var/log: Understanding Linux System Logs |
| Basics | Loggly – Linux Logging Basics – The Ultimate Guide |
| Basics | Plesk – Linux Logs Explained: A Complete Guide for Sysadmins |
| Security | Elastic – Grokking the Linux authorization logs |
| Security | Last9 – Linux Security Logs: Complete Guide for DevOps and SysAdmins |
| Security | Contabo – Linux Logs Explained: Boost Your System's Performance and Security |
| DFIR / SOC | Huntress – What are log files? Log File Explained for Cybersecurity |
| DFIR / SOC | YouTube – Crash Course: Linux Log Analysis | Beginner Guide for SOC Analyst |
| Encryption | Reddit – Securing rsyslog (TLS modes, StreamDriverAuthMode) |
#BlueTeam #RedTeam #Linux #Logs #DFIR #Forensics #CyberSecurity #SOC #auditd #rsyslog