# Linux Forensics Logs

### 1. System Logs

```
/var/log/syslog (Debian-based systems): Logs system messages and information about startup services.
/var/log/messages (Red Hat-based systems): General-purpose system log containing kernel and application messages.
/var/log/dmesg: Kernel ring buffer messages, useful for identifying hardware and driver issues.
```

***

### 2. Authentication and Access Logs

```
/var/log/auth.log (Debian-based systems): Logs all authentication activities such as logins, SSH, sudo, and PAM events.
/var/log/secure (Red Hat-based systems): Equivalent to auth.log, logs authentication and security events.
/var/log/faillog: Records failed login attempts.
/var/log/lastlog: Tracks the last login of each user.
/var/log/wtmp and /var/log/btmp: Binary files tracking login sessions (wtmp) and failed logins (btmp). Use the last and lastb commands to read them.
```
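Added example (not from the original page): a minimal Python reader for the binary wtmp/btmp records listed above, useful when `last`/`lastb` are unavailable or when the files come from a disk image. It assumes the glibc x86_64 record layout; the sample btmp bytes are constructed inside the block.

```python
import struct
from datetime import datetime, timezone

# glibc x86_64 struct utmp: 384-byte little-endian records (same layout for wtmp and btmp).
UTMP_STRUCT = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
RECORD_SIZE = UTMP_STRUCT.size  # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _cstr(raw):
    """Decode a NUL-padded fixed-width char field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Return one dict per record in a wtmp/btmp byte string (a trailing partial record is ignored)."""
    records = []
    for off in range(0, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        (ut_type, pid, line, _ut_id, user, host, _term, _exit, _session,
         tv_sec, tv_usec, *_addr) = UTMP_STRUCT.unpack_from(data, off)
        records.append({
            "type": UT_TYPES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc).replace(microsecond=tv_usec),
        })
    return records

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one record; used here only to construct sample input for the example."""
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                            0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed sample btmp: three failed SSH logins for root from one source address.
SAMPLE_BTMP = b"".join(
    make_record(7, 4242 + i, "ssh:notty", "root", "198.51.100.7", 1700000000 + 2 * i)
    for i in range(3))

def attempts_by_source(records):
    """Aggregate btmp records by (user, host): the per-source view an analyst builds from lastb."""
    counts = {}
    for rec in records:
        if rec["type"] != "EMPTY":
            key = (rec["user"], rec["host"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Run `parse_utmp(open("/var/log/btmp", "rb").read())` on a real file; a record count that does not match `lastb | wc -l`, or a file whose size is not a multiple of 384, is itself a sign of truncation or tampering.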

***

### 3. Process and Task Monitoring

```
/var/log/cron: Logs cron job execution.
/var/log/atop: Advanced system and process resource monitoring logs.
/proc/: Dynamic runtime system information, including process details (e.g., /proc/<PID>).
```

***

### 4. Network Logs

```
/var/log/ufw.log: Logs generated by the Uncomplicated Firewall (UFW).
/var/log/firewalld: Logs generated by firewalld.
/var/log/iptables.log (if configured): Tracks firewall rule activities.
/var/log/suricata.log or /var/log/snort.log: Logs generated by IDS/IPS tools (if installed).
/var/log/audit/audit.log: Contains SELinux denials and audit-related network activities.
/var/log/maillog or /var/log/mail.log: Email server logs for detecting phishing or malware campaigns.
/etc/hosts: Maps hostnames to IP addresses.
/etc/resolv.conf: Configures DNS servers.
/etc/network/: Networking configuration files.
/etc/ufw/: Contains firewall configurations.
/etc/hosts.allow and /etc/hosts.deny: Control access to network services via TCP Wrappers.
```

***

### 5. Application and Service Logs

```
/var/log/apache2/: Logs for Apache web server (e.g., access and error logs).
/var/log/apache2/access.log: Per-request access log, the primary source for analyzing requests.
/var/log/nginx/: Logs for NGINX web server.
/var/log/mysql/: Logs for MySQL/MariaDB database activities.
/var/log/postgresql/: Logs for PostgreSQL database activities.
/var/log/docker.log: Logs related to Docker container activities.
/var/lib/docker/containers/: Individual container logs.
```

***

### 6. User Activity Monitoring

```
~/.bash_history: Tracks user command history (can be tampered with).
~/.zsh_history: Similar to bash_history for Zsh shell.
/var/log/sudo.log: Logs all sudo command usage.
/var/log/user.log: Contains user-specific actions and processes.
```

***

### 7. File Integrity and Change Monitoring

```
/var/log/audit/audit.log: Tracks system changes and file access (useful for forensic analysis with auditd).
/var/log/tripwire/report/: Logs from Tripwire file integrity monitoring (if installed).
/var/log/inotify/ (if configured): Logs file system change events monitored using inotify.
```

***

### 8. System and Package Updates

```
/var/log/apt/: Logs for package management activities (Debian-based systems).
/var/log/yum.log or /var/log/dnf.log: Logs for package management (Red Hat-based systems).
/var/log/samba/: Logs file-sharing activities for Samba servers; review for unauthorized access to shared resources.
/var/log/nfslog: Tracks access to Network File System shares.
```

***

### 9. Boot and Initialization Logs

```
/var/log/boot.log: Logs generated during system boot.
/var/log/kern.log: Kernel-specific events during system operation and boot.
```

***

### 10. Miscellaneous Logs

```
/var/log/xorg.0.log: X server (GUI) logs.
/var/log/cloud-init.log: Logs for cloud instance initialization.
/var/log/rkhunter.log: Logs from Rootkit Hunter scans (if installed).
```

***

### 11. Cron Jobs and Task Scheduling

```
/etc/crontab: System-wide schedule of tasks executed via cron; review it to identify unauthorized or suspicious cron jobs.
/var/spool/cron/crontabs/: Per-user crontabs.
/etc/systemd/system/persistence.service/
```

***

### 12. Mail and Communication

```
/var/log/mail.log or /var/log/maillog: Records incoming and outgoing email messages; look for spam activity or data exfiltration.
```

***

### 13. Cloud and Remote Management Logs

```
/etc/ssh/sshd_config
/etc/ssh/authorized_keys
~/.aws/cli/cache
```

***

### 14. User credentials

```
/usr/bin/passwd: The passwd utility binary.
/etc/passwd: Lists all system users.
/etc/shadow: Stores hashed passwords for users.
/etc/group: Defines group memberships.
```
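Added example (not from the original page): a Python cross-check of /etc/passwd against /etc/shadow that flags the account anomalies an examiner looks for in these files (extra UID 0 users, empty hash fields, users missing from one file, odd home directories). The sample file contents are constructed; the "backdoor" and "ghost" entries are the planted anomalies.

```python
# Constructed sample files for this example; "backdoor" and "ghost" are the anomalies.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0::/tmp:/bin/sh
svcacct:x:1001:1001::/var/svc:/bin/bash
ghost:x:1002:1002::/home/ghost:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$salt$hash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$salt2$hash2:19700:0:99999:7:::
backdoor::19700:0:99999:7:::
svcacct:$6$salt3$hash3:19700:0:99999:7:::
"""

def audit_accounts(passwd_text, shadow_text):
    """Cross-check /etc/passwd against /etc/shadow; return (user, finding) pairs."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            shadow[fields[0]] = fields[1]          # user -> hash field

    findings, uid0_users, passwd_users = [], [], set()
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, pw, uid, _gid, _gecos, home, _shell = line.split(":")[:7]
        passwd_users.add(user)
        if uid == "0":
            uid0_users.append(user)
        if pw == "":
            findings.append((user, "empty password field in /etc/passwd"))
        elif pw not in ("x", "*", "!"):
            findings.append((user, "password hash stored in /etc/passwd"))
        if user not in shadow:
            findings.append((user, "no /etc/shadow entry"))
        elif shadow[user] == "":
            findings.append((user, "empty hash in /etc/shadow (passwordless login)"))
        if home.startswith(("/tmp", "/dev", "/var/tmp")):
            findings.append((user, "unusual home directory " + home))
    # A second UID 0 account is a classic indicator of a rogue account.
    for user in uid0_users:
        if user != "root":
            findings.append((user, "UID 0 but not root"))
    for user in shadow:
        if user not in passwd_users:
            findings.append((user, "/etc/shadow entry with no /etc/passwd user"))
    return findings
```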

***

### 15. Security Policies and Controls

```
/etc/sudoers: Defines sudo permissions; check for entries that allow unauthorized privilege escalation.
```

***

### 16. Investigate Time Adjustments

```
grep ntp /var/log/syslog: NTP logs can reveal synchronization history or potential anomalies.
grep "time correction" /var/log/syslog: Finds clock corrections recorded by the time daemon.
```
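Added example (not from the original page): Python detection logic that runs the grep idea above over syslog lines and flags clock corrections large enough to break timeline correlation. The syslog excerpt is constructed, modelled on ntpd and chronyd message wording; the 60-second threshold is an assumption to tune per environment.

```python
import re

# Constructed syslog excerpt modelled on ntpd/chronyd message wording (not a real capture).
SAMPLE_SYSLOG = """\
Nov 14 22:13:20 host ntpd[812]: time reset +0.004211 s
Nov 14 22:14:02 host chronyd[901]: System clock wrong by 0.012345 seconds, adjustment started
Nov 14 22:41:09 host ntpd[812]: time reset -3610.552891 s
Nov 14 22:41:10 host ntpd[812]: time correction of 3610 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
Nov 14 23:02:51 host chronyd[901]: System clock wrong by -7200.001000 seconds, adjustment started
Nov 14 23:05:00 host sshd[1200]: Accepted publickey for alice from 203.0.113.9 port 50222 ssh2
"""

# One pattern per message form; group 1 is always the correction in seconds.
PATTERNS = [
    re.compile(r"ntpd\[\d+\]: time reset ([+-]?\d+(?:\.\d+)?) s"),
    re.compile(r"ntpd\[\d+\]: time correction of (\d+) seconds exceeds sanity limit"),
    re.compile(r"chronyd\[\d+\]: System clock wrong by ([+-]?\d+(?:\.\d+)?) seconds"),
]

def time_adjustments(log_text):
    """Return (syslog timestamp prefix, seconds) for every clock correction in the text."""
    out = []
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                out.append((line[:15], float(m.group(1))))
                break
    return out

def suspicious_adjustments(log_text, threshold_s=60.0):
    """Corrections at or above threshold_s (assumed tuning value): the clock jumped, so
    timestamps on either side of that line cannot be compared without adjustment."""
    return [(ts, s) for ts, s in time_adjustments(log_text) if abs(s) >= threshold_s]
```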

***

### 17. Database Logs - Tracks database activities, errors, and slow queries

```
/var/log/mysql/error.log
/var/log/postgresql/postgresql-<version>-main.log
```

