# Linux Forensics Logs

### 1. System Logs

```
/var/log/syslog (Debian-based systems): Logs system messages and information about startup services.
/var/log/messages (Red Hat-based systems): General-purpose system log containing kernel and application messages.
/var/log/dmesg: Kernel ring buffer messages, useful for identifying hardware and driver issues.
```

***

### 2. Authentication and Access Logs

```
/var/log/auth.log (Debian-based systems): Logs all authentication activities such as logins, SSH, sudo, and PAM events.
/var/log/secure (Red Hat-based systems): Equivalent to auth.log, logs authentication and security events.
/var/log/faillog: Records failed login attempts.
/var/log/lastlog: Tracks the last login of each user.
/var/log/wtmp and /var/log/btmp: Binary files tracking login sessions (wtmp) and failed logins (btmp). Use the last and lastb commands to read them.
```
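Reading auth.log (or secure) by eye does not scale once an SSH service has been hammered for hours. The following Python is an added example, not code from the original page: it reduces sshd lines to authentication events, counts failed password attempts per source address, and flags any success that follows earlier failures from the same address, which is the pattern a password-spraying or brute-force attempt that eventually worked leaves behind. The line shapes are those of OpenSSH under classic syslog; the sample lines are constructed and use documentation-range addresses.

```python
# Added example (not from the original page): detect SSH password
# brute-forcing in auth.log / secure and flag a successful login that
# follows a burst of failures from the same source address.
import re

# Classic syslog line prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
SSHD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# OpenSSH message shapes for failed and accepted authentication.
FAILED = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_sshd_events(lines):
    """Reduce raw log lines to authentication outcome events; other lines are ignored."""
    events = []
    for line in lines:
        m = SSHD_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        msg = m.group("msg")
        failed = FAILED.match(msg)
        if failed:
            events.append({"ts": m.group("ts"), "outcome": "failed",
                           "user": failed.group("user"), "ip": failed.group("ip")})
            continue
        accepted = ACCEPTED.match(msg)
        if accepted:
            events.append({"ts": m.group("ts"), "outcome": "accepted",
                           "user": accepted.group("user"), "ip": accepted.group("ip"),
                           "method": accepted.group("method")})
    return events


def brute_force_report(events, threshold=5):
    """Return {ip: failure_count} for sources at/above the threshold,
    {ip: set(usernames)} tried per source, and a list of successes that
    followed earlier failures from the same address (events in log order)."""
    failures, usernames, suspicious_successes = {}, {}, []
    for ev in events:
        ip = ev["ip"]
        if ev["outcome"] == "failed":
            failures[ip] = failures.get(ip, 0) + 1
            usernames.setdefault(ip, set()).add(ev["user"])
        elif failures.get(ip, 0) > 0:
            suspicious_successes.append(
                f"{ev['ts']}: {ev['user']} accepted via {ev['method']} from {ip} "
                f"after {failures[ip]} failed attempts"
            )
    sources = {ip: n for ip, n in failures.items() if n >= threshold}
    return sources, usernames, suspicious_successes


# Constructed sample lines (documentation-range addresses), not from a real host.
SAMPLE_AUTH_LOG = """\
Nov 14 22:01:03 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Nov 14 22:01:05 web01 sshd[4103]: Failed password for invalid user test from 203.0.113.5 port 40124 ssh2
Nov 14 22:01:07 web01 sshd[4105]: Failed password for root from 203.0.113.5 port 40126 ssh2
Nov 14 22:01:09 web01 sshd[4107]: Failed password for root from 203.0.113.5 port 40128 ssh2
Nov 14 22:01:11 web01 sshd[4109]: Failed password for root from 203.0.113.5 port 40130 ssh2
Nov 14 22:01:13 web01 sshd[4111]: Failed password for bob from 203.0.113.5 port 40132 ssh2
Nov 14 22:01:15 web01 sshd[4113]: Accepted password for bob from 203.0.113.5 port 40134 ssh2
Nov 14 22:01:15 web01 sshd[4113]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Nov 14 22:05:40 web01 sshd[4120]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2: ED25519 SHA256:constructedfingerprint
Nov 14 22:07:02 web01 sshd[4125]: Failed password for carol from 192.0.2.10 port 33000 ssh2
""".splitlines()

if __name__ == "__main__":
    sources, usernames, hits = brute_force_report(parse_sshd_events(SAMPLE_AUTH_LOG))
    for ip, n in sources.items():
        print(f"{ip}: {n} failed password attempts against {sorted(usernames[ip])}")
    for hit in hits:
        print("REVIEW:", hit)
```

On a real host pass `open("/var/log/auth.log")` (or the rotated `.1`/`.gz` copies) in place of the sample list. The threshold is deliberately a parameter: a jump host sees far more benign failures than an internal database server, so tune it per role, and treat the "success after failures" finding as the one that always deserves a look, regardless of count.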

***

### 3. Process and Task Monitoring

```
/var/log/cron: Logs cron job execution.
/var/log/atop: Advanced system and process resource monitoring logs.
/proc/: Dynamic runtime system information, including process details (e.g., /proc/<PID>).
```

***

### 4. Network Logs

```
/var/log/ufw.log: Logs generated by the Uncomplicated Firewall (UFW).
/var/log/firewalld: Logs generated by firewalld.
/var/log/iptables.log (if configured): Tracks firewall rule activities.
/var/log/suricata.log or /var/log/snort.log: Logs generated by IDS/IPS tools (if installed).
/var/log/audit/audit.log: Contains SELinux denials and audit-related network activities.
/var/log/maillog or /var/log/mail.log: Email server logs for detecting phishing or malware campaigns.
/etc/hosts: Maps hostnames to IP addresses.
/etc/resolv.conf: Configures DNS servers.
/etc/network/: Networking configuration files.
/etc/ufw/: Contains firewall configurations.
/etc/hosts.allow: Controls access to network services via TCP Wrappers (allow rules).
/etc/hosts.deny: Controls access to network services via TCP Wrappers (deny rules).
```

***

### 5. Application and Service Logs

```
/var/log/apache2/: Logs for Apache web server (e.g., access and error logs).
/var/log/apache2/access.log: Records each HTTP request (client IP, method, path, status); use it to analyze requests.
/var/log/nginx/: Logs for NGINX web server.
/var/log/mysql/: Logs for MySQL/MariaDB database activities.
/var/log/postgresql/: Logs for PostgreSQL database activities.
/var/log/docker.log: Logs related to Docker container activities.
/var/lib/docker/containers/: Individual container logs.
```

***

### 6. User Activity Monitoring

```
~/.bash_history: Tracks user command history (can be tampered with).
~/.zsh_history: Similar to bash_history for Zsh shell.
/var/log/sudo.log: Logs all sudo command usage.
/var/log/user.log: Contains user-level actions and process events.
```
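The shell histories above are easy to edit, so login session records from the wtmp/btmp files listed under section 2 are the natural corroborating source for user activity. Those files are binary, and a forensic workstation that must read a copied file (or lacks `last`/`lastb`) needs its own parser. The Python below is an added example, not code from the original page: it decodes the records, pairs logins with logouts by tty/pty the way `last` does (simplified: reboots are not used to close sessions), and summarises btmp failures per source. It assumes the glibc x86_64 utmp layout (384-byte records); the sample data is constructed with documentation-range addresses.

```python
# Added example (not from the original page): parse wtmp/btmp utmp records
# and reconstruct login sessions the way `last`/`lastb` do.
# Assumes the glibc x86_64 utmp layout (384-byte records); other
# architectures/libcs differ, so check that UTMP_SIZE divides the file size.
import struct
from datetime import datetime, timezone

# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit(2 shorts), ut_session, ut_tv(sec, usec), ut_addr_v6[4], __unused[20]
UTMP_FORMAT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384 bytes

BOOT_TIME = 2
USER_PROCESS = 7
DEAD_PROCESS = 8


def _cstr(raw):
    """Decode a NUL-padded char[] field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Return one dict per complete utmp record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - (len(data) % UTMP_SIZE), UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _tv_usec, *_rest) = struct.unpack_from(UTMP_FORMAT, data, off)
        records.append({
            "type": ut_type, "pid": pid, "line": _cstr(line),
            "user": _cstr(user), "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
        })
    return records


def sessions(records):
    """Pair each USER_PROCESS login with the DEAD_PROCESS logout on the same tty/pty."""
    open_by_line, closed = {}, []
    for rec in records:
        if rec["type"] == USER_PROCESS:
            open_by_line[rec["line"]] = rec
        elif rec["type"] == DEAD_PROCESS and rec["line"] in open_by_line:
            login = open_by_line.pop(rec["line"])
            closed.append({"user": login["user"], "host": login["host"], "line": login["line"],
                           "login": login["time"], "logout": rec["time"],
                           "seconds": int((rec["time"] - login["time"]).total_seconds())})
    still_open = [{"user": r["user"], "host": r["host"], "line": r["line"], "login": r["time"]}
                  for r in open_by_line.values()]
    return closed, still_open


def failed_logins_by_source(records):
    """btmp view: count failed attempts per (user, host), like a summarised `lastb`."""
    counts = {}
    for rec in records:
        if rec["type"] == USER_PROCESS:
            key = (rec["user"], rec["host"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def _pack(ut_type, pid, line, user, host, tv_sec):
    """Build a constructed record for the sample data below."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


# Constructed sample data (not from a real system); addresses are documentation ranges.
SAMPLE_WTMP = b"".join([
    _pack(BOOT_TIME, 0, "~", "reboot", "6.1.0", 1_700_000_000),
    _pack(USER_PROCESS, 4201, "pts/0", "alice", "198.51.100.7", 1_700_000_600),
    _pack(USER_PROCESS, 4350, "pts/1", "svc-backup", "198.51.100.9", 1_700_001_200),
    _pack(DEAD_PROCESS, 4201, "pts/0", "", "", 1_700_004_200),
])
SAMPLE_BTMP = b"".join(_pack(USER_PROCESS, 900 + i, "ssh:notty", "root", "203.0.113.5", 1_700_002_000 + i)
                       for i in range(5))

if __name__ == "__main__":
    closed, open_ = sessions(parse_utmp(SAMPLE_WTMP))
    for s in closed:
        print(f"{s['user']:<12}{s['line']:<8}{s['host']:<16}{s['login']:%Y-%m-%d %H:%M} - "
              f"{s['logout']:%H:%M} ({s['seconds']} s)")
    for s in open_:
        print(f"{s['user']:<12}{s['line']:<8}{s['host']:<16}{s['login']:%Y-%m-%d %H:%M} still logged in")
    for (user, host), n in failed_logins_by_source(parse_utmp(SAMPLE_BTMP)).items():
        print(f"{n} failed logins for {user} from {host}")
```

Feed `open("/var/log/wtmp", "rb").read()` (or the acquired copy) to `parse_utmp` on a real case. Before trusting output from an image taken on another architecture, confirm that the file size is a multiple of `UTMP_SIZE`; a mismatch means the struct layout differs and every field after the first will be shifted. Like the history files, wtmp and btmp can be truncated or rewritten by anyone with root, so cross-check the sessions against auth.log and audit.log rather than treating them as ground truth.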

***

### 7. File Integrity and Change Monitoring

```
/var/log/audit/audit.log: Tracks system changes and file access (useful for forensic analysis with auditd).
/var/log/tripwire/report/: Logs from Tripwire file integrity monitoring (if installed).
/var/log/inotify/ (if configured): Logs file system change events monitored using inotify.
```

***

### 8. System and Package Updates

```
/var/log/apt/: Logs for package management activities (Debian-based systems).
/var/log/yum.log or /var/log/dnf.log: Logs for package management (Red Hat-based systems).
/var/log/samba: Logs file-sharing activities for Samba servers; track unauthorized access to shared resources.
/var/log/nfslog: Tracks access to Network File System shares.
```

***

### 9. Boot and Initialization Logs

```
/var/log/boot.log: Logs generated during system boot.
/var/log/kern.log: Kernel-specific events during system operation and boot.
```

***

### 10. Miscellaneous Logs

```
/var/log/xorg.0.log: X server (GUI) logs.
/var/log/cloud-init.log: Logs for cloud instance initialization.
/var/log/rkhunter.log: Logs from Rootkit Hunter scans (if installed).
```

***

### 11. Cron Jobs and Task Scheduling

```
/etc/crontab and /var/spool/cron/crontabs/: System-wide and per-user crontabs that define scheduled tasks; review them to identify unauthorized or suspicious cron jobs (executions themselves are logged in /var/log/cron).
/etc/systemd/system/ (e.g., a suspicious persistence.service): Custom systemd unit files, a common persistence location.
```

***

### 12. Mail and Communication

```
/var/log/mail.log or /var/log/maillog: Records incoming and outgoing email messages; look for spam activity or data exfiltration.
```

***

### 13. Cloud and Remote Management Logs

```
/etc/ssh/sshd_config: SSH daemon configuration; review it for weakened authentication settings.
/etc/ssh/authorized_keys: Public keys permitted to log in; check for unauthorized keys.
~/.aws/cli/cache: Cached AWS CLI session credentials.
```

***

### 14. User credentials

```
/usr/bin/passwd: Setuid binary used to change passwords; verify its integrity against the package manager.
/etc/passwd: Lists all system users.
/etc/shadow: Stores hashed passwords for users.
/etc/group: Defines group memberships.
```

***

### 15. Security Policies and Controls

```
/etc/sudoers: Defines sudo permissions; check for unauthorized privilege escalation.
```

***

### 16. Investigate Time Adjustments

```
grep ntp /var/log/syslog: NTP logs can reveal synchronization history or potential anomalies.
grep "time correction" /var/log/syslog
```
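A grep shows that the clock was adjusted; what the timeline needs is the size and sign of each step, because every log timestamp written before a large step is offset from every one written after it. The Python below is an added example, not code from the original page: it pulls corrections out of syslog-style lines and flags those at or above a threshold. The message shapes follow the chronyd "System clock was stepped by" and ntpd "time reset" lines; treat those patterns as assumptions and extend the list for the daemon actually in use. The sample lines are constructed.

```python
# Added example (not from the original page): extract clock-step events from
# a syslog-style file and flag adjustments large enough to break timeline
# correlation. Message patterns are assumed chronyd/ntpd formats.
import re

TIME_DAEMON_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<daemon>chronyd|ntpd)\[\d+\]: (?P<msg>.*)$"
)
# Assumed message formats carrying a signed correction in seconds.
STEP_PATTERNS = [
    re.compile(r"System clock was stepped by (?P<secs>[-+]?\d+\.\d+) seconds"),  # chronyd
    re.compile(r"time reset (?P<secs>[-+]?\d+\.\d+) s"),                         # ntpd
]


def find_clock_adjustments(lines):
    """Return [{'ts', 'daemon', 'seconds', 'msg'}] for every line reporting a step."""
    found = []
    for line in lines:
        m = TIME_DAEMON_LINE.match(line)
        if not m:
            continue
        for pat in STEP_PATTERNS:
            s = pat.search(m.group("msg"))
            if s:
                found.append({"ts": m.group("ts"), "daemon": m.group("daemon"),
                              "seconds": float(s.group("secs")), "msg": m.group("msg")})
                break
    return found


def large_steps(adjustments, threshold_seconds=60.0):
    """Steps at or above the threshold: timestamps on either side are not directly comparable."""
    return [a for a in adjustments if abs(a["seconds"]) >= threshold_seconds]


# Constructed sample lines, not from a real host.
SAMPLE_SYSLOG = """\
Nov 14 21:59:58 web01 chronyd[612]: Selected source 198.51.100.20
Nov 14 22:00:02 web01 chronyd[612]: System clock was stepped by 0.012345 seconds
Nov 14 23:14:31 web01 chronyd[612]: System clock was stepped by 3600.000123 seconds
Nov 14 23:20:00 web01 sshd[4201]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Nov 15 01:02:11 db02 ntpd[880]: time reset -7200.500000 s
""".splitlines()

if __name__ == "__main__":
    adjustments = find_clock_adjustments(SAMPLE_SYSLOG)
    for a in large_steps(adjustments):
        print(f"{a['ts']} {a['daemon']}: clock stepped {a['seconds']:+.3f} s; "
              f"re-anchor events logged before this point")
```

Run it over the syslog or messages file (and journalctl output converted to the same short-timestamp form) for each host in scope. A step of an hour or more with no matching maintenance record, or one that coincides with the activity under investigation, is a reason to verify the host's timekeeping before building a cross-host timeline.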

***

### 17. Database Logs - tracks database activities, errors, and slow queries

```
/var/log/mysql/error.log
/var/log/postgresql/postgresql--main.log
```
