
Linux system logs are text files that record system events, user activities, authentication attempts, application errors, and security incidents. They are constantly being written to with events from applications and kernel activity. For cybersecurity professionals, logs are critical for detecting suspicious activity such as failed login attempts, privilege escalation, and unauthorized access, although attackers often try to modify logs to hide their tracks.
Here is some basic information about different Linux logs, where they are stored, and what they contain.
Kernel logs
Located in /var/log/kern.log, kernel logs contain information about the kernel, hardware drivers, system calls, and kernel events. They can reveal outdated drivers and provide insight into system crashes, resource limitations, and other conditions that can lead to a denial of service (DoS). They can also help identify suspicious system calls or other activity that could indicate the presence of malware or other malicious software on the system. You can monitor the kern.log file to detect unusual behavior.
System logs
Located in /var/log/syslog, the system log contains information about system-level events such as service starts and stops, logins, reboots, etc. It can be used to identify vulnerabilities that could be exploited.
Authentication logs
Located in /var/log/auth.log, this log focuses specifically on user authentication attempts, making it a valuable resource for identifying potential security threats. We can also see information such as which groups a user is a member of.
Application Logs
These contain information about the activities of specific applications running on the system and are particularly important when assessing applications such as web servers and databases (for example /var/log/apache2/error.log and /var/log/mysql/error.log). They can be analyzed to spot unauthorized access attempts or data exfiltration. For example, access logs keep a record of user and process activity on the system, including login attempts, file accesses, and network connections. Audit logs record security-relevant events on the system, such as modifications to system configuration files or attempts to modify system files or settings.
Security Logs
These logs are stored across multiple file locations. It's important to understand where the security logs for specific events are located and how to use the tail, grep, and sed commands to find them.
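As an added example (not part of the original write-up), the shell functions below use grep, sed and awk to pull two of the signals mentioned above out of auth.log-style text: repeated failed SSH password attempts per source address, and sudo privilege use. The log lines are constructed and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example: summarise auth.log-style input with grep/sed/awk.
# The sample lines below are constructed, not taken from a real host.

SAMPLE_AUTH_LOG='Mar  3 10:01:12 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:15 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
Mar  3 10:01:19 host sshd[2213]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 10:02:01 host sshd[2215]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:40 host sshd[2218]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar  3 10:03:05 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update'

# Read log text on stdin and print "count ip" for every source address
# with at least $1 failed password attempts (default 3). A burst of
# failures from one address is the classic brute-force indicator.
failed_logins_by_ip() {
    local threshold="${1:-3}"
    grep 'sshd\[[0-9]*\]: Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Read log text on stdin and print "user -> target: command" for each
# sudo invocation, which is where privilege escalation shows up.
sudo_commands() {
    grep ' sudo: ' \
      | sed -n 's/.* sudo: *\([^ ]*\) : .*USER=\([^ ]*\) ; COMMAND=\(.*\)$/\1 -> \2: \3/p'
}

# Stand-alone run over the constructed sample; on a live system you would
# feed it with: tail -n 1000 /var/log/auth.log | failed_logins_by_ip 5
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_commands
```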
