# Logs

## <mark style="color:red;">Enumerate</mark>

<table data-header-hidden data-full-width="true"><thead><tr><th>Command</th><th>Description</th></tr></thead><tbody><tr><td><mark style="color:yellow;"><code>journalctl</code></mark></td><td>Logs from the systemd journal: system service logs and kernel messages. <code>-u &lt;unit&gt;</code> limits to one service, <code>-p err</code> to a priority and above, <code>-b</code> to the current boot.</td></tr><tr><td><mark style="color:yellow;"><code>dmesg</code></mark></td><td>Kernel ring buffer: kernel and driver messages since boot (may need root on hardened kernels).</td></tr><tr><td><mark style="color:yellow;"><code>ls -ltr /var/log/</code></mark></td><td>Lists /var/log sorted by modification time, oldest first, so the most recently written logs end up at the bottom.</td></tr><tr><td><mark style="color:yellow;"><code>grep 'keyword' /var/log/syslog</code></mark></td><td>Searches for 'keyword' in the syslog file.</td></tr><tr><td><mark style="color:yellow;"><code>grep -R &lt;service-name&gt; /var/log</code></mark></td><td>Recursive search of every file under /var/log for a service name or keyword (add <code>-a</code> to search binary files such as wtmp as text).</td></tr><tr><td><mark style="color:yellow;"><code>awk '/^Sep 10/,/^Sep 12/' /var/log/syslog</code></mark></td><td>Range pattern for the traditional timestamp format: prints from the first line starting with "Sep 10" through the first line starting with "Sep 12", i.e. all of Sep 10 and Sep 11 plus the first Sep 12 entry.</td></tr><tr><td><mark style="color:yellow;"><code>find /var/log -type f -mtime -7</code></mark></td><td>Finds log files modified in the last 7 days.</td></tr><tr><td><mark style="color:yellow;"><code>zgrep 'keyword' /var/log/syslog*.gz</code></mark></td><td>Searches for 'keyword' in rotated, gzip-compressed syslog files without extracting them.</td></tr><tr><td><mark style="color:yellow;"><code>cat /var/log/messages</code></mark></td><td>Display the general system log (RHEL/CentOS/Fedora naming).</td></tr><tr><td><mark style="color:yellow;"><code>cat /var/log/auth.log</code></mark></td><td>Display authentication logs (Debian/Ubuntu naming; RHEL-family uses /var/log/secure).</td></tr><tr><td><mark style="color:yellow;"><code>cat /var/log/syslog</code></mark></td><td>Display the general system log (Debian/Ubuntu naming).</td></tr><tr><td><mark style="color:yellow;"><code>strings /var/log/wtmp</code></mark></td><td>wtmp is binary; <code>strings</code> pulls out usernames, hostnames and ttys. <code>last -f /var/log/wtmp</code> gives the parsed login history.</td></tr><tr><td><mark style="color:yellow;"><code>head /var/log/secure</code></mark></td><td>Shows the first 10 lines (use <code>tail -f</code> to follow new entries).</td></tr></tbody></table>

Check the file type of several logs at once (wtmp, btmp and lastlog are binary and need `last`, `lastb` or `lastlog` rather than `cat`):

```bash
file /var/log/secure; file /var/log/wtmp; file /var/log/messages
```

Search for keyword in datetime range. This is a plain string comparison on the first two fields, so it only works where the timestamp sorts as text, e.g. `YYYY-MM-DD HH:MM:SS`; the traditional `Mon DD HH:MM:SS` format does not sort this way and needs a range pattern instead:

{% code overflow="wrap" %}

```bash
grep "keyword" /var/log/syslog | awk '($1 " " $2) >= "start_datetime" && ($1 " " $2) <= "end_datetime"'
```

{% endcode %}

{% code overflow="wrap" %}

```bash
grep "error" /var/log/syslog | awk '($1 " " $2) >= "2024-01-01 08:00:00" && ($1 " " $2) <= "2024-01-02 12:00:00"'
```

{% endcode %}

Systemd search for keyword in datetime range (`--since`/`--until` take absolute timestamps as below or relative ones such as `yesterday` and `-1h`):

```bash
journalctl --since [start_date] --until [end_date] | grep [keyword]
```

{% code overflow="wrap" %}

```bash
journalctl --since "2024-02-07 10:00:00" --until "2024-02-07 12:00:00" | grep [keyword]
```

{% endcode %}

SysV search for keyword in datetime range. `sed -n '/start/,/end/p'` prints from the first line matching the start pattern to the next line matching the end pattern, so both timestamps must literally occur on some line; if the end pattern never matches, the range runs to end of file. The `tail` keeps the search to the last 1000 lines:

{% code overflow="wrap" %}

```bash
tail -n 1000 /var/log/messages | sed -n '/[start_date] [start_time]/,/[end_date] [end_time]/p' | grep [keyword]
```

{% endcode %}

SysV search for keyword in datetime range (awk range pattern over the whole file, same start/end semantics):

{% code overflow="wrap" %}

```bash
awk '/[start_date] [start_time]/,/[end_date] [end_time]/' /var/log/messages | grep [keyword]
```

{% endcode %}
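The range searches above need the exact start and end timestamps to appear in the file, and the string-comparison version only works for ISO-style stamps. The following is an added example, not from the original page: a `syslog_range` function that handles the traditional `Mon DD HH:MM:SS` format by rewriting each stamp into a sortable `MMDD HH:MM:SS` key, so any start/end values work even if no line carries them exactly. The sample log lines, hostnames and addresses are constructed for the demo; the function assumes one year of data in chronological order.

```sh
#!/bin/sh
# Added example, not from the original page: keyword search within a datetime
# range for the traditional syslog timestamp ("Sep 10 08:00:00 host prog: msg").
# Those stamps do not sort as plain strings (and carry no year), so each one is
# rewritten to a fixed-width "MMDD HH:MM:SS" key before the range comparison.
# Assumes the log covers a single year and is in chronological order.
#
# usage: syslog_range FILE "Sep 10 08:00:00" "Sep 11 12:00:00" [KEYWORD]
syslog_range() {
    file=$1 start=$2 end=$3 keyword=${4:-}
    awk -v start="$start" -v end="$end" -v kw="$keyword" '
        # "Sep 10 08:00:00" -> "0910 08:00:00" (zero-padded, so string order = time order)
        function key(s,    f) {
            split(s, f, " ")
            return sprintf("%02d%02d %s", mon[f[1]], f[2], f[3])
        }
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i in m) mon[m[i]] = i
            ks = key(start); ke = key(end)
        }
        {
            k = key($1 " " $2 " " $3)
            # keep lines inside [start, end]; the keyword filter is a plain substring match
            if (k >= ks && k <= ke && (kw == "" || index($0, kw) > 0)) print
        }
    ' "$file"
}

# Constructed sample log (not real data) written to a temp file; prints its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Sep 10 07:59:59 web01 sshd[1200]: Accepted publickey for deploy from 10.0.0.5 port 51122 ssh2
Sep 10 08:00:00 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 40022 ssh2
Sep 10 23:10:41 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Sep 11 02:30:15 web01 sshd[1340]: Failed password for admin from 203.0.113.7 port 40100 ssh2
Sep 11 12:00:01 web01 sshd[1400]: Failed password for root from 198.51.100.9 port 40200 ssh2
Oct  1 00:00:05 web01 sshd[2000]: Failed password for root from 203.0.113.7 port 41000 ssh2
EOF
    echo "$f"
}

# Demo: the two "Failed password" lines between Sep 10 08:00:00 and Sep 11 12:00:00
log=$(make_sample_log)
syslog_range "$log" "Sep 10 08:00:00" "Sep 11 12:00:00" "Failed password"
rm -f "$log"
```

The end bound is inclusive to the second, so the `12:00:01` entry is left out, and the October line is excluded by the month prefix of the key rather than by string luck. Leaving the keyword empty returns every entry in the window, which is the usual first pass when building a timeline.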

### <mark style="color:purple;">Typical Logs</mark>

#### <mark style="color:green;">System-wide logs:</mark>

/var/log: The standard location for system-wide logs on traditional syslog (SysV-style) systems. Debian/Ubuntu write syslog, auth.log and kern.log here; the RHEL family writes messages, secure and cron.

/var/log/journal: Persistent storage for the systemd journal, kept in journald's binary format and read with journalctl rather than cat. It only exists when persistent storage is enabled (Storage=persistent, or the directory has been created); otherwise the journal lives in /run/log/journal and is lost at reboot.

/var/log/audit: Logs from the Linux audit subsystem (auditd): syscalls, file access and user activity according to the loaded audit rules.

#### <mark style="color:green;">Application-specific logs:</mark>

Check application documentation or configuration files for their specific log locations. They might be under /var/log, in application-specific directories like /var/log/\<application\_name>, or, for services managed by systemd, only in the journal (`journalctl -u <unit>`).

### <mark style="color:purple;">Common Log Locations</mark>

| Log File                              | Description                                                                        |
| ------------------------------------- | ---------------------------------------------------------------------------------- |
| /var/log/auth.log                     | Authentication and authorization events (logins, failures, sudo, PAM) on Debian/Ubuntu. |
| /var/log/syslog                       | General system log on Debian/Ubuntu, fed by rsyslog from most facilities.          |
| /var/log/messages                     | General system log on RHEL/CentOS/Fedora and other syslog-based systems; the counterpart of syslog. |
| /var/log/secure                       | Authentication and authorization events on RHEL-family systems; the counterpart of auth.log. |
| /var/log/audit/audit.log              | Records from the Linux audit subsystem (auditd); query with ausearch and aureport.  |
| /var/log/daemon.log                   | Messages from background daemons (the daemon facility) on Debian/Ubuntu.           |
| /var/log/kern.log                     | Kernel messages (the kern facility): hardware errors, driver and netfilter output.  |
| /var/log/cron                         | cron job scheduling and execution on RHEL-family systems (Debian/Ubuntu send cron to syslog by default). |
| /var/log/maillog or /var/log/mail.log | Mail services such as sendmail, postfix or dovecot.                                |
| /var/log/httpd/access\_log            | Apache HTTP server access log (RHEL-family layout).                                |
| /var/log/httpd/error\_log             | Apache HTTP server error log (RHEL-family layout).                                 |
| /var/log/nginx/access.log             | Nginx access log.                                                                  |
| /var/log/nginx/error.log              | Nginx error log.                                                                   |
| /var/log/mysql/error.log              | MySQL/MariaDB server error log.                                                    |
| /var/log/mysql/mysql.log              | MySQL general query log; only written when general\_log is enabled.                |
| /var/log/sshd.log                     | Not a default location: sshd logs through syslog to auth.log or secure, and to the journal under systemd (`journalctl -u sshd`). Only present where an admin configured it. |
| /var/log/lastlog                      | Binary record of each user's last login; read with `lastlog`.                      |
| /var/log/wtmp                         | Binary record of logins, logouts and reboots; read with `last`.                    |
| /var/log/btmp                         | Binary record of failed login attempts; read with `lastb`.                         |
| /var/log/apache2/ or /var/log/httpd/  | Apache log directory on Debian/Ubuntu and on the RHEL family respectively.         |
| /var/log/boot.log                     | Service start messages from the last boot.                                         |
| /var/log/dmesg                        | Kernel ring buffer saved at boot (not present on every distro); `dmesg` shows the live buffer. |

### <mark style="color:purple;">Syslog</mark>

Potential configuration locations (these define where the logs go, they are not logs themselves): \
/etc/syslog.conf (classic sysklogd / BSD syslog)

/etc/syslog-ng/syslog-ng.conf (syslog-ng)

#### <mark style="color:green;">Facilities: What is being logged</mark>

<mark style="color:orange;">**auth (or authpriv)**</mark>: Logins, failed logins, sudo and PAM events. authpriv is the variant for messages that should not be world-readable; the security-relevant logs are almost always here.

<mark style="color:orange;">**kern**</mark>: Kernel messages: hardware, drivers, panics, netfilter output, shutdown and boot.

<mark style="color:orange;">**mail**</mark>: Any logs from the mail daemon.

<mark style="color:orange;">**cron**</mark>: Any logs from crond: job start/completion and, at higher verbosity, debug messages.

<mark style="color:orange;">**daemon**</mark>: Background services that do not have a facility of their own.

<mark style="color:orange;">**news**</mark>: Network news subsystem (rarely seen today).

<mark style="color:orange;">**lpr**</mark>: Printer logs.

<mark style="color:orange;">**user**</mark>: Default facility for user-space programs that do not set one (scripts, the `logger` command).

<mark style="color:orange;">**local0-7**</mark>: Reserved for site-local use. Nothing claims them by default, so firewalls, load balancers and custom applications are typically routed through them and the config decides where they land.

#### <mark style="color:green;">Priority: At what level it is being logged</mark>

Numeric code, the name used in syslog/rsyslog selectors, and meaning:

<mark style="color:orange;">**7**</mark> - <mark style="color:orange;">**debug**</mark>: Debug-level detail, normally off in production

<mark style="color:orange;">**6**</mark> - <mark style="color:orange;">**info**</mark>: Informational, normal operation

<mark style="color:orange;">**5**</mark> - <mark style="color:orange;">**notice**</mark>: Normal but significant condition

<mark style="color:orange;">**4**</mark> - <mark style="color:orange;">**warning**</mark>: Something may go wrong if ignored

<mark style="color:orange;">**3**</mark> - <mark style="color:orange;">**err**</mark>: Error condition; something failed to run

<mark style="color:orange;">**2**</mark> - <mark style="color:orange;">**crit**</mark>: Critical condition, e.g. a hardware failure

<mark style="color:orange;">**1**</mark> - <mark style="color:orange;">**alert**</mark>: Action must be taken immediately

<mark style="color:orange;">**0**</mark> - <mark style="color:orange;">**emerg**</mark>: System is unusable

A selector `facility.priority` matches that priority and everything more severe, so `kern.err` captures err, crit, alert and emerg. `facility.=priority` matches exactly that level and `facility.none` excludes the facility from a rule.

Examples:

kern.emerg /var/log/kern

This means log kernel emergency messages (priority 0) to /var/log/kern

\*.emerg /var/log/emrg

This means log every facility's emergency messages to /var/log/emrg
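On the wire (and in /dev/log traffic or a pcap) the facility and priority are not spelled out: a message starts with a numeric PRI field computed as facility × 8 + severity, e.g. `<34>` for auth.crit. The following is an added example, not from the original page, with helper functions named `decode_pri`, `encode_pri` and `decode_line` (names chosen here) that convert between the two forms using the facility and priority numbering listed above. The sample message is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the original page: decode the numeric PRI that leads a
# raw syslog message on the wire, e.g. "<34>Sep 10 08:00:00 web01 su: ...".
# PRI = facility * 8 + severity, using the facility and priority numbers above
# (0 = emerg ... 7 = debug; kern = 0 ... local7 = 23).

# Facility codes 0..23 and severity codes 0..7 in numeric order
FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7"
SEVERITIES="emerg alert crit err warning notice info debug"

# Nth space-separated word of a list (1-based)
nth_word() { echo "$2" | cut -d' ' -f"$1"; }

# decode_pri 34  -> auth.crit ; returns 1 for anything outside 0..191
decode_pri() {
    pri=$1
    case $pri in ''|*[!0-9]*) echo "invalid PRI: $pri" >&2; return 1 ;; esac
    [ "$pri" -le 191 ] || { echo "invalid PRI: $pri" >&2; return 1; }
    echo "$(nth_word $((pri / 8 + 1)) "$FACILITIES").$(nth_word $((pri % 8 + 1)) "$SEVERITIES")"
}

# encode_pri auth crit -> 34 ; the inverse, handy when crafting test messages
encode_pri() {
    fac=0; for name in $FACILITIES; do [ "$name" = "$1" ] && break; fac=$((fac + 1)); done
    sev=0; for name in $SEVERITIES; do [ "$name" = "$2" ] && break; sev=$((sev + 1)); done
    [ "$fac" -le 23 ] && [ "$sev" -le 7 ] || { echo "unknown facility/severity: $1 $2" >&2; return 1; }
    echo $((fac * 8 + sev))
}

# decode_line '<34>Sep 10 ...' -> auth.crit (strips the <N> prefix off a raw message)
decode_line() {
    pri=$(printf '%s\n' "$1" | sed -n 's/^<\([0-9]\{1,3\}\)>.*/\1/p')
    [ -n "$pri" ] || { echo "no PRI prefix" >&2; return 1; }
    decode_pri "$pri"
}

# Demo on a constructed raw message (not captured from a real system)
decode_line '<34>Sep 10 08:00:00 web01 su[1450]: FAILED SU (to root) deploy on pts/0'
```

To see a real PRI go by, `logger -p auth.crit "test"` on one terminal while `strace`-ing or sniffing the syslog socket on another produces exactly the `<34>` prefix the demo decodes; the same arithmetic applies to messages forwarded over UDP/514 or TLS to a central collector.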

### <mark style="color:purple;">Rsyslog</mark>

Potential configuration locations (where rsyslog decides which file each facility/priority goes to):\
/etc/rsyslog.conf (main file)

/etc/rsyslog.d/\*.conf (drop-in files included from the main one; most distro and package rules live here)

## <mark style="color:red;">Modify</mark>

<mark style="color:yellow;">`sed -i`</mark> modifies the original file. It does so by writing a new file and renaming it over the old one, so the log gets a new inode and a fresh mtime/ctime; an auditd watch on /var/log records the write, and the systemd journal is binary and cannot be edited this way at all.

Look for lines containing pattern in file.txt and replace oldKeyword with newKeyword on those lines only. This can be used to find the timestamps of actions in a log and change the user attributed to them, or rewrite the actions themselves to something less suspicious.

```bash
sed -i '/pattern/s/oldKeyword/newKeyword/' file.txt
```

Replace keyword within datetime range. The sed range runs from the first line matching the start timestamp to the next line matching the end timestamp, so both must literally appear in the file; if the end timestamp never matches, the replacement continues to end of file:

{% code overflow="wrap" %}

```bash
sed -i '/start_date start_time/,/end_date end_time/s/old_keyword/new_keyword/g' filename
```

{% endcode %}

{% code overflow="wrap" %}

```bash
sed -i '/2024-01-01 08:00:00/,/2024-01-02 12:00:00/s/error/warning/g' example.log
```

{% endcode %}
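The `sed -i` form above leaves obvious metadata traces. The following is an added example, not from the original page: a `replace_in_range` function (name chosen here) that performs the same range-limited substitution but writes the result back over the existing file, so the inode is unchanged, and restores the original mtime with `touch -r`. The sample log lines are constructed. One caveat worth knowing before relying on it: ctime cannot be set from userland, so `stat` still reveals when the inode was last written.

```sh
#!/bin/sh
# Added example, not from the original page: the same range-limited replacement as
# the sed command above, written so it does not churn the file's metadata. `sed -i`
# writes a new file and renames it over the original, which gives the log a new
# inode and a fresh mtime, both easy to spot in a forensic timeline. Here the
# edited text is written back with cat (same inode) and the original mtime is
# restored with touch -r. Caveat: ctime cannot be set from userland, so `stat`
# still shows the change, and an auditd watch on /var/log records the write.
#
# usage: replace_in_range FILE "start_pattern" "end_pattern" old new
replace_in_range() {
    file=$1 start=$2 end=$3 old=$4 new=$5
    ref=$(mktemp) tmp=$(mktemp)
    touch -r "$file" "$ref"                               # remember the original mtime
    sed "/$start/,/$end/s/$old/$new/g" "$file" > "$tmp"  # same range/substitution as above
    cat "$tmp" > "$file"                                  # overwrite in place: inode unchanged
    touch -r "$ref" "$file"                               # put the old mtime back
    rm -f "$ref" "$tmp"
}

# Constructed sample log (not real data) with ISO timestamps, written to a temp file
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2024-01-01 07:59:00 web01 app: error connecting to db
2024-01-01 08:00:00 web01 app: error connecting to db
2024-01-01 10:30:00 web01 app: error auth token rejected
2024-01-02 12:00:00 web01 app: error disk full
2024-01-02 12:00:01 web01 app: error disk full
EOF
    touch -t 202401020900.00 "$f"                         # give it an "old" mtime
    echo "$f"
}

# Count lines containing a word; used to check the result
count_word() { grep -c "$2" "$1"; }

# Demo: only the three lines inside the range lose "error"; mtime and inode survive
log=$(make_sample_log)
replace_in_range "$log" "2024-01-01 08:00:00" "2024-01-02 12:00:00" error warning
cat "$log"
rm -f "$log"
```

The first line (before the start stamp) and the last line (one second after the end stamp) keep their original text, matching the semantics of the sed range. From the defensive side, the same properties are what a reviewer checks: a log whose ctime is later than its mtime, or whose inode differs from the one recorded in a previous snapshot, has been rewritten.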
