Logs
Enumerate
journalctl
Shows logs from the systemd journal, including system service logs and kernel messages.
dmesg
Prints the kernel ring buffer: kernel, hardware and driver messages since boot.
ls -ltr /var/log/
Lists the log files in /var/log in reverse time order (oldest first, most recently modified at the bottom).
grep 'keyword' /var/log/syslog
Searches for 'keyword' in the syslog file.
grep -R <service-name> /var/log
Recursively searches every file under /var/log for the service name.
awk '/^Sep 10/,/^Sep 12/' /var/log/syslog
Prints the syslog entries from the first line beginning with 'Sep 10' through the first line beginning with 'Sep 12' (the awk range pattern closes at the first end match, so only the first 'Sep 12' line is included, and nothing is printed if no line starts with 'Sep 10').
find /var/log -type f -mtime -7
Finds log files modified in the last 7 days.
zgrep 'keyword' /var/log/syslog*.gz
Searches for 'keyword' in the compressed (rotated) syslog archives in /var/log.
cat /var/log/messages
Displays the system messages log.
cat /var/log/auth.log
Displays the authentication log.
cat /var/log/syslog
Displays the system log.
strings /var/log/wtmp
Prints the printable strings (usernames, hosts, ttys) from the binary wtmp login database.
head /var/log/secure
Shows the first 10 lines of /var/log/secure.
Check multiple logs for info:
Search for keyword in datetime range:
Systemd search for keyword in datetime range:
SysV search for keyword in datetime range:
SysV search for keyword in datetime range (Separate commands):
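The datetime-range searches named above, as an added example that is not part of the original page: a POSIX sh function (the name syslog_range is my own) that filters a classic "Mon DD HH:MM:SS host ..." syslog file by a start and end timestamp plus a keyword, and a thin journalctl wrapper (journal_range, also my own name) that uses the journal's native --since/--until instead. The sample log lines are constructed for the demo and are not real data.

```shell
#!/bin/sh
# Added example (not from the original page): search a traditional
# "Mon DD HH:MM:SS host ..." syslog file for a keyword inside a datetime
# range. The awk range pattern /^Sep 10/,/^Sep 12/ only works when a line
# starting with the exact start date exists and it stops at the first end
# match; this version compares a sortable timestamp key for every line.
# Caveat: classic syslog timestamps carry no year, so a range that wraps
# the new year has to be split into two searches.

# Usage: syslog_range FILE "Mon DD HH:MM:SS" "Mon DD HH:MM:SS" KEYWORD
syslog_range() {
    awk -v start="$2" -v end="$3" -v kw="$4" '
    # Turn "Sep 10 08:15:01" into "0910081501" so string order == time order.
    function tskey(ts,    p, t) {
        split(ts, p, " "); split(p[3], t, ":")
        return sprintf("%02d%02d%02d%02d%02d", mon[p[1]], p[2], t[1], t[2], t[3])
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        s = tskey(start); e = tskey(end)
    }
    NF >= 3 {
        k = tskey($1 " " $2 " " $3)
        if (k >= s && k <= e && index($0, kw)) print
    }' "$1"
}

# Same search against the systemd journal, which takes the range natively.
# Usage: journal_range "2024-09-10" "2024-09-12 23:59:59" KEYWORD
journal_range() {
    journalctl --no-pager --since "$1" --until "$2" | grep -F -- "$3"
}

# Constructed sample log (not real data) so the function can be tried offline.
write_sample() {
    cat > "$1" <<'EOF'
Sep  9 23:59:59 host sshd[100]: Failed password for root from 203.0.113.5 port 4444 ssh2
Sep 10 08:15:01 host sshd[101]: Failed password for admin from 203.0.113.5 port 4445 ssh2
Sep 11 12:00:00 host CRON[102]: (root) CMD (run-parts /etc/cron.hourly)
Sep 12 23:59:59 host sshd[103]: Accepted password for alice from 198.51.100.7 port 5000 ssh2
Sep 13 00:00:01 host sshd[104]: Failed password for root from 203.0.113.5 port 4446 ssh2
EOF
}

# Demo: the two sshd lines dated Sep 10 through Sep 12 are printed.
sample=$(mktemp)
write_sample "$sample"
syslog_range "$sample" "Sep 10 00:00:00" "Sep 12 23:59:59" "sshd"
rm -f "$sample"
```

The key comparison is inclusive at both ends, and single-digit days ("Sep  9") are handled because awk's default field splitting collapses the double space.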
Typical Logs
System-wide logs:
/var/log: This is the most common location for system-wide logs on SysV-based systems. It usually contains files like messages, auth.log, kern.log, etc.
/var/log/journal: This is the central location for system logs under Systemd. It stores logs in a structured format using the journald service.
/var/log/audit: This directory stores audit logs related to user activity and system events.
Application-specific logs:
Check application documentation or configuration files for their specific log locations. They might be under /var/log or in application-specific directories like /var/log/<application_name>.
Common Log Locations
/var/log/auth.log
Contains authentication-related logs, including login attempts and failures.
/var/log/syslog
General system log file containing messages from various system services.
/var/log/messages
Another system log file similar to syslog, often used by older Unix systems.
/var/log/secure
Contains security-related logs, including authentication and authorization events.
/var/log/audit/audit.log
Contains audit logs generated by the Linux audit subsystem for security analysis.
/var/log/daemon.log
Contains logs specific to daemon processes, such as syslogd or sshd.
/var/log/kern.log
Contains kernel-related logs, including hardware errors and kernel messages.
/var/log/cron
Contains logs related to cron jobs, including scheduled tasks and job output.
/var/log/maillog or /var/log/mail.log
Contains logs related to email services, such as sendmail or postfix.
/var/log/httpd/access_log
Contains access logs for the Apache HTTP server.
/var/log/httpd/error_log
Contains error logs for the Apache HTTP server.
/var/log/nginx/access.log
Contains access logs for the Nginx web server.
/var/log/nginx/error.log
Contains error logs for the Nginx web server.
/var/log/mysql/error.log
Contains error logs for the MySQL database server.
/var/log/mysql/mysql.log
Contains general logs for the MySQL database server.
/var/log/sshd.log
Contains logs specific to the SSH daemon.
/var/log/lastlog
Contains information about the last login times of users.
/var/log/wtmp
Contains information about user logins, logouts, and system reboots.
/var/log/apache2/ or /var/log/httpd/
Web server access and error logs.
/var/log/boot.log
System boot messages.
/var/log/dmesg
Kernel ring buffer messages, useful for hardware and driver messages.
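An added example, not from the original page, for working through the list above on a live host: a POSIX sh function (log_inventory, my own name) that reports which of the candidate files exist, whether the current user can read them, their size, and whether they were modified within the last N days. The default path list is the one on this page; the fixture files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): check which of the candidate log
# files exist on this host, whether they are readable by the current user,
# their size in bytes, and whether they changed in the last DAYS days. Many of
# them are root-only (auth.log, secure, audit.log), so "unreadable" when
# running unprivileged is expected and does not mean the log is missing.

# Usage: log_inventory DAYS [PATH ...]   (defaults to the list from this page)
log_inventory() {
    days=$1; shift
    if [ $# -eq 0 ]; then
        set -- /var/log/auth.log /var/log/syslog /var/log/messages /var/log/secure \
               /var/log/audit/audit.log /var/log/daemon.log /var/log/kern.log \
               /var/log/cron /var/log/maillog /var/log/mail.log \
               /var/log/httpd/access_log /var/log/httpd/error_log \
               /var/log/nginx/access.log /var/log/nginx/error.log \
               /var/log/mysql/error.log /var/log/mysql/mysql.log \
               /var/log/sshd.log /var/log/lastlog /var/log/wtmp \
               /var/log/boot.log /var/log/dmesg
    fi
    for f in "$@"; do
        [ -e "$f" ] || continue              # absent on this distro/host: skip silently
        if [ -r "$f" ]; then size=$(wc -c < "$f" | tr -d ' '); else size=unreadable; fi
        # find -mtime -N prints the path only if it was modified within N days
        if [ -n "$(find "$f" -mtime -"$days" 2>/dev/null)" ]; then recent=yes; else recent=no; fi
        printf '%s\t%s\t%s\n' "$f" "$size" "$recent"
    done
}

# Constructed fixture (not real logs) to exercise the function offline:
# one freshly written file and one with an old timestamp.
make_fixture() {
    mkdir -p "$1"
    printf 'Sep 10 08:15:01 host sshd[101]: Failed password for admin\n' > "$1/auth.log"
    : > "$1/old.log"
    touch -t 202001010000 "$1/old.log"      # POSIX touch -t: 2020-01-01 00:00
}

# Demo against the page's default list; run as root to see the restricted files.
log_inventory 7
```

A file that exists but shows "unreadable" is the cue to re-run with elevated privileges; a file that exists but has not changed in a week on a busy service is worth a second look at its rotation and at whether logging for that service is actually working.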
Syslog
Potential configuration file locations: /etc/syslog
/etc/syslog.conf
/etc/syslog/syslog/syslog.conf
Facilities: What is being logged (which subsystem the message comes from)
Auth (or Authpriv): User logins and failed logins. Any security logs will probably be stored here.
Kern: Kernel messages, essentially system-level logs: system crashes, system startup and shutdown.
Mail: Any logs from the mail daemon.
Cron: Any logs from crond. Typically these are debug messages and job completions.
News: Network news subsystem (not usually seen)
LPR: Printer logs.
User: User applications
Local0-7: Reserved for local system use. They are custom facilities, so they can be pointed at whatever you want to log.
Priority: At what level it is being logged. A selector written as facility.priority matches that priority and everything more severe (the numerically lower levels), not just that one level.
7 - Debug: Debug info
6 - Info: Just info
5 - Notice: Normal but significant info
4 - Warning: Significant info
3 - Error: Something can't run
2 - Critical: Very significant info
1 - Alert: Something is happening
0 - Emergency: System crash
Examples:
Kern.0 /var/log/kern
This means log kernel messages at priority emergency (0) to /var/log/kern.
*.0 /var/log/emrg
This means log emergency messages from every facility to /var/log/emrg.
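To check a facility/priority selector against a real config rather than reasoning it out by hand, here is an added example that is not from the original page: a POSIX sh function (syslog_route, my own name) that reads syslog.conf-style lines and prints the actions that would receive a message of the given facility and priority. It implements the "priority and more severe" rule, the * wildcard on either side, comma-separated facility lists and semicolon-separated selectors; the =, ! and none modifiers and rsyslog's RainerScript syntax are deliberately out of scope. The sample config is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): given a facility and a priority,
# print which actions in a syslog.conf/rsyslog.conf-style file receive the
# message. A "facility.priority" selector matches that priority and everything
# more severe (numerically lower); "*" is a wildcard on either side.
# The "=", "!" and "none" modifiers are not handled here.

# Usage: syslog_route FACILITY PRIORITY CONFIG_FILE
syslog_route() {
    awk -v fac="$1" -v pri="$2" '
    BEGIN {
        n = split("emerg alert crit err warning notice info debug", names, " ")
        for (i = 1; i <= n; i++) level[names[i]] = i - 1   # emerg=0 ... debug=7
        level["panic"] = 0; level["error"] = 3; level["warn"] = 4  # common aliases
        for (i = 0; i <= 7; i++) level[i] = i                # numeric form, as on this page
        fac = tolower(fac); pri = tolower(pri)
        if (!(pri in level)) { print "unknown priority: " pri > "/dev/stderr"; exit 2 }
        want = level[pri]
    }
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
    NF >= 2 {
        action = $2
        ns = split($1, sels, ";")                 # several selectors may share one action
        for (i = 1; i <= ns; i++) {
            split(sels[i], fp, ".")
            p = tolower(fp[2])
            nf = split(tolower(fp[1]), facs, ",")   # "auth,authpriv.*" style lists
            for (j = 1; j <= nf; j++) {
                if (facs[j] != "*" && facs[j] != fac) continue
                if (p == "*" || (p in level && want <= level[p])) { print action; break }
            }
        }
    }' "$3"
}

# Constructed sample config (not a real host's file) for trying the function.
write_sample_conf() {
    cat > "$1" <<'EOF'
# facility.priority   action
kern.0                /var/log/kern
*.0                   /var/log/emrg
auth,authpriv.*       /var/log/auth.log
mail.info             -/var/log/mail.log
EOF
}

# Demo: a kernel emergency hits both kern.0 and *.0; a mail notice is more
# severe than info, so mail.info takes it; a mail debug message goes nowhere.
conf=$(mktemp)
write_sample_conf "$conf"
echo "kern emerg ->";  syslog_route kern emerg  "$conf"
echo "mail notice ->"; syslog_route mail notice "$conf"
echo "mail debug ->";  syslog_route mail debug  "$conf"
rm -f "$conf"
```

Point it at /etc/syslog.conf or /etc/rsyslog.conf (legacy selector lines only) to confirm where a given class of message actually lands before relying on that file during triage.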
Rsyslog
Potential configuration file locations: /etc/rsyslog
/etc/rsyslog.conf
/etc/rsyslog/rsyslog/rsyslog.conf
Modify
sed -i
Modifies the original file in place.
Looks for lines containing pattern in file.txt and replaces oldKeyword with newKeyword on those lines. Could use this to look for timestamps in logs and modify the user of the actions or change the actions to something less suspect.
Replace keyword within datetime range: