Logs and System Auditing
Logs and System Auditing in Linux
Logs and auditing are critical components of Linux security. They help system administrators and cybersecurity professionals monitor system activity, detect anomalies, and investigate security incidents. This module covers how to work with logs and perform basic system auditing.
1. Understanding Linux Logs
Linux maintains logs to record system events, application activity, and security-related actions.
Types of Logs:
| Log File | Purpose |
|---|---|
/var/log/syslog |
General system messages |
/var/log/auth.log |
Authentication attempts and sudo usage |
/var/log/kern.log |
Kernel events |
/var/log/dmesg |
Boot-time messages |
/var/log/faillog |
Failed login attempts |
/var/log/secure |
Security events (Red Hat-based systems) |
Why logs matter for cybersecurity:
- Detect unauthorized access
- Monitor system performance
- Investigate suspicious behavior
- Maintain compliance and auditing records
2. Viewing Logs with journalctl
Modern Linux systems using systemd store logs in a binary journal accessible via journalctl.
Common Commands:
View all logs:
sudo journalctl
View logs in real-time:
sudo journalctl -f
View logs for a specific service (e.g., SSH):
sudo journalctl -u ssh
View logs from the current boot:
sudo journalctl -b
3. Monitoring Login Attempts
Tracking login activity is essential for detecting unauthorized access attempts.
Check Authentication Logs:
sudo cat /var/log/auth.log
Common commands for login monitoring:
- Last successful logins:
last
- Last failed login attempts:
sudo faillog -a
- Check who is currently logged in:
who
4. Detecting Suspicious Activities
Cybersecurity professionals look for anomalies or unusual behavior in logs:
- Multiple failed login attempts → potential brute-force attack
- Login from unknown IP addresses → unauthorized access
- Unexpected service restarts → potential compromise
- System error spikes → malware or misconfiguration
Example: Detect repeated failed logins
sudo grep "Failed password" /var/log/auth.log
Example: Monitor sudo usage
sudo grep "sudo" /var/log/auth.log
Automate monitoring with watch:
watch -n 10 'sudo tail -n 20 /var/log/auth.log'
This command updates the last 20 lines of the log every 10 seconds, providing near real-time monitoring.
Cybersecurity Importance
- Logs are the first place to identify intrusions or policy violations
- Regular auditing prevents unauthorized access and data breaches
- Helps build a timeline of security events during investigations
- Supports compliance with regulations and internal policies
Module Summary
Students should now understand:
- The types of Linux logs and their purposes
- How to view logs with
journalctland traditional log files - How to monitor login attempts and active sessions
- How to detect suspicious or malicious activities
- The role of logs and auditing in maintaining Linux security