#readwise
# Linux Fundamentals - System Logs

## Metadata
- Author: [[Hack The Box]]
- Full Title: Linux Fundamentals - System Logs
- URL: https://academy.hackthebox.com/module/18/section/2100
## Summary
System logs on Linux are files that record important information about system activities and security events. They help monitor system behavior and identify potential vulnerabilities. Different types of logs include kernel logs, system logs, authentication logs, application logs, and security logs. Analyzing these logs is crucial for detecting issues and improving overall system security.
## Highlights
System logs on Linux are a set of files that contain information about the system and the activities taking place on it. These logs are important for monitoring and troubleshooting the system, as they can provide insights into system behavior, application activity, and security events. These system logs can be a valuable source of information for identifying potential security weaknesses and vulnerabilities within a Linux system as well. ([View Highlight](https://read.readwise.io/read/01jnay7fnp7tvaq739y6195atv))
---
There are several different types of system logs on Linux, including:
- Kernel Logs
- System Logs
- Authentication Logs
- Application Logs
- Security Logs
([View Highlight](https://read.readwise.io/read/01jnay8k94p7820fbv1ntfkcna))
---
### Kernel logs
These logs contain information about the system's kernel, including hardware drivers, system calls, and kernel events. They are stored in the `/var/log/kern.log` file. For example, kernel logs can reveal the presence of vulnerable or outdated drivers that could be targeted by attackers to gain access to the system. They can also provide insights into system crashes, resource limitations, and other events that could lead to a denial of service or other security issues. In addition, kernel logs can help us identify suspicious system calls or other activities that could indicate the presence of malware or other malicious software on the system. By monitoring the `/var/log/kern.log` file, we can detect any unusual behavior and take appropriate action to prevent further damage to the system. ([View Highlight](https://read.readwise.io/read/01jnay9hx5xhyx7mmx07y1s8pg))
---
### System logs
These logs contain information about system-level events, such as service starts and stops, login attempts, and system reboots. They are stored in the `/var/log/syslog` file. By analyzing login attempts, service starts and stops, and other system-level events, we can detect unexpected access or activity on the system. This can help us identify any vulnerabilities that could be exploited and help us recommend security measures to mitigate these risks. In addition, we can use the `syslog` to identify potential issues that could impact the availability or performance of the system, such as failed service starts or system reboots. ([View Highlight](https://read.readwise.io/read/01jnayaghgs69thw1e1z7ns9e6))
---
### Authentication logs
These logs contain information about user authentication attempts, including successful and failed attempts. They are stored in the `/var/log/auth.log` file. It is important to note that while the `/var/log/syslog` file may contain similar login information, the `/var/log/auth.log` file specifically focuses on user authentication attempts, making it a more valuable resource for identifying potential security threats. Therefore, it is essential for penetration testers to review the logs stored in the `/var/log/auth.log` file to ensure that the system is secure and has not been compromised. ([View Highlight](https://read.readwise.io/read/01jnaybfh51tc81zhej199vqjc))
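An added example, not part of the HTB module: a small Python parser over constructed `/var/log/auth.log` lines (made-up host, users and addresses) that counts failed `sshd` logins per source address, lists the usernames tried, and flags a success that follows earlier failures from the same address.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of the syslog-style lines sshd and sudo write to /var/log/auth.log
# (made-up host, users and addresses, not captured from a real system).
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:14:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:14:05 web01 sshd[2204]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:14:07 web01 sshd[2206]: Failed password for invalid user test from 203.0.113.7 port 51034 ssh2
Mar  3 10:15:41 web01 sshd[2210]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2: ED25519 SHA256:PLACEHOLDERFINGERPRINT
Mar  3 10:16:02 web01 sshd[2212]: Failed password for deploy from 198.51.100.20 port 40120 ssh2
Mar  3 10:16:10 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:17:30 web01 sshd[2215]: Accepted password for root from 203.0.113.7 port 51040 ssh2
"""

# sshd's "Failed password" line carries "invalid user" only when the account does not exist.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port")


def summarize_ssh_auth(text, threshold=3):
    """Count failed sshd logins per source address, flag sources at or above
    `threshold`, and record any login that succeeds *after* earlier failures
    from the same address (the trace a password-guessing run leaves when it hits)."""
    failures = Counter()
    usernames = defaultdict(set)
    success_after_failure = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            usernames[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m["ip"]] > 0:   # Counter returns 0 for unseen keys
            success_after_failure.append((m["ip"], m["user"], m["method"]))
    return {
        "failures_per_ip": dict(failures),
        "usernames_tried": {ip: sorted(u) for ip, u in usernames.items()},
        "over_threshold": {ip: n for ip, n in failures.items() if n >= threshold},
        "success_after_failure": success_after_failure,
    }


if __name__ == "__main__":
    for key, value in summarize_ssh_auth(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

On a live host, replace `SAMPLE_AUTH_LOG` with the contents of `/var/log/auth.log` (or `/var/log/secure` on CentOS/RHEL); the `deploy` login is not flagged because its single failure comes after the successful key-based login.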
---
### Application logs
These logs contain information about the activities of specific applications running on the system. They are often stored in their own files, such as `/var/log/apache2/error.log` for the Apache web server or `/var/log/mysql/error.log` for the MySQL database server. These logs are particularly important when we are targeting specific applications, such as web servers or databases, as they can provide insights into how these applications are processing and handling data. By examining these logs, we can identify potential vulnerabilities or misconfigurations. For example, access logs can be used to track requests made to a web server, while audit logs can be used to track changes made to the system or to specific files. These logs can be used to identify unauthorized access attempts, data exfiltration, or other suspicious activity. ([View Highlight](https://read.readwise.io/read/01jnaye4we5qnnw760p2wk61gx))
---
Access and audit logs are critical logs that record information about the actions of users and processes on the system. They are crucial for security and compliance purposes, and we can use them to identify potential security issues and attack vectors.
For example, `access logs` keep a record of user and process activity on the system, including login attempts, file accesses, and network connections. `Audit logs` record information about security-relevant events on the system, such as modifications to system configuration files or attempts to modify system files or settings. These logs help track potential attacks and activities or identify security breaches or other issues. ([View Highlight](https://read.readwise.io/read/01jnayf0emkt1whyw066arqgex))
---
On Linux systems, most common services have default locations for access logs:
| Service | Description |
| ------------ | ------------------------------------------------------------------------------------------------------------- |
| `Apache` | Access logs are stored in the `/var/log/apache2/access.log` file (or similar, depending on the distribution). |
| `Nginx` | Access logs are stored in the `/var/log/nginx/access.log` file (or similar). |
| `OpenSSH` | Access logs are stored in the `/var/log/auth.log` file on Ubuntu and in `/var/log/secure` on CentOS/RHEL. |
| `MySQL` | Access logs are stored in the `/var/log/mysql/mysql.log` file. |
| `PostgreSQL` | Access logs are stored in the `/var/log/postgresql/postgresql-version-main.log` file. |
| `Systemd` | Access logs are stored in the `/var/log/journal/` directory. |
([View Highlight](https://read.readwise.io/read/01jnayfvfyy81mtd5cpa84kqh0))
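An added example, not part of the HTB module: a Python parser for the Apache/Nginx "combined" access-log format (the format of the `access.log` files listed above), run over constructed sample lines (made-up addresses and paths) to surface clients that probe for many missing resources or send directory-traversal paths.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache/Nginx "combined" log format (made-up addresses and paths).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [03/Mar/2025:10:20:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2025:10:20:02 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2025:10:20:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2025:10:20:03 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2025:10:20:03 +0000] "GET /../../etc/passwd HTTP/1.1" 400 226 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Mar/2025:10:21:10 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/login" "Mozilla/5.0"
198.51.100.20 - - [03/Mar/2025:10:21:12 +0000] "GET /dashboard HTTP/1.1" 200 5120 "https://example.test/login" "Mozilla/5.0"
"""

# One combined-format record: client, identd, user, [time], "request", status, size, "referer", "agent".
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_combined(text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            record = m.groupdict()
            record["status"] = int(record["status"])
            yield record


def suspicious_clients(text, not_found_threshold=3):
    """Flag clients that hit many missing resources (probing for hidden files or
    admin panels) or request paths containing directory-traversal sequences."""
    not_found = Counter()
    traversal = defaultdict(list)
    for r in parse_combined(text):
        if r["status"] == 404:
            not_found[r["ip"]] += 1
        if "../" in r["path"] or "..%2f" in r["path"].lower():
            traversal[r["ip"]].append(r["path"])
    return {
        "many_404s": {ip: n for ip, n in not_found.items() if n >= not_found_threshold},
        "traversal_attempts": dict(traversal),
    }
```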
---
### Security logs
These security logs and their events are often recorded in a variety of log files, depending on the specific security application or tool in use. For example, the Fail2ban application records failed login attempts in the `/var/log/fail2ban.log` file, while the UFW firewall records activity in the `/var/log/ufw.log` file. Other security-related events, such as changes to system files or settings, may be recorded in more general system logs such as `/var/log/syslog` or `/var/log/auth.log`. ([View Highlight](https://read.readwise.io/read/01jnaygzq8hsp3tpww8n7bxp6j))
---