# How to Audit Logs in Linux

Linux log auditing is a critical skill for system administrators, security professionals, and DevOps engineers. Proper log analysis helps maintain system security, troubleshoot issues, monitor performance, and ensure compliance with organizational policies. This comprehensive guide will walk you through everything you need to know about auditing logs in Linux systems, from basic concepts to advanced techniques.

## Table of Contents

1. [Understanding Linux Logging System](#understanding-linux-logging-system)
2. [Prerequisites and Requirements](#prerequisites-and-requirements)
3. [Essential Log Files and Locations](#essential-log-files-and-locations)
4. [Basic Log Auditing Commands](#basic-log-auditing-commands)
5. [Advanced Log Analysis Techniques](#advanced-log-analysis-techniques)
6. [Security Log Auditing](#security-log-auditing)
7. [Automated Log Monitoring](#automated-log-monitoring)
8. [Log Management Best Practices](#log-management-best-practices)
9. [Troubleshooting Common Issues](#troubleshooting-common-issues)
10. [Professional Tips and Insights](#professional-tips-and-insights)

## Understanding Linux Logging System

Linux systems generate extensive logs that record system events, user activities, application behaviors, and security incidents.
The logging infrastructure typically consists of several components:

### System Logging Daemons

- **Syslog**: The traditional logging daemon that handles system messages
- **Rsyslog**: An enhanced version of syslog with advanced features
- **Systemd-journald**: Modern logging service integrated with systemd

### Log Severity Levels

Linux uses standardized severity levels for log messages:

- Emergency (0): System is unusable
- Alert (1): Action must be taken immediately
- Critical (2): Critical conditions
- Error (3): Error conditions
- Warning (4): Warning conditions
- Notice (5): Normal but significant condition
- Info (6): Informational messages
- Debug (7): Debug-level messages

## Prerequisites and Requirements

Before diving into log auditing, ensure you have:

### System Access

- Root or sudo privileges for accessing system logs
- SSH access to remote systems (if applicable)
- Basic understanding of the Linux command line

### Essential Tools

Most Linux distributions include these tools by default:

- `grep`, `awk`, `sed` for text processing
- `tail`, `head`, `less` for file viewing
- `journalctl` for systemd logs
- `logrotate` for log management

### Optional Advanced Tools

```bash
# Install additional log analysis tools
sudo apt-get install multitail logwatch fail2ban   # Debian/Ubuntu
sudo yum install multitail logwatch fail2ban       # RHEL/CentOS
```

## Essential Log Files and Locations

Understanding where logs are stored is fundamental to effective auditing.
### Primary Log Directory

```bash
/var/log/    # Main log directory
```

### Critical System Logs

#### Authentication and Security Logs

```bash
/var/log/auth.log    # Authentication events (Debian/Ubuntu)
/var/log/secure      # Authentication events (RHEL/CentOS)
/var/log/faillog     # Failed login attempts
/var/log/lastlog     # Last login information
```

#### System Operation Logs

```bash
/var/log/syslog      # General system messages
/var/log/messages    # System messages (RHEL/CentOS)
/var/log/kern.log    # Kernel messages
/var/log/dmesg       # Boot messages
```

#### Application and Service Logs

```bash
/var/log/apache2/    # Apache web server logs
/var/log/nginx/      # Nginx web server logs
/var/log/mysql/      # MySQL database logs
/var/log/cron.log    # Cron job execution logs
```

### Viewing Log File Structure

```bash
# List all log files with details
ls -la /var/log/

# Check log file sizes
du -sh /var/log/*

# Display log file types
file /var/log/*
```

## Basic Log Auditing Commands

### Real-time Log Monitoring

#### Using the tail Command

```bash
# Monitor a log file in real time
tail -f /var/log/syslog

# Monitor multiple files simultaneously
tail -f /var/log/syslog /var/log/auth.log

# Show the last 100 lines and follow
tail -n 100 -f /var/log/messages
```

#### Using journalctl for Systemd Logs

```bash
# View all journal entries
journalctl

# Follow the journal in real time
journalctl -f

# Show logs from the last boot
journalctl -b

# Filter by service
journalctl -u ssh.service
```

### Searching and Filtering Logs

#### Basic grep Operations

```bash
# Search for specific terms
grep "Failed password" /var/log/auth.log

# Case-insensitive search
grep -i "error" /var/log/syslog

# Search with line numbers
grep -n "sudo" /var/log/auth.log

# Count occurrences
grep -c "Failed password" /var/log/auth.log
```

#### Advanced Pattern Matching

```bash
# Search for IP addresses
grep -E "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /var/log/auth.log

# Search for time ranges (10:00 to 15:59 on Dec 15)
grep "Dec 15 1[0-5]:" /var/log/syslog

# Multiple pattern search
grep -E "(error|warning|critical)" /var/log/syslog
```

### Date and Time Filtering

#### Using awk for Date Filtering
```bash
# Extract entries from a specific date
awk '/Dec 15/ {print}' /var/log/syslog

# Filter by time range (14:00 to 15:59 on Dec 15). No single line can match
# both hours, so the two patterns must be ORed, not ANDed.
awk '/Dec 15 14:/ || /Dec 15 15:/ {print}' /var/log/syslog
```

#### Using sed for Log Processing

```bash
# Remove timestamps for cleaner output (days below 10 are padded with a space)
sed 's/^[A-Z][a-z][a-z] [ 0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] //' /var/log/syslog

# Extract specific fields
sed -n 's/.*\(Failed password\).*/\1/p' /var/log/auth.log
```

## Advanced Log Analysis Techniques

### Statistical Analysis

#### Analyzing Failed Login Attempts

```bash
# Count failed login attempts by user (the user name is always the 5th field from the end)
grep "Failed password" /var/log/auth.log | awk '{print $(NF-5)}' | sort | uniq -c | sort -nr

# Analyze failed attempts by IP address
grep "Failed password" /var/log/auth.log | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort | uniq -c | sort -nr

# Failed attempts by hour
grep "Failed password" /var/log/auth.log | awk '{print $3}' | cut -d: -f1 | sort | uniq -c
```

#### System Resource Monitoring

```bash
# Analyze disk space warnings
grep -i "disk\|space\|full" /var/log/syslog | tail -20

# Memory-related issues
grep -i "memory\|oom\|killed" /var/log/syslog

# CPU usage patterns
grep -i "cpu\|load" /var/log/syslog
```

### Creating Custom Log Analysis Scripts

#### Basic Log Analysis Script

```bash
#!/bin/bash
# log_analyzer.sh - Basic log analysis script

LOG_FILE="/var/log/auth.log"
DATE=$(date +%Y-%m-%d)
# auth.log stamps lines as "Dec 15" or "Dec  5" (space-padded day), not as
# YYYY-MM-DD, so today's date has to be matched in syslog form.
TODAY=$(date '+%b %e')

echo "=== Log Analysis Report for $DATE ==="
echo
echo "Failed Login Attempts:"
grep "Failed password" "$LOG_FILE" | grep "^$TODAY" | wc -l
echo
echo "Successful Logins:"
grep "Accepted password\|Accepted publickey" "$LOG_FILE" | grep "^$TODAY" | wc -l
echo
echo "Top 5 Failed Login IPs:"
grep "Failed password" "$LOG_FILE" | grep "^$TODAY" | \
  grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | \
  sort | uniq -c | sort -nr | head -5
```

#### Advanced Log Processing with awk

```bash
# Complex log analysis
awk '
BEGIN { print "=== Security Analysis ===" }
/Failed password/ {
    failed++
    # awk has already split the line into $1..$NF; find the IPv4 field
    for (i = 1; i <= NF; i++) {
        if ($i ~ /^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/) {
            ips[$i]++
            break
        }
    }
}
/Accepted/ { accepted++ }
END {
    print "Failed attempts:", failed + 0
    print "Successful logins:", accepted + 0
    print "\nTop attacking IPs:"
    for (ip in ips) print ips[ip], ip | "sort -nr"
}' /var/log/auth.log
```

## Security Log Auditing

### Monitoring Authentication Events

#### Analyzing Login Patterns

```bash
# Recent successful logins
last -n 20

# Failed login attempts with details
grep "Failed password" /var/log/auth.log | tail -10

# Root login attempts
grep "root" /var/log/auth.log | grep -E "(Failed|Accepted)"

# SSH key authentication
grep "Accepted publickey" /var/log/auth.log
```

#### Detecting Suspicious Activities

```bash
# Multiple failed attempts from the same IP
grep "Failed password" /var/log/auth.log | \
  awk '{print $(NF-3)}' | sort | uniq -c | \
  awk '$1 > 10 {print "Suspicious IP:", $2, "- Failed attempts:", $1}'

# Unusual login times (outside business hours)
grep "Accepted" /var/log/auth.log | \
  awk '{
    time = $3
    # substr() returns a string; "+ 0" forces a numeric comparison, otherwise
    # "09" < 8 is evaluated as a string comparison and gives the wrong answer
    hour = substr(time, 1, 2) + 0
    if (hour < 8 || hour > 18) print "Off-hours login:", $0
  }'
```

### File System Security Auditing

#### Monitoring File Access

```bash
# Enable auditd for detailed monitoring
sudo systemctl enable auditd
sudo systemctl start auditd

# Add rules for file monitoring (write and attribute changes)
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
sudo auditctl -w /etc/shadow -p wa -k shadow_changes

# Search audit logs by key
sudo ausearch -k passwd_changes
```

#### Checking System Integrity

```bash
# Monitor critical system files changed since the last package operation
find /etc -name "*.conf" -newer /var/log/dpkg.log 2>/dev/null

# Check for SUID/SGID files
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -lg {} \; 2>/dev/null
```

## Automated Log Monitoring

### Setting Up Log Rotation

#### Configuring logrotate

```bash
# Edit logrotate configuration
sudo nano /etc/logrotate.conf

# Example custom log rotation
sudo nano /etc/logrotate.d/custom-app
```

```bash
# Custom logrotate configuration
/var/log/custom-app/*.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
    postrotate
        systemctl reload custom-app
    endscript
}
```

### Creating Automated Monitoring Scripts

#### Cron-based Log Monitoring

```bash
# Create monitoring script
sudo nano /usr/local/bin/log_monitor.sh
```

```bash
#!/bin/bash
# Automated log monitoring script

ALERT_EMAIL="admin@example.com"
THRESHOLD=50

# Check for excessive failed logins today ("%b %e" gives the syslog form, e.g. "Dec  5")
FAILED_COUNT=$(grep "Failed password" /var/log/auth.log | \
  grep "^$(date '+%b %e')" | wc -l)
if [ "$FAILED_COUNT" -gt "$THRESHOLD" ]; then
  echo "ALERT: $FAILED_COUNT failed login attempts detected today" | \
    mail -s "Security Alert - Failed Logins" "$ALERT_EMAIL"
fi

# Check disk space in log directory
DISK_USAGE=$(df /var/log | awk 'NR==2 {print $5}' | sed 's/%//')
if [ "$DISK_USAGE" -gt 80 ]; then
  echo "ALERT: Log directory is ${DISK_USAGE}% full" | \
    mail -s "Disk Space Alert" "$ALERT_EMAIL"
fi
```

#### Setting up a Cron Job

```bash
# Add to crontab
crontab -e

# Run every hour
0 * * * * /usr/local/bin/log_monitor.sh

# Run daily at 6 AM
0 6 * * * /usr/local/bin/daily_log_report.sh
```

### Using systemd Timers

#### Creating a systemd Timer

```bash
# Create service file
sudo nano /etc/systemd/system/log-audit.service
```

```ini
[Unit]
Description=Log Audit Service
Wants=log-audit.timer

[Service]
Type=oneshot
ExecStart=/usr/local/bin/log_monitor.sh

[Install]
WantedBy=multi-user.target
```

```bash
# Create timer file
sudo nano /etc/systemd/system/log-audit.timer
```

```ini
[Unit]
Description=Run log audit every hour
Requires=log-audit.service

[Timer]
OnCalendar=hourly
Persistent=true

[Install]
WantedBy=timers.target
```

```bash
# Enable and start timer
sudo systemctl enable log-audit.timer
sudo systemctl start log-audit.timer
```

## Log Management Best Practices

### Storage and Retention Policies

#### Implementing Log Retention

```bash
# Configure appropriate retention periods:
#   Critical security logs: 1 year minimum
#   System logs: 3-6 months
#   Application logs: 1-3 months
#   Debug logs: 1-2 weeks

# Example retention script
find /var/log -name "*.log" -type f -mtime +90 -delete
find /var/log -name "*.gz" -type f -mtime +365 -delete
```

### Centralized Logging Setup

```bash
# Configure rsyslog for centralized logging
sudo nano /etc/rsyslog.conf

# Add remote logging: all facilities and priorities, over TCP (@@; a single @ is UDP)
*.* @@log-server.example.com:514

# Restart rsyslog
sudo systemctl restart rsyslog
```

### Security Considerations

#### Log File Permissions

```bash
# Set appropriate permissions
sudo chmod 640 /var/log/auth.log
sudo chmod 644 /var/log/syslog
sudo chown root:adm /var/log/*.log

# Verify permissions
ls -la /var/log/ | head -10
```

#### Log Integrity Protection

```bash
# Create checksums for critical logs. The redirect has to run under sudo too,
# because the shell opens the output file before sudo starts.
sudo sh -c 'find /var/log -name "*.log" -exec md5sum {} \; > /var/log/checksums.md5'

# Verify integrity. Live logs change constantly, so this is only meaningful for
# rotated (closed) files, and the checksum file should be kept off-host or
# read-only; anyone who can alter the logs on this host can regenerate it.
sudo md5sum -c /var/log/checksums.md5
```

## Troubleshooting Common Issues

### Log File Issues

#### Missing or Empty Log Files

```bash
# Check if the logging service is running
systemctl status rsyslog
systemctl status systemd-journald

# Verify log file permissions
ls -la /var/log/

# Check disk space
df -h /var/log

# Restart logging services
sudo systemctl restart rsyslog
```

#### Log Rotation Problems

```bash
# Test logrotate configuration (debug mode, no changes made)
sudo logrotate -d /etc/logrotate.conf

# Force log rotation
sudo logrotate -f /etc/logrotate.conf

# Check logrotate status
cat /var/lib/logrotate/status
```

### Performance Issues

#### Large Log Files

```bash
# Find large log files
find /var/log -type f -size +100M -exec ls -lh {} \;

# Compress old logs
gzip /var/log/*.log.1

# Use log sampling for analysis (every 10th line)
sed -n '1~10p' /var/log/large-file.log > sample.log
```

#### Memory and CPU Usage

```bash
# Monitor resource usage during log analysis (top -p needs a comma-separated PID list)
top -p "$(pgrep -d, -f 'grep|awk|sed')"

# Use more efficient commands
# Instead of: cat large.log | grep pattern
# Use:
grep pattern large.log

# Limit output for large results
grep "pattern" /var/log/huge.log | head -1000
```

### Common Error Scenarios

#### Permission Denied Errors

```bash
# Add user to appropriate groups
sudo usermod -a -G adm username
sudo usermod -a -G systemd-journal username

# Use sudo for privileged logs
sudo tail -f /var/log/auth.log
```

#### Corrupted Log Files

```bash
# Check file integrity
file /var/log/suspicious.log

# Attempt recovery
strings /var/log/corrupted.log > recovered.log

# Restore from backup
sudo cp /backup/var/log/important.log /var/log/
```

## Professional Tips and Insights

### Advanced Techniques

#### Log Correlation Analysis

```bash
# Correlate events across multiple logs on the third field;
# join requires both inputs to be sorted on the join field
join -t' ' -1 3 -2 3 \
  <(grep "user_activity" /var/log/app.log | sort -k3,3) \
  <(grep "authentication" /var/log/auth.log | sort -k3,3)
```

#### Performance Optimization

```bash
# Use parallel processing for large logs
parallel --pipe grep "pattern" < huge.log

# Index frequently searched logs
# Consider tools like the ELK stack for large environments
```

### Compliance and Reporting

#### Generating Compliance Reports

```bash
#!/bin/bash
# compliance_report.sh

echo "=== Security Compliance Report ==="
echo "Generated: $(date)"
echo
echo "1. Failed Login Attempts (Last 30 days):"
# auth.log timestamps carry no year and month names do not sort chronologically
# as text, so a string comparison on "$1$2" cannot bound a 30-day window.
# The journal understands time ranges, so ask it instead.
journalctl --since "30 days ago" --no-pager | grep -c "Failed password"
echo "2. Root Access Events:"
grep "root" /var/log/auth.log | grep -c "^$(date '+%b %e')"
echo "3. System Reboots:"
grep "reboot\|shutdown" /var/log/syslog | grep -c "^$(date '+%b %e')"
```

#### Documentation Standards

- Always document log analysis procedures
- Maintain incident response playbooks
- Create standardized reporting templates
- Establish escalation procedures

### Industry Best Practices

#### SIEM Integration

```bash
# Prepare logs for SIEM ingestion:
# - Standardize timestamp formats
# - Normalize log structures
# - Implement log forwarding
```

#### Automation and Orchestration

- Implement automated threat detection
- Create incident response workflows
- Use configuration management tools
- Establish monitoring baselines

## Conclusion

Effective log auditing in Linux requires a combination of technical skills, proper tools, and systematic approaches. By mastering the techniques covered in this guide, you'll be able to:

- Monitor system security effectively
- Troubleshoot issues efficiently
- Maintain compliance requirements
- Implement automated monitoring solutions
- Optimize system performance

### Next Steps

1. **Practice Regularly**: Set up a test environment to practice log analysis techniques
2. **Automate Monitoring**: Implement automated scripts for routine log auditing tasks
3. **Stay Updated**: Keep current with new logging technologies and security threats
4. **Expand Skills**: Consider learning advanced tools like the ELK stack, Splunk, or other SIEM solutions
5. **Document Procedures**: Create standard operating procedures for your organization

### Additional Resources

- Linux System Administrator's Guide
- Security logging frameworks (NIST, ISO 27001)
- Open-source log analysis tools
- Professional certification programs

Remember that log auditing is an ongoing process that requires continuous attention and refinement. Regular practice and staying current with emerging threats and technologies will help you maintain effective log auditing capabilities in your Linux environments.
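The one-liners in "Analyzing Failed Login Attempts" and "Detecting Suspicious Activities" each trip over the same details of the traditional auth.log format: the timestamp has no year and pads single-digit days with a space, `substr()` yields a string rather than an hour, and the IPv4-only regex skips IPv6 sources. The following is an added example, not code from the original article, that parses constructed sshd lines (RFC 5737 documentation addresses, not real hosts) with one regex and applies the per-IP threshold, per-hour histogram and off-hours checks described above; the `audit` and `parse_ts` names and the year argument are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines, not real log data. Note "Dec  5": syslog pads the
# day with a space, so a grep for "Dec 05" misses every line from that day.
SAMPLE_AUTH_LOG = """\
Dec  5 02:14:07 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec  5 02:14:09 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Dec  5 02:14:12 host1 sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Dec  5 03:02:41 host1 sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 40010 ssh2
Dec  5 09:15:33 host1 sshd[2400]: Accepted password for alice from 192.0.2.10 port 40100 ssh2
Dec  5 14:30:00 host1 sshd[2500]: Failed password for alice from 192.0.2.10 port 40120 ssh2
Dec  5 14:31:10 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
"""

# One pattern for both outcomes; "invalid user" is optional and the address
# may be IPv4 or IPv6, which an IPv4-only regex would silently drop.
SSH_EVENT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+")

def parse_ts(ts, year):
    """Traditional syslog stamps carry no year, so the caller supplies one (assumed)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def audit(text, year, threshold=2, business_hours=(8, 18)):
    """Failed logins per IP and per hour, IPs at or over threshold, off-hours logins."""
    failed_by_ip, failed_by_hour, off_hours = Counter(), Counter(), []
    for line in text.splitlines():
        m = SSH_EVENT.match(line)
        if not m:          # sudo, cron and other non-sshd lines are skipped
            continue
        when = parse_ts(m["ts"], year)
        if m["kind"] == "Failed":
            failed_by_ip[m["ip"]] += 1
            failed_by_hour[when.hour] += 1
        elif not business_hours[0] <= when.hour < business_hours[1]:
            # when.hour is an int; the awk one-liner compared a string to a number
            off_hours.append((m["user"], m["ip"], when.isoformat()))
    suspicious = {ip: n for ip, n in failed_by_ip.items() if n >= threshold}
    return {"failed_by_ip": dict(failed_by_ip), "failed_by_hour": dict(failed_by_hour),
            "suspicious_ips": suspicious, "off_hours_logins": off_hours}

if __name__ == "__main__":
    print(audit(SAMPLE_AUTH_LOG, 2024))
```

On a real system read the file with `open("/var/log/auth.log")` and pass the year the log was written; lines that the journal or rsyslog emits with RFC 3339 timestamps will not match this regex and need a second pattern.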