SOC Analyst Basics - Linux Log Files

@maikroservice

SOC ANALYST SERIES

https://academy.maikroservice.com
Practical SOC Analyst 101

Join the waitlist for SOC bootcamp:

https://maikroservice.com/waitlist

Linux stores log files in a couple of different locations

/var/log

is the most common

do all /var/log folders look the same across Linux distributions?

no

example: Debian

example: Ubuntu 22.04

example: Ubuntu 23.04
wait a second - they are different even between versions of the same operating system?

sometimes - yes, e.g. Ubuntu 22.04 and 23.04 have similar but different layouts; 23.04 added apport.log
ok but... there are so many files?! How do I know which one to search through?

Great question!

We will check out the most common log files now
auth.log

This is one of the golden geese of logs.

auth.log
it holds:
login events
user changes (e.g. user added)
group changes
system reboots
executed sudo commands
and more

auth.log examples
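As an added example (not from the original slides), here is a small Python parser that walks a few constructed auth.log lines and pulls out the event types listed above: failed and accepted SSH logins per source IP, executed sudo commands, users added and group changes. The sample lines, hostname, usernames, IPs, PIDs and the brute-force threshold are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the original slides); hostname,
# usernames, IPs and PIDs are made up for illustration.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:20 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar  3 10:02:02 host1 sshd[1210]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Mar  3 10:03:05 host1 useradd[1222]: new user: name=bob, UID=1002, GID=1002, home=/home/bob, shell=/bin/bash
Mar  3 10:03:09 host1 usermod[1225]: add 'bob' to group 'sudo'
Mar  3 10:04:44 host1 sshd[1230]: Failed password for root from 192.0.2.9 port 60001 ssh2
"""

# One regex per event type the slides list (login events, sudo, user/group changes)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
GROUP_RE = re.compile(r"usermod\[\d+\]: add '([^']+)' to group '([^']+)'")

def summarize_auth_log(text):
    """Bucket each auth.log line into the event types an analyst searches for."""
    summary = {"failed_by_ip": Counter(), "accepted": [], "sudo": [],
               "users_added": [], "group_changes": []}
    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            summary["failed_by_ip"][m.group(2)] += 1          # count per source IP
        elif m := ACCEPTED_RE.search(line):
            summary["accepted"].append((m.group(1), m.group(2)))   # (user, ip)
        elif m := SUDO_RE.search(line):
            summary["sudo"].append((m.group(1), m.group(2), m.group(3)))  # (who, as, cmd)
        elif m := USERADD_RE.search(line):
            summary["users_added"].append(m.group(1))
        elif m := GROUP_RE.search(line):
            summary["group_changes"].append((m.group(1), m.group(2)))  # (user, group)
    return summary

def brute_force_sources(summary, threshold=3):
    """Source IPs with at least `threshold` failed logins (threshold is constructed)."""
    return sorted(ip for ip, n in summary["failed_by_ip"].items() if n >= threshold)

if __name__ == "__main__":
    s = summarize_auth_log(SAMPLE_AUTH_LOG)
    print("failed logins per IP:", dict(s["failed_by_ip"]), "-> suspicious:", brute_force_sources(s))
    print("sudo:", s["sudo"], "| users added:", s["users_added"], "| group changes:", s["group_changes"])
```

On a real host, feed it `open("/var/log/auth.log").read()` instead of the constructed sample; the same regexes apply to stock OpenSSH, sudo and shadow-utils messages.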

syslog

the holy grail

the system log, or syslog, is one of the most important log files on a Unix operating system. It combines:

syslog example:

ok cool but where can we
find failed login attempts?

btmp / wtmp are your friends here - but they are a little special

btmp / wtmp are binary log files - so you need a special command to read them.
Don't believe me?

AHHHH MY EYES MAKE IT
STOOOOOP

OK - Gotcha - mistakes
were made

but how do I open those?

use the last and lastb commands

last - reads wtmp

it shows login sessions, including currently logged-in users

use the last and lastb commands

sudo lastb - reads btmp

pffff BOOOORING
it's empty.

oh ya right - umm let's generate some failed logins?!

sudo lastb - reads btmp

AHA! so that is where we find failed logon attempts

and umm... where can we see
when users last logged in?
use the lastlog command

and if a hacker logs into the
root account:

The last log for today is for
debugging

journalctl

$ journalctl -xe

if anything on your Unix system goes wrong - check journalctl first!

$ journalctl -xe

# -x = add explanatory help text to the log entries
# -e = jump to the end of the journal (the newest entries)

it's a little like syslog but with more helpful information.

for more content just like this

for your continued support!

@maikroservice
