SOC Analyst Basics - Linux Log Files

Uploaded by Phương Võ

@maikroservice

SOC ANALYST SERIES

https://academy.maikroservice.com
Practical SOC Analyst 101

Join the waitlist for SOC bootcamp:

https://maikroservice.com/waitlist
Linux stores log files in a couple of
different locations

/var/log

is the most common

do all /var/log folders
look the same across Linux
distributions?

no

example: debian

example: ubuntu2204

example: ubuntu2304

wait a second - they are
different even between the
same operating system?

sometimes - yes, e.g. Ubuntu
22.04 and 23.04 have similar
but different layouts; 23.04
added apport.log
ok but... there are so many
files?! How do I know
which one to search
through?

Great question!

We will check out the most
common log files now
auth.log

This is part of the golden geese
of logs.
auth.log
it holds:
login events
user changes (e.g. user added)
group changes
system reboots
executed sudo commands
and more

auth.log examples

syslog

the holy grail

the system log, or syslog, is one
of the most important log files
on a Unix operating system.
it combines:
syslog example:

ok cool but where can we
find failed login attempts?

btmp / wtmp are your friends
here - but they are a little
special
btmp / wtmp are binary log
files - so you need a special
command to read them.
Don't believe me?
AHHHH MY EYES MAKE IT
STOOOOOP

OK - Gotcha - mistakes
were made

but how do I open those?

use the last and lastb commands

last - reads wtmp

it shows currently logged in users

use the last and lastb commands

sudo lastb - reads btmp

pffff BOOOORING
it's empty.
oh ya right - umm let's generate
some failed logins?!

sudo lastb - reads btmp

AHA! so that is where we find
failed logon attempts

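Because btmp and wtmp are binary, lastb and last are really just record decoders. The added example below (not from the original slides) decodes the same records in Python, assuming the glibc x86_64 `struct utmp` layout of 384 bytes per record, and runs over a constructed btmp blob so it works offline; feed it the bytes of /var/log/btmp (read as root) to reproduce what lastb prints.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc `struct utmp` on x86_64, 384 bytes per record: ut_type, 2 pad
# bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 unused bytes. wtmp and btmp share it.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
UT_TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _cstr(raw):
    """Decode a NUL-padded fixed-width char field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Return one dict per complete record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": UT_TYPES.get(f[0], str(f[0])),
            "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
            "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
        })
    return records

def make_record(ut_type, pid, line, user, host, ts):
    """Pack a constructed record (test data, not captured from a real host)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

def failures_by_host(btmp_bytes):
    """First-pass triage of btmp: how many failed logins came from each host."""
    counts = {}
    for rec in parse_utmp(btmp_bytes):
        counts[rec["host"]] = counts.get(rec["host"], 0) + 1
    return counts

# Constructed btmp content: three failed root logins over ssh from one address.
SAMPLE_BTMP = b"".join(
    make_record(7, 1200 + i, "ssh:notty", "root", "203.0.113.5", 1700000000 + 10 * i)
    for i in range(3))

if __name__ == "__main__":
    for rec in parse_utmp(SAMPLE_BTMP):  # the same rows lastb would print
        print(rec["user"], rec["line"], rec["host"], rec["time"].isoformat())
    print(failures_by_host(SAMPLE_BTMP))
```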
and umm... where can we see
when users last logged in?
use the lastlog command

and if a hacker logs into the
root account:

The last log for today is for
debugging

journalctl

$ journalctl -xe

if anything on your Unix system
goes wrong - check journalctl
first!

$ journalctl -xe

# -x = show metainformation
# -e = jump to the end of the file (the newest entries)

it's a little like syslog but with
helpful information.
for more content just like this

for your continued
support!

@maikroservice
