
Essential Logging in Linux (Syslog)

Cyber Security Mastery: From Zero to Hero

Monitoring Linux Activity

In Linux, the standard logging mechanism is syslog, today usually provided by rsyslog or by systemd's journald. Logs are typically stored as plain text files, which makes them easy to read and search with ordinary command-line tools.

Key Log File Locations

Most logs are found in the /var/log directory:

  • /var/log/auth.log (or /var/log/secure on Red Hat systems): Critical for monitoring user authentication attempts, root access, and sudo usage.
  • /var/log/kern.log: Kernel messages, including device and driver information.
  • /var/log/syslog (or /var/log/messages): General system activity.
  • /var/log/apache2/access.log: Web server traffic logs.

Analyzing Logs with CLI

We use our Bash skills to quickly analyze these files:

```bash
# View the end of a log file in real time (useful for monitoring an active attack)
tail -f /var/log/auth.log

# Search the log for failed logins (-i: the daemon writes "Failed password", so match case-insensitively)
grep -i "failed password" /var/log/auth.log
```
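Going one step beyond a plain grep, the following script is an added example (not part of the course material) that turns auth.log lines into a per-source count of failed SSH logins and flags sources that exceed a threshold. The log lines in SAMPLE_AUTH_LOG are constructed for the example, and the function names (failed_by_ip, flag_bruteforce, count_sudo) are my own; on a real host you would feed the functions with `cat /var/log/auth.log` instead of the sample text.

```bash
#!/bin/sh
# Added example: summarise authentication events from auth.log-style input.
# SAMPLE_AUTH_LOG is constructed sample data in OpenSSH/sudo syslog format.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:19 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:02:01 web01 sshd[2220]: Accepted password for alice from 198.51.100.22 port 40022 ssh2
Mar  3 10:02:44 web01 sshd[2231]: Failed password for alice from 198.51.100.22 port 40030 ssh2
Mar  3 10:03:05 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update'

# failed_by_ip: reads log text on stdin, prints "count ip" lines, highest count first.
# The sed pattern assumes OpenSSH's "Failed password for ... from <ip> port <n>" wording.
failed_by_ip() {
  grep -i 'failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# flag_bruteforce THRESHOLD: reads log text on stdin, prints only the IPs
# whose failed-login count is at or above THRESHOLD.
flag_bruteforce() {
  failed_by_ip | awk -v t="$1" '$1 >= t {print $2}'
}

# count_sudo: reads log text on stdin, prints the number of sudo command executions.
count_sudo() {
  grep -c 'sudo:.*COMMAND='
}

# Stand-alone demo on the constructed sample.
echo "Failed SSH logins per source IP:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
echo "Sources with 3 or more failures:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_bruteforce 3
echo "sudo commands run: $(printf '%s\n' "$SAMPLE_AUTH_LOG" | count_sudo)"
```

The threshold is deliberately a parameter: a single failed login is normal user error, while many failures from one source in a short window is the pattern worth alerting on, and the right number depends on the host.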