Basic Linux Log Forensics

Prashant Mishra
6 min read

Logs and why do we need them?

Logs are records of past events and activities. They show who did what, how and when, and answer many similar questions that matter during an investigation.

We need logs and a logging mechanism in IT for troubleshooting issues, addressing system failures, fixing misconfigurations, auditing and security operations.

Key log files in Linux

In Linux most log files live in the /var/log/ directory. This path holds all kinds of logs, but the most interesting files from a security point of view are:

  • /var/log/auth.log, which records authentication attempts, sudo usage and ssh logins. It is used to detect brute-force attempts and unauthorized access to the system and its resources.

  • /var/log/syslog, which holds system-wide messages and kernel events. This log is crucial for investigating general system behavior, running processes and daemons.

  • /var/log/wtmp, which records all login sessions, and /var/log/btmp, which records bad or failed logins.

  • /var/log/dpkg.log and /var/log/apt/history.log, which list the packages installed on the machine and are useful for spotting suspicious installations, downloads and updates.

Reading logs with Linux utilities

A basic Linux installation comes with many commands and utilities that help with log analysis, parsing and monitoring, even if not at the scale of dedicated log parsers and SIEMs.

To quickly demonstrate basic forensics I will be doing the following:

  1. Run Debian 12 Bookworm in a virtual machine

  2. Install rsyslog and the OpenSSH server on the VM

  3. Make successful and failed logins from the local terminal and from an ssh client

Useful Commands

To check whether there are any active connections I use the who command, and I see there are none, as I closed all active remote connections to the home lab VM.

soa tty7 2025-06-10 01:49 (:0)

This means the user is logged into this VM in a GUI login session on tty7, and (:0) signifies the local display.

One of the most basic commands is cat, which prints the content of a file right in the terminal. We can use it to view text files that are not huge. With log rotation configured, the current log files stay small enough to read with cat.

Before we start, note that the auth.log file will not be available on a fresh install of every Linux distribution; only certain distros ship with rsyslog. The distro I am currently running in my home lab is Debian, where we have to install rsyslog with sudo apt install rsyslog -y.

Let us try viewing the entries of the auth.log file.

sudo is necessary to view this file, so a quick sudo cat /var/log/auth.log gives us this result:

2025-06-09T12:06:30.733847+05:30 debian sudo: soa : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/cat auth.log

This means that on this date and time user soa used sudo to view the auth.log file with the cat command.

Now let's ssh into the VM and look at the entries in the same log file. Of course, we first have to install the ssh server on the VM with sudo apt install openssh-server -y and make sure the ssh service is running. The following commands enable the service and confirm that we are all set for a remote ssh connection to the VM:

  • sudo systemctl enable ssh

  • sudo systemctl start ssh

  • sudo systemctl status ssh

Once the terminal reports the ssh service as active, we can log in remotely with ssh <Username>@<IP_Address_Of_Target_Machine>, and after cat-ing the auth log file we will see a different entry like this:

2025-06-10T13:25:32.854425+05:30 debian sshd[2715]: Accepted password for soa from 192.168.1.34 port 63313 ssh2

This tells us the date and time of the ssh login, made from one of my devices on my internal network with IP address 192.168.1.34 and source port 63313 using SSH protocol version 2, the current version; sshd[2715] is the ssh daemon process handling this connection.

💡
But how about seeing or monitoring these sessions live?

We can use the tail command in follow mode (tail -f), which lets us see events as they happen in real time.

Successful ssh attempts

These are the ssh logins I made from two of my personal devices to my VM, with the log file tailed and followed in the terminal output. This is useful for monitoring login, logout, cron job and sudo activity.

With tail we can also monitor failed logins and identify a brute-force attempt, since we can track these attempts in real time. Below is a simple result of this command showing failed remote login attempts. If such attempts appear in numbers over a long period from the same IP, that should definitely raise eyebrows and is a strong signal of an attack.

Failed ssh attempts
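Counting the failures per source IP is what turns the raw tail output into a brute-force signal. The following is an added example (not from the original post) that does this over constructed auth.log-style lines in the rsyslog format shown above; the IP addresses and PIDs in the sample are made up.

```shell
#!/bin/sh
# Count "Failed password" entries per source IP in an auth.log-style file
# and flag any IP at or above a threshold. Assumes the rsyslog line format
# shown in the post: ISO timestamp, host, sshd[pid]: message.

# Constructed sample lines (not a real capture); addresses are made up.
SAMPLE_LOG=$(cat <<'EOF'
2025-06-10T13:25:32.854425+05:30 debian sshd[2715]: Accepted password for soa from 192.168.1.34 port 63313 ssh2
2025-06-10T13:26:01.100000+05:30 debian sshd[2720]: Failed password for soa from 192.168.1.50 port 40001 ssh2
2025-06-10T13:26:03.200000+05:30 debian sshd[2720]: Failed password for soa from 192.168.1.50 port 40001 ssh2
2025-06-10T13:26:05.300000+05:30 debian sshd[2722]: Failed password for invalid user admin from 192.168.1.50 port 40002 ssh2
2025-06-10T13:26:07.400000+05:30 debian sshd[2724]: Failed password for root from 192.168.1.50 port 40003 ssh2
2025-06-10T13:30:00.000000+05:30 debian sshd[2730]: Failed password for soa from 192.168.1.38 port 50010 ssh2
2025-06-10T13:31:00.000000+05:30 debian sshd[2731]: Accepted password for soa from 192.168.1.38 port 50011 ssh2
EOF
)

# failed_by_ip FILE: prints "count ip" lines, most frequent first.
# The IP is taken as the field right after the word "from", so the
# "invalid user" variant of the message is handled too.
failed_by_ip() {
    grep 'Failed password' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# flag_bruteforce FILE THRESHOLD: prints IPs with >= THRESHOLD failures.
flag_bruteforce() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
failed_by_ip "$tmp"        # 4 192.168.1.50 / 1 192.168.1.38
flag_bruteforce "$tmp" 3   # 192.168.1.50
rm -f "$tmp"
```

On a live system the same functions can be pointed at /var/log/auth.log (with sudo) to get the per-IP failure counts the tail session only shows one line at a time.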

Reading binary log files

Besides regular text files (e.g. auth.log) there are log files such as wtmp and btmp that hold their data in binary form. They cannot be read with the cat command; instead we use last or lastb to analyze them for a quick audit or forensics.

The last and lastb commands read wtmp and btmp respectively directly from /var/log, so they need no path on the command line, and they accept options that control the output. The available options for any command can be viewed in its man page, e.g. man last.

Who logged in when and from where?

Using last -aiF we can quickly look at user sessions with specific details selected by flags: -a displays the hostname in the last column, -i displays the IP address instead of the hostname, and -F displays the full login and logout dates and times.

soa pts/2 Tue Jun 10 16:10:11 2025 - Tue Jun 10 16:19:25 2025 (00:09) 192.168.1.38

This shows how long the ssh session lasted and gives us a human-readable summary that the cat command does not provide.

Similarly, we can use lastb -aiF to look for bad or failed logins, which yields two failed logins: one from the VM itself and one from another device on the local network.

There is another utility we can use to inspect raw records, dig deeper and perform low-level forensics, but it has to be installed and does not come with the base Linux installation.

sudo apt install util-linux gives us another command, utmpdump, which is useful for reading and parsing these binary files and for automating work on them. It also helps when dealing with corrupted files and files in non-standard formats.

So we can run utmpdump /var/log/wtmp to look for extra details on auth attempts and trace the finer details of a binary log file.

Here [7] and [8] are the LOGIN and LOGOUT entry types respectively, [03251] is the process ID of this remote session, [pts/1] is the pseudo-terminal of the remote session, and the last two fields are the IP address and the date and time.
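What last does for us is pair each LOGIN record with the LOGOUT record on the same terminal line. The following is an added example (not from the original post) that does the same pairing over constructed records laid out in utmpdump's bracketed format, and also reports logins that have no matching logout, which is how a still-open session or a missing record shows up. The timestamps, PIDs and addresses in the sample are made up.

```shell
#!/bin/sh
# Pair utmpdump-style LOGIN ([7]) and LOGOUT ([8]) records by terminal
# line and report sessions; a login with no later logout on its line is
# printed with "OPEN" (session still active, or the logout record is gone).

# Constructed sample in utmpdump's bracketed layout (not captured output):
# [type] [pid] [id] [user] [line] [host] [addr] [time]
SAMPLE_UTMP=$(cat <<'EOF'
[7] [03251] [ts/1] [soa     ] [pts/1       ] [192.168.1.38        ] [192.168.1.38   ] [2025-06-10T10:40:11,000000+00:00]
[8] [03251] [    ] [        ] [pts/1       ] [                    ] [0.0.0.0        ] [2025-06-10T10:49:25,000000+00:00]
[7] [03410] [ts/2] [soa     ] [pts/2       ] [192.168.1.34        ] [192.168.1.34   ] [2025-06-10T11:02:03,000000+00:00]
EOF
)

# sessions FILE: prints "user line addr login_time logout_time" per session.
# sed turns "[a] [b] [c]" into "a|b|c"; awk trims the padded fields.
sessions() {
    sed 's/^\[//; s/\]$//; s/\] \[/|/g' "$1" \
    | awk -F'|' '
        function trim(s) { gsub(/^ +| +$/, "", s); return s }
        {
            type = trim($1); user = trim($4); line = trim($5)
            addr = trim($7); t = trim($8)
            if (type == "7") {                 # LOGIN: remember who/where/when
                u[line] = user; a[line] = addr; login[line] = t
            } else if (type == "8" && (line in login)) {   # LOGOUT closes it
                print u[line], line, a[line], login[line], t
                delete login[line]
            }
        }
        END { for (l in login) print u[l], l, a[l], login[l], "OPEN" }'
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_UTMP" > "$tmp"
sessions "$tmp"
rm -f "$tmp"
```

Run against the real file with sudo utmpdump /var/log/wtmp > wtmp.txt and then sessions wtmp.txt; an "OPEN" line for a terminal nobody is using is worth a closer look.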

What is next?

Linux provides a wide range of utilities for log analysis, parsing, filtering and service monitoring, along with many community-supported tools that serve various forensic and security purposes. I've kept this blog focused on simple, useful commands to help build a strong foundation. In the coming days I'll continue exploring deeper concepts and sharing more interesting topics from the Linux world.

Feel free to share your thoughts, point out any mistakes, or drop suggestions in the comments — it would really help me grow as an early-stage blogger. Thanks for reading!
