Linux Logs


Created: 12.10.2020

/var/log 🐧

/etc/rsyslog.conf - main rsyslog configuration: which user/group owns the log files, which facilities/priorities are logged where, and which directory (the $IncludeConfig line, normally /etc/rsyslog.d/) holds the additional configuration files.

cd /etc/rsyslog.d && less 50-default.conf - the distribution's default rules: which facilities go to which file (e.g. auth,authpriv.* to /var/log/auth.log, kern.* to /var/log/kern.log), what the files are called and where to find them.

sudo less /var/log/syslog - most of the system messages (everything not routed to a dedicated file).

auth.log - authentication and authorization messages (logins, sudo, PAM).

kern.log - kernel messages.

To configure what is being logged, how and when, use auditd: apt-cache search auditd to check the package name, apt install auditd if it is not installed. The rules live in /etc/audit/audit.rules (on newer systems in /etc/audit/rules.d/*.rules, which augenrules merges into audit.rules); open the file with nano. Config example:

  1. -w /etc/shadow -p wa -k shadow_changes - keep track of users being added/deleted/modified. -w - watch a file:
    1. -p - which accesses to watch (r read, w write, x execute, a attribute change);
    2. wa - log writes and attribute (owner/permission) changes;
    3. -k <name> - tag the matching log entries with this key so they can be found later with ausearch -k <name>.
  2. -a always,exit -F arch=b64 -S clock_settime -k timechange - watch a syscall:
    1. always,exit - always generate a record when the syscall exits;
    2. -F arch=b64 - syscall numbers differ between 32- and 64-bit ABIs, so the arch has to be given (repeat the rule with arch=b32 to cover both);
    3. -S clock_settime - the specific syscall to look for;
    4. -k <name> - give the name of these log entries, for example, timechange.

To start auditing, run the daemon: service auditd start (auditctl -l shows the rules that are actually loaded). The results are stored in /var/log/audit/audit.log; query them by key with ausearch -k <name> or summarise with aureport -k.
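The two rules above, written into a rules file and checked against what auditd then emits, as an added example (not part of the original notes). The rules directory defaults to a path under /tmp so the script runs without root; on a real system it is /etc/audit/rules.d/. The audit.log lines are constructed for the demo and trimmed to the fields that matter.

```bash
#!/usr/bin/env bash
# Added example: build the /etc/shadow watch and the clock_settime rule
# into a rules file, then pull the matching events out of audit.log by key.
# RULES_DIR under /tmp and the sample log lines are constructed for this demo.
set -eu

RULES_DIR="${RULES_DIR:-/tmp/audit-demo}"   # real location: /etc/audit/rules.d/
RULES_FILE="$RULES_DIR/99-demo.rules"

# Write the rules. -w watches a path, -p wa = write + attribute changes,
# -k tags matching events so ausearch -k can find them. -a always,exit
# logs every exit from the listed syscalls; -F arch is needed because
# syscall numbers differ between the 32- and 64-bit ABIs.
write_audit_rules() {
    mkdir -p "$RULES_DIR"
    cat > "$RULES_FILE" <<'EOF'
## Account changes: watch /etc/shadow for writes and attribute changes
-w /etc/shadow -p wa -k shadow_changes
## System time changes (64-bit and 32-bit ABIs)
-a always,exit -F arch=b64 -S clock_settime -S settimeofday -S adjtimex -k timechange
-a always,exit -F arch=b32 -S clock_settime -S settimeofday -S adjtimex -k timechange
EOF
    printf '%s\n' "$RULES_FILE"
}

# Count the rules in the file that end with a given -k key
# (a sanity check before loading them with auditctl -R / augenrules --load).
count_rules_with_key() {
    grep -c -- "-k $1\$" "$RULES_FILE"
}

# Constructed sample of what auditd writes to /var/log/audit/audit.log
# once the rules are loaded (fields trimmed for readability).
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1602500000.123:201): arch=c000003e syscall=227 success=yes exit=0 comm="date" exe="/usr/bin/date" key="timechange"
type=SYSCALL msg=audit(1602500010.456:202): arch=c000003e syscall=257 success=yes exit=3 comm="passwd" exe="/usr/bin/passwd" key="shadow_changes"
type=PATH msg=audit(1602500010.456:202): item=0 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1602500020.789:203): arch=c000003e syscall=257 success=yes exit=3 comm="cat" exe="/usr/bin/cat" key=(null)
EOF
}

# Print the comm= (process name) of every SYSCALL record tagged with a key.
# On a live system the equivalent is: ausearch -k "$1" -i
procs_for_key() {
    sample_audit_log | grep 'type=SYSCALL' | grep "key=\"$1\"" \
        | sed -n 's/.*comm="\([^"]*\)".*/\1/p'
}

# Stand-alone run: write the rules, then show who touched the clock and the
# shadow file in the sample log.
write_audit_rules
echo "time changed by:   $(procs_for_key timechange)"
echo "shadow changed by: $(procs_for_key shadow_changes)"
```

To load the file for real, copy it to /etc/audit/rules.d/ and run augenrules --load (or auditctl -R on the file), then confirm with auditctl -l; the record with key=(null) shows that reads of /etc/shadow are not caught by a -p wa watch, so add r to -p if reads matter too.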

Sysmon for Linux

eBPF -> SysinternalsEBPF (based on libbpf). eBPF lets verified programs run in a sandbox inside the kernel. Microsoft built the SysinternalsEBPF library on top of it, and Sysmon for Linux uses that library to collect security events (process creation, network connections, file events) from the kernel; the events are written to syslog in Sysmon's XML format. See https://github.com/Sysinternals/SysmonForLinux and eForensics Magazine, Linux Forensics and Security, "Enhance Visibility And Detection On Linux With Sysmon" by Sergio Figueiredo.

References

https://xakep.ru/2021/09/16/linux-audit/