Logging
Overview
Logs are one of the highest-signal sources for troubleshooting, detection, and post-incident analysis. Security logging is only useful if it is:
- collected consistently
- retained long enough
- reviewed (or monitored) with intent
What to Check First (Operational)
Authentication:
- /var/log/auth.log (Debian/Ubuntu)
- /var/log/secure (RHEL/CentOS)
System/service events:
- journalctl (systemd journal)
- /var/log/syslog (Debian/Ubuntu)
- /var/log/messages (RHEL-like)
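A first-pass triage script for the authentication sources listed above, added here as an example (it is not part of the original page). It runs over constructed auth.log-style sample lines; the host, users and addresses in the sample are made up. The same functions accept real `/var/log/auth.log`, `/var/log/secure` or `journalctl -u ssh` / `journalctl -u sshd` output on stdin.

```shell
#!/bin/sh
# Added example, not code from the original page: first-pass triage of
# authentication logs. Works on /var/log/auth.log, /var/log/secure, or
# `journalctl -u ssh` / `journalctl -u sshd` output piped to stdin.

# Constructed sample lines in auth.log format (host, users and IPs are made up).
sample_auth_log() {
cat <<'EOF'
Mar  3 10:01:12 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Mar  3 10:01:15 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51430 ssh2
Mar  3 10:01:19 web1 sshd[2215]: Failed password for root from 203.0.113.5 port 51444 ssh2
Mar  3 10:02:40 web1 sshd[2230]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
Mar  3 10:02:41 web1 sshd[2230]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar  3 10:03:02 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:05:55 web1 sshd[2250]: Failed password for invalid user test from 192.0.2.9 port 60001 ssh2
EOF
}

# Failed SSH password attempts grouped by source address, busiest source first.
# The "from" token is located by scanning because "invalid user" lines carry
# one more field than lines for existing users.
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Successful logins as "<user> <method> <source ip>", so a password login from
# an unexpected address stands out next to the expected key-based ones.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            print user, $7, ip
        }'
}

# sudo usage as "<user> <command>". COMMAND= is the last item and may contain
# spaces, so the rest of the line after it is taken rather than one field.
# journald shows the tag as "sudo[pid]:", syslog files as "sudo:"; both match.
sudo_commands() {
    awk '$5 ~ /^sudo(\[[0-9]+\])?:$/ && match($0, /COMMAND=/) {
            print $6, substr($0, RSTART + 8)
        }'
}

# Stand-alone use: summarise the file given as $1, or the sample when none is given.
LOGFILE=${1:-}
read_log() {
    if [ -n "$LOGFILE" ]; then cat "$LOGFILE"; else sample_auth_log; fi
}

echo "== failed SSH password attempts by source =="
read_log | failed_ssh_by_ip
echo "== accepted logins (user method source) =="
read_log | accepted_logins
echo "== sudo commands (user command) =="
read_log | sudo_commands
```

On a systemd host the same summaries come from the journal, e.g. `journalctl -u ssh --since today | sh triage.sh /dev/stdin`; a source with many failures followed by an `Accepted password` line from the same address is the pattern worth escalating, whereas key-based logins from known addresses are the expected baseline.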
Common Log Types
- Kernel logs: kernel messages and driver events.
- System logs: service start/stop, reboots, cron, general events.
- Authentication logs: SSH/sudo/login attempts and failures.
- Application logs: web server/db/app-specific logs (paths vary by service/distro).
Useful Practices
- Enable log rotation and retention (e.g., logrotate, journald retention settings).
- Centralize logs for servers (so attackers can’t trivially erase evidence on a single host).
- Add rate-limited firewall/service logging when debugging (avoid log floods).
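The practices above as concrete settings, added here as an example (not the page's own configuration). It assumes Debian/Ubuntu-style paths with rsyslog and iptables; the application log directory /var/log/myapp, the collector host loghost.example.internal, and the retention numbers (90 days, 1G, 5 lines/min) are placeholders to adjust. Files are written under a caller-supplied root so the result can be inspected in a scratch directory before being applied to "/".

```shell
#!/bin/sh
# Added example, not code from the original page: retention, centralisation
# and rate-limited logging settings. Every file goes under the root directory
# passed as $1 (dry run into a scratch dir first, then apply to /).
# Assumed placeholders: /var/log/myapp, loghost.example.internal, 90 days,
# 1G, 5/min. Size them to the host and to your retention policy.

# logrotate: daily rotation, 90 rotated copies kept, compressed one cycle
# late so the most recent file stays greppable. copytruncate keeps the
# application writing to the same open file, so no restart or signal is needed.
write_logrotate_app() {
    root=$1
    mkdir -p "$root/etc/logrotate.d"
    cat > "$root/etc/logrotate.d/myapp" <<'EOF'
/var/log/myapp/*.log {
    daily
    rotate 90
    missingok
    notifempty
    compress
    delaycompress
    copytruncate
}
EOF
}

# journald: keep the journal on disk (not only in /run), cap it at 1G and drop
# entries older than 90 days. A drop-in under journald.conf.d overrides
# /etc/systemd/journald.conf without editing the packaged file.
write_journald_retention() {
    root=$1
    mkdir -p "$root/etc/systemd/journald.conf.d"
    cat > "$root/etc/systemd/journald.conf.d/retention.conf" <<'EOF'
[Journal]
Storage=persistent
SystemMaxUse=1G
MaxRetentionSec=90day
EOF
}

# rsyslog: forward everything to a central collector over TCP (@@ = TCP,
# @ = UDP) so a copy exists off-host. Plain TCP is unencrypted; use rsyslog's
# TLS stream driver if the path crosses an untrusted network.
write_rsyslog_forward() {
    root=$1
    mkdir -p "$root/etc/rsyslog.d"
    cat > "$root/etc/rsyslog.d/90-forward.conf" <<'EOF'
*.* @@loghost.example.internal:514
EOF
}

# Rate-limited firewall logging for new SSH connections: at most 5 log lines
# per minute (burst of 10), so a scan cannot flood the log or fill the disk.
# Printed rather than executed so it can be reviewed; run it as root to apply.
ratelimited_ssh_log_rule() {
    printf '%s\n' \
      'iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ssh-new: "'
}

# Stand-alone use: sh logging-config.sh /tmp/dryrun   (then diff against /)
if [ $# -gt 0 ]; then
    write_logrotate_app "$1"
    write_journald_retention "$1"
    write_rsyslog_forward "$1"
    echo "wrote config under $1/etc; firewall logging rule to apply as root:"
    ratelimited_ssh_log_rule
fi
```

After copying the files into place, `logrotate -d /etc/logrotate.d/myapp` dry-runs the rotation, `systemctl restart systemd-journald` picks up the retention limits (check with `journalctl --disk-usage`), and `systemctl restart rsyslog` starts forwarding; the LOG rule writes to the kernel log, so its lines appear in `journalctl -k` or /var/log/kern.log with the `ssh-new:` prefix.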