Automatically generated based on tag:

Linux Audit framework (audit logs) Page The Linux Audit system is an non-default auditing and logging framework that can be configured to log multiple type of operations, such as authentication successes or failures, process executions, file accesses, user commands executed in a TTY, etc.

The Linux Audit framework implements kernel-mode hooks to monitor user-mode processes and generate audit telemetry. The auditd daemon is the main user-mode component of the Linux Audit framework, that receives audit messages sent by the kernel and other components (such as pam).

The Linux Audit system operates on rules, that define what records will be captured in the audit logs. If no rules are defined, which is the case by default, only distribution specific records and telemetry from other components may be logged to audit log file by the auditd daemon.

Depending on the rule configured, multiple events can be generated for the same operation. An event can be split in multiple records, with each record of the same event sharing the same timestamp and same unique identifier.

Each record is associated with a given type: USER_AUTH, USER_LOGIN, EXECVE, SYSCALL, OPENAT, PROCTITLE, USER_CMD, TTY, SOCKADDR, etc.
auditd daemon configuration:

Audit rules:

Audit logs:
Syslog Page Syslog, also known as "legacy-syslog" or "BSD-syslog", is a logging framework defined in RFC3164 then RFC5424 (IETF-syslog). syslog-ng and rsyslog extended the initial syslog protocol, and all three versions continue to be developed as separate projects, growing separately and in parallel.

syslog logs events / messages from various system components, notably on:
- Successful authentication and failed authentication attempts.
- sudo usage.
- Kernel and hardware component activities.
- cron jobs and mail activity (sendmail).
- ...

syslog relies on "Facilities" to classify and separate log messages from their originating subsystem / components (kernel, cron, user, mail, ...). The facilities are associated with actions in syslog configuration files, to log the messages to a file on disk, send them over the network, or display them to end-users.

The syslog log file locations are fully dependant on the syslog configuration and differ between Linux distribution and syslog implementation.
Configuration files and directories:
- /etc/syslog.conf
- /etc/rsyslog.conf
- /etc/rsyslog.d/*.conf
- /etc/syslog-ng.conf
- /etc/syslog-ng/*

Main syslog log files:
- auth / authpriv: (Debian / Ubuntu) /var/log/auth.log | (RedHat / Centos) /var/log/secure
- All except auth and authpriv: /var/log/syslog
- All except auth, authpriv, and mail: (RedHat / Centos) /var/log/messages
- cron: /var/log/cron.log
- mail: /var/log/mail.log
- Linux kernel: /var/log/kern.log
- User: /var/log/user.log

View on GitHub