Automatically generated based on tag:

Title: Linux Audit framework (audit logs)
Type: Page

Summary:
The Linux Audit system is a non-default auditing and logging framework that can be configured to log multiple types of operations, such as authentication successes or failures, process executions, file accesses, user commands executed in a TTY, etc.

The Linux Audit framework implements kernel-mode hooks to monitor user-mode processes and generate audit telemetry. The auditd daemon is the main user-mode component of the Linux Audit framework; it receives audit messages sent by the kernel and by other components (such as PAM).

The Linux Audit system operates on rules that define which records will be captured in the audit logs. If no rules are defined, which is the case by default, only distribution-specific records and telemetry from other components may be logged to the audit log file by the auditd daemon.

Depending on the rules configured, multiple events can be generated for the same operation. An event can be split into multiple records, with each record of the same event sharing the same timestamp and the same unique identifier (serial).

Each record is associated with a given type: USER_AUTH, USER_LOGIN, EXECVE, SYSCALL, OPENAT, PROCTITLE, USER_CMD, TTY, SOCKADDR, etc.
Location:
auditd daemon configuration:
/etc/audit/auditd.conf

Audit rules:
/etc/audit/audit.rules
/etc/audit/rules.d/

Audit logs:
/var/log/audit.log*
/var/log/audit/audit.log.*.gz
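The following is an added example, not code from the original page or from the auditd project. It shows how records that share a timestamp and serial are re-joined into one event, and how the EXECVE argv and the hex-encoded PROCTITLE are recovered. The log lines are constructed for the example (the rule key `exec` and the pids, inodes and timestamps are assumed values).

```python
import re
from collections import defaultdict

# Constructed sample log (not captured from a real host): one `cat /etc/passwd`
# execution split into five records sharing timestamp 1700000000.123 and
# serial 4242, plus an unrelated sudo USER_CMD record with its own serial.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c1a2b3c0 a1=55d0c1a2b400 a2=55d0c1a2b500 a3=8 items=2 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1700000000.123:4242): argc=2 a0="cat" a1="/etc/passwd"
type=CWD msg=audit(1700000000.123:4242): cwd="/home/analyst"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/usr/bin/cat" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.123:4242): proctitle=636174002F6574632F706173737764
type=USER_CMD msg=audit(1700000000.456:4243): pid=1005 uid=1000 auid=1000 ses=3 msg='cwd="/home/analyst" cmd="id" exe="/usr/bin/sudo" terminal=pts/0 res=success'
"""

# Record header: type=<TYPE> msg=audit(<timestamp>:<serial>): <body>
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$")
# key=value pairs; values are double-quoted, single-quoted (nested msg='...')
# or bare tokens.
FIELD_RE = re.compile(r"(\w+)=(?:\"([^\"]*)\"|'([^']*)'|(\S+))")


def parse_fields(body):
    fields = {}
    for m in FIELD_RE.finditer(body):
        key, dq, sq, bare = m.groups()
        fields[key] = dq if dq is not None else sq if sq is not None else bare
    return fields


def parse_record(line):
    m = RECORD_RE.match(line)
    if not m:
        return None
    return {
        "type": m.group("type"),
        "timestamp": m.group("ts"),
        "serial": int(m.group("serial")),
        "fields": parse_fields(m.group("body")),
    }


def group_events(log_text):
    """Map (timestamp, serial) -> list of records; each key is one audit event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[(rec["timestamp"], rec["serial"])].append(rec)
    return dict(events)


def decode_proctitle(hex_value):
    """PROCTITLE stores the NUL-separated command line as hex when it contains spaces."""
    raw = bytes.fromhex(hex_value)
    return [part.decode("utf-8", "replace") for part in raw.rstrip(b"\0").split(b"\0")]


def summarize_execs(events):
    """One summary dict per event that carries an EXECVE record."""
    out = []
    for (ts, serial), records in sorted(events.items()):
        by_type = {}
        for r in records:
            by_type.setdefault(r["type"], r)  # first PATH item wins; enough for a summary
        if "EXECVE" not in by_type:
            continue
        ex = by_type["EXECVE"]["fields"]
        argv = [ex[f"a{i}"] for i in range(int(ex["argc"]))]
        sc = by_type.get("SYSCALL", {}).get("fields", {})
        cwd = by_type.get("CWD", {}).get("fields", {}).get("cwd")
        out.append({"timestamp": ts, "serial": serial, "auid": sc.get("auid"),
                    "uid": sc.get("uid"), "exe": sc.get("exe"), "cwd": cwd,
                    "argv": argv, "key": sc.get("key")})
    return out


if __name__ == "__main__":
    for event in summarize_execs(group_events(SAMPLE_AUDIT_LOG)):
        print(event)
```

Keying on `(timestamp, serial)` rather than the timestamp alone matters because several events can share a timestamp; keeping `auid` (the login uid) next to `uid` is what lets a reviewer attribute a command run through su or sudo to the original interactive user.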

Title: Syslog
Type: Page

Summary:
Syslog, also known as "legacy-syslog" or "BSD-syslog", is a logging framework defined in RFC 3164 and later RFC 5424 (IETF-syslog). syslog-ng and rsyslog extended the initial syslog protocol, and all three continue to be developed as separate projects, growing separately and in parallel.

syslog logs events / messages from various system components, notably on:
- Successful authentication and failed authentication attempts.
- sudo usage.
- Kernel and hardware component activities.
- cron jobs and mail activity (sendmail).
- ...

syslog relies on "Facilities" to classify and separate log messages from their originating subsystem / components (kernel, cron, user, mail, ...). The facilities are associated with actions in syslog configuration files, to log the messages to a file on disk, send them over the network, or display them to end-users.

The syslog log file locations are fully dependent on the syslog configuration and differ between Linux distributions and syslog implementations.

Location:
Configuration files and directories:
- /etc/syslog.conf
- /etc/rsyslog.conf
- /etc/rsyslog.d/*.conf
- /etc/syslog-ng.conf
- /etc/syslog-ng/*

Main syslog log files:
- auth / authpriv: (Debian / Ubuntu) /var/log/auth.log | (RedHat / CentOS) /var/log/secure
- All except auth and authpriv: /var/log/syslog
- All except auth, authpriv, and mail: (RedHat / CentOS) /var/log/messages
- cron: /var/log/cron.log
- mail: /var/log/mail.log
- Linux kernel: /var/log/kern.log
- User: /var/log/user.log

Title: utmp, wtmp and btmp
Type: Page

Summary:
The utmp, wtmp and btmp files track successful and failed logins on the system. They are notably maintained by the login(1), init(1), sshd(8), and some versions of the getty(8) programs.

The utmp entry format is specified in the "utmp.h" header. This format is used by the utmp, wtmp, and btmp logs. The username and the remote host's hostname or IP address are notably recorded for remote logins.

utmp login records are not stored in clear text and must be parsed with adequate utilities, such as utmpdump or Dissect.

Location:
Linux:
/var/run/utmp
/var/log/wtmp
/var/log/btmp

Solaris:
(deprecated) /var/adm/utmp
/var/adm/utmpx
(deprecated) /var/adm/wtmp
/var/adm/wtmpx

FreeBSD 9.0:
/var/run/utx.active (utmp equivalent)
/var/log/utx.log (wtmp equivalent)
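As an added example, not part of the original page nor of the utmpdump or Dissect projects, here is a parser for the binary record format shared by utmp, wtmp and btmp. It assumes the glibc x86_64 layout of struct utmp from utmp.h (384 bytes per record); other architectures and libcs use different field widths, which is the first thing to check when a file's size is not a multiple of the expected record size. The sample records are constructed in the block itself, using addresses from documentation ranges.

```python
import ipaddress
import struct
from collections import Counter
from datetime import datetime, timezone

# Assumption: glibc x86_64 `struct utmp` (384 bytes): ut_type, pad, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 x int16),
# ut_session, ut_tv (2 x int32), ut_addr_v6[4], 20 unused bytes.
UTMP_STRUCT = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
assert UTMP_STRUCT.size == 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr(words):
    """ut_addr_v6 holds the address bytes in network order; IPv4 uses only word 0."""
    raw = b"".join(struct.pack("<i", w) for w in words)
    if words[1] == words[2] == words[3] == 0:
        return str(ipaddress.IPv4Address(raw[:4])) if words[0] else ""
    return str(ipaddress.IPv6Address(raw))


def parse_utmp(data):
    """Parse the bytes of a utmp/wtmp/btmp file into a list of dicts, skipping EMPTY slots."""
    entries = []
    usable = len(data) - len(data) % UTMP_STRUCT.size  # ignore a trailing partial record
    for off in range(0, usable, UTMP_STRUCT.size):
        (ut_type, pid, line, ident, user, host, _term, _exit, session,
         tv_sec, _tv_usec, *addr) = UTMP_STRUCT.unpack_from(data, off)
        if ut_type == 0:
            continue
        entries.append({
            "type": UT_TYPES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "id": _cstr(ident),
            "user": _cstr(user),
            "host": _cstr(host),
            "addr": _addr(addr),
            "session": session,
            "time": datetime.fromtimestamp(tv_sec, timezone.utc).isoformat(),
        })
    return entries


def logins_by_host(entries):
    """Count USER_PROCESS records per source address (on btmp these are failed attempts)."""
    return Counter(e["addr"] for e in entries if e["type"] == "USER_PROCESS")


def _make_entry(ut_type, pid, line, user, host, ip, tv_sec):
    """Build one constructed record in the assumed layout (sample data only)."""
    words = [0, 0, 0, 0]
    if ip:
        packed = ipaddress.ip_address(ip).packed.ljust(16, b"\0")
        words = list(struct.unpack("<4i", packed))
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), line[-4:].encode(),
                            user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, *words)


# Constructed sample file: a remote login, its logout, an IPv6 login, and one empty slot.
SAMPLE_WTMP = b"".join([
    _make_entry(7, 4321, "pts/0", "analyst", "203.0.113.5", "203.0.113.5", 1700000000),
    _make_entry(8, 4321, "pts/0", "", "", None, 1700003600),
    _make_entry(7, 4400, "pts/1", "root", "2001:db8::10", "2001:db8::10", 1700007200),
    b"\0" * UTMP_STRUCT.size,
])

if __name__ == "__main__":
    for entry in parse_utmp(SAMPLE_WTMP):
        print(entry)
    print(logins_by_host(parse_utmp(SAMPLE_WTMP)))
```

To run it against a real file, read `/var/log/wtmp` or `/var/log/btmp` in binary mode and pass the bytes to `parse_utmp`; compare the output with `utmpdump` on the same host before trusting the layout assumption.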
