This page documents the common log files on a Linux system. For how to analyze them from the command line, see Bo Cyber Logbook - Log Analysis.
By default, Linux is a “silent” operator: it logs system health and access, but it does not log what users actually do (the commands they run).
Out of the box, three major Linux logs:

- `/var/log/auth.log` (or `/var/log/secure` on RHEL-based systems): authentication and authorization events such as logins, SSH sessions and sudo use.
- `/var/log/syslog` (or `/var/log/messages` on RHEL-based systems): general system messages from the kernel and services.
- `/var/log/apache2/access.log` (or `/var/log/httpd/` on RHEL-based systems): HTTP request/response and error logs. Linux is the server for most websites, so this is important.

Other logs worth knowing:

- `/var/log/cron`: events related to cron jobs.
- `/var/log/kern.log`: kernel messages and errors, useful for more advanced investigations.
- `/var/log/dpkg.log` (or `/var/log/apt/`): package manager logs on Debian-based systems.
- `/var/log/dnf.log` (or `/var/log/yum.log`): package manager logs on RHEL-based systems.
- `~/.bash_history`: per-user command history. Note that bash writes it only when the shell exits and the user can edit or disable it, so treat it as a hint, not as reliable evidence.

As mentioned, user activity does not get logged out of the box. For that we need a separate tool, auditd (comparable to Sysmon on Windows). It is the standard tool for tracking runtime events: it monitors system calls, i.e. the moments when a program asks the kernel to do something.
When a user types `whoami` in a shell, the shell asks the kernel to run the binary through the `execve` system call:
`whoami -> shell calls execve("/usr/bin/whoami") -> kernel`
The kernel audit subsystem records this system call and auditd writes it to the log.
However, auditing every system call produces a massive amount of data and a lot of noise in the SIEM, so we log selectively. We write audit rules that watch only for high-risk behaviour:
- changes to sensitive files (`/etc/shadow`, `/etc/passwd`);
- execution of tools an attacker typically uses (`nmap`, `netcat`, `chmod`, `useradd`);
- shells being spawned (`/bin/sh`).

We can view the generated logs in real time in `/var/log/audit/audit.log`, but it is easier to use the `ausearch` command, as it formats the output for better readability and supports filtering options (for example by rule key with `-k` or by login uid with `-ua`).
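As an added example (not code from the original page or from the auditd project), the following Python script shows what `ausearch -k` does under the hood: it parses raw `audit.log` records, joins the SYSCALL, EXECVE, PATH and PROCTITLE records that share one event id, decodes auditd's hex-encoded fields, and keeps only events tagged with a high-risk rule key. The log lines are constructed, not captured, and assume two rule keys, `recon_tools` and `identity_files`, that rules like the ones above would set with `-k`.

```python
import re
from collections import defaultdict

# Constructed sample in /var/log/audit/audit.log format (not a real capture). The records
# are what auditd would emit for two assumed rule keys, "recon_tools" (execve of nmap) and
# "identity_files" (writes to /etc/shadow), plus one unkeyed whoami execution as noise.
# On x86_64, syscall=59 is execve and syscall=257 is openat.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1704240000.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=55d2a4c0 a1=55d2a4e0 a2=55d2a500 a3=8 items=2 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="nmap" exe="/usr/bin/nmap" subj=unconfined key="recon_tools"
type=EXECVE msg=audit(1704240000.123:456): argc=3 a0="nmap" a1="-sS" a2="10.0.0.5"
type=CWD msg=audit(1704240000.123:456): cwd="/home/bob"
type=PATH msg=audit(1704240000.123:456): item=0 name="/usr/bin/nmap" inode=131 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1704240000.123:456): proctitle=6E6D6170002D73530031302E302E302E35
type=SYSCALL msg=audit(1704240100.500:470): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c40 a2=80241 a3=1a4 items=1 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" subj=unconfined key="identity_files"
type=PATH msg=audit(1704240100.500:470): item=0 name="/etc/shadow" inode=262 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1704240200.001:480): arch=c000003e syscall=59 success=yes exit=0 a0=55d2a600 a1=55d2a620 a2=55d2a640 a3=8 items=2 ppid=1234 pid=1240 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="whoami" exe="/usr/bin/whoami" subj=unconfined key=(null)
type=EXECVE msg=audit(1704240200.001:480): argc=1 a0="whoami"
"""

AUDIT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_DIGITS = set("0123456789abcdefABCDEF")


def unquote(value):
    """auditd quotes plain strings and hex-encodes ones containing spaces, quotes or
    control bytes (proctitle is argv joined by NUL). Undo either encoding."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if value and len(value) % 2 == 0 and set(value) <= HEX_DIGITS:
        return bytes.fromhex(value).decode("utf-8", errors="replace").replace("\x00", " ")
    return value


def parse_record(line):
    """One audit.log line -> dict of raw key=value fields plus the event id."""
    fields = dict(FIELD.findall(line))
    m = AUDIT_ID.search(line)
    if m is None:
        raise ValueError("not an audit record: " + line)
    fields["event_id"] = f"{m.group(1)}:{m.group(2)}"
    return fields


def group_events(log_text):
    """Records of one event share the same msg=audit(time:serial) id; ausearch joins
    them, this does the same by hand. Returns {event_id: [records]} in log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["event_id"]].append(rec)
    return events


def summarize(records):
    """Collapse one event's records into the fields an analyst looks at first."""
    s = {"key": None, "exe": None, "auid": None, "uid": None, "syscall": None,
         "success": None, "argv": [], "paths": [], "proctitle": None}
    for rec in records:
        t = rec["type"]
        if t == "SYSCALL":
            s["key"] = unquote(rec.get("key", "(null)"))
            s["exe"] = unquote(rec.get("exe", ""))
            s["auid"], s["uid"] = rec.get("auid"), rec.get("uid")
            s["syscall"], s["success"] = rec.get("syscall"), rec.get("success")
        elif t == "EXECVE":
            s["argv"] = [unquote(rec[f"a{i}"]) for i in range(int(rec["argc"]))]
        elif t == "PATH":
            s["paths"].append(unquote(rec["name"]))
        elif t == "PROCTITLE":
            s["proctitle"] = unquote(rec["proctitle"])
    return s


def high_risk_events(log_text, keys=("recon_tools", "identity_files")):
    """Equivalent of running `ausearch -k <key>` for each key: keep only events whose
    rule key is in `keys`, dropping unkeyed noise such as the whoami execution."""
    hits = []
    for event_id, records in group_events(log_text).items():
        s = summarize(records)
        if s["key"] in keys:
            s["event_id"] = event_id
            hits.append(s)
    return hits


if __name__ == "__main__":
    for hit in high_risk_events(SAMPLE_AUDIT_LOG):
        print(hit["event_id"], hit["key"], "auid=" + hit["auid"], "uid=" + hit["uid"],
              hit["exe"], hit["argv"] or hit["paths"])
```

Note the `auid` field: it is the login uid set when the user authenticates and it survives `sudo`, so the `/etc/shadow` write above shows `uid=0` but `auid=1000`. That is the field to pivot on when attributing an action to a person, which is also why `ausearch -ua` exists.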
auditd logs endpoint activity; it does not focus on network logs, so it is not a substitute for them.

Last Modified: 2026-01-03