Linux system logs are one of the richest and most reliable sources of evidence in Linux forensics. Almost every service, user action, authentication attempt, and system event is logged somewhere under the /var/log/ directory. These logs help investigators reconstruct timelines, identify intrusions, detect malicious behavior, and analyze system activity in detail.
This chapter explains the structure of the /var/log/ directory, the purpose of key log files, and the forensic value each provides.
Importance of /var/log in Linux Forensics
The /var/log/ directory contains:
- Authentication logs
- System activity logs
- Cron job logs
- Web server logs
- Boot logs
- Kernel logs
- Service-specific logs
Forensic investigations often begin with /var/log/ because these logs reveal who did what, when, and how.
Key Logs in /var/log and Their Forensic Value
1. auth.log (or secure)
Location:
/var/log/auth.log (Debian/Ubuntu)
/var/log/secure (RHEL/CentOS/Fedora)
This log tracks authentication-related events.
Contains:
- Login attempts
- Successful logins
- Failed logins
- SSH activity
- sudo usage
- Privilege escalations
Forensic value:
- Identify brute-force attacks
- Verify unauthorized access
- Log sudo misuse
- Trace attacker movements via SSH
- Confirm privilege elevation
2. syslog
Location:
/var/log/syslog (Debian/Ubuntu)
A general-purpose system log that tracks a wide range of system events.
Contains:
- Program events
- Service starts/stops
- Kernel messages
- Network events
- Cron messages
Forensic value:
- Detect suspicious services
- Track malware activity
- Reconstruct overall system health
- Identify crashes or misconfigurations
3. messages
Location:
/var/log/messages (RHEL/CentOS/Fedora)
Similar to syslog but used on Red Hat–based systems.
Contains:
- Kernel events
- Hardware issues
- Service events
Forensic value:
- Identify kernel-level anomalies
- Detect hardware-based compromise indicators
- Analyze system behavior patterns
4. dmesg
Location:
/var/log/dmesg
Contains kernel ring buffer logs.
Tracks:
- Driver initialization
- Boot process
- Hardware errors
- Module loading
Forensic value:
- Detect kernel rootkits
- Identify USB device events
- Analyze suspicious drivers
- View startup anomalies
5. boot.log
Location:
/var/log/boot.log
Records the system boot process.
Contains:
- Services started at boot
- Services that failed
- Boot-time errors
Forensic value:
- Detect persistence mechanisms
- Check altered or malicious startup services
- Identify abnormal boot behavior
6. cron Logs
Location:
/var/log/cron or logged inside syslog/messages depending on distro
Tracks scheduled tasks.
Contains:
- cron job executions
- User cron edits
- System-level cron events
Forensic value:
- Detect malicious cron jobs used for persistence
- Identify automated data exfiltration
- Track scheduled malware tasks
7. wtmp, btmp, utmp
Binary logs storing user login data.
Locations:
- wtmp → /var/log/wtmp
- btmp → /var/log/btmp
- utmp → /var/run/utmp
Contents:
- wtmp: Complete login/logout history
- btmp: Failed login attempts
- utmp: Current logged-in users
Tools to read these:
- last (reads wtmp)
- lastb (reads btmp)
- who (reads utmp)
Forensic value:
- Identify login patterns
- Detect brute-force attacks
- Track attacker session times
- Verify anomalous logins
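Because wtmp, btmp and utmp are binary, they cannot be grepped directly; the following added example (not part of the original chapter) parses the 384-byte glibc record layout used on x86_64 and pairs logins with logouts per tty, which is what `last` does. It assumes a little-endian x86_64 system; the sample records are constructed here, not taken from a real wtmp.

```python
import struct
from datetime import datetime, timezone

# On-disk layout of glibc's struct utmp on x86_64 (384 bytes per record); wtmp, btmp and utmp share it.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
UT_TYPES = {2: "BOOT_TIME", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Return one dict per 384-byte record in a wtmp/btmp/utmp byte string."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": UT_TYPES.get(f[0], str(f[0])),
            "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
            "host": _cstr(f[5]), "time": f[9],   # f[9] is ut_tv.tv_sec (epoch seconds)
        })
    return records

def sessions(records):
    """Pair each login (USER_PROCESS) with the logout (DEAD_PROCESS) on the same tty, as `last` does."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            start = open_by_line.pop(r["line"])
            out.append((start["user"], start["host"], start["time"], r["time"]))
    for r in open_by_line.values():          # still logged in when the log ends
        out.append((r["user"], r["host"], r["time"], None))
    return out

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build a constructed record so the parser can be exercised offline."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")

if __name__ == "__main__":
    # Constructed sample: root logs in from a documentation-range address and out 10 min later; alice is still on.
    data = b"".join([make_record(7, 1201, "pts/0", "root", "203.0.113.7", 1700000000),
                     make_record(8, 1201, "pts/0", "", "", 1700000600),
                     make_record(7, 1300, "pts/1", "alice", "192.0.2.10", 1700001000)])
    for user, host, start, end in sessions(parse_utmp(data)):
        stamp = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        dur = "still logged in" if end is None else f"{(end - start) // 60} min"
        print(f"{user:<8} {host:<16} {stamp}  {dur}")
```

To run it against evidence, read the file copied from the image with `open("/path/to/wtmp", "rb").read()` and pass the bytes to `parse_utmp`; btmp records (failed logins) parse the same way but never have a matching DEAD_PROCESS entry.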
8. lastlog
Location:
/var/log/lastlog
Binary file containing each user’s last login time.
View with:
lastlog
Forensic value:
- Detect accounts never used or used unexpectedly
- Spot dormant accounts activated by attackers
9. Apache/Nginx Web Server Logs
Location:
/var/log/apache2/
/var/log/nginx/
Contains:
- Access logs
- Error logs
- HTTP request details
Forensic value:
- Identify web attacks (SQLi, LFI, brute force)
- Detect malware uploads via web forms
- Track suspicious IP addresses
10. mail Logs
Location:
/var/log/mail.log
/var/log/maillog
Contains email server activity.
Forensic value:
- Identify phishing or spam activity
- Detect compromised mail accounts
11. Package Manager Logs
Tracks installed, updated, or removed packages.
Ubuntu/Debian:
/var/log/apt/history.log
/var/log/dpkg.log
RHEL/CentOS:
/var/log/yum.log or /var/log/dnf.log
Forensic value:
- Detect unauthorized software installations
- Track malicious package installations
- Reconstruct system modifications
12. Secure Shell Logs (SSH)
Mostly contained inside:
- /var/log/auth.log
- /var/log/secure
Contains:
- SSH login attempts
- Port-forwarding activity
- Key-based authentication events
Forensic value:
- Detect backdoor SSH keys
- Investigate stolen credentials
- Trace attacker lateral movement
Log Rotation: /var/log/ and .gz Files
Linux rotates logs automatically to preserve disk space.
Examples:
- syslog.1
- syslog.2.gz
- auth.log.1
- auth.log.3.gz
Older logs are compressed but still accessible (for example with zcat or zgrep).
Forensic value:
- Extended timeline analysis
- Detection of older intrusions
- Long-term historical patterns
Techniques for Analyzing Logs
1. Filter with grep
Example:
grep "Failed password" /var/log/auth.log
2. Review timestamps
Correlate events across:
- auth.log
- syslog
- cron
- web logs
3. Identify anomalies
Look for:
- Unknown users
- Unexpected cron jobs
- Strange services starting
- Repeated failed logins
4. Cross-reference with bash history
User-level activity often aligns with log timestamps.
5. Use log analysis tools
Tools include:
- Logstash/ELK
- Splunk
- Graylog
- Syslog-ng
- GoAccess (for web logs)
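The grep, timestamp and anomaly steps above can be combined into a small triage script. The following is an added example, not code from the original chapter: it parses auth.log/secure lines for sshd and sudo events, counts failed passwords per source address, and flags any source that succeeded after failing, which is the pattern behind "repeated failed logins" followed by a compromise. The log lines are constructed for the example, using documentation address ranges, and the message formats assume OpenSSH and sudo defaults.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in auth.log/secure syntax (not a real capture);
# 203.0.113.0/24 and 192.0.2.0/24 are documentation address ranges.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:15:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar  3 10:15:09 host sshd[1208]: Accepted password for root from 203.0.113.7 port 51040 ssh2
Mar  3 10:20:44 host sshd[1300]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar  3 10:21:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

SSHD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+) port")
SUDO_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(\S+) : .*COMMAND=(.*)$")

def parse_auth(text):
    """Turn auth.log text into (timestamp, kind, user, source-or-command) tuples, skipping other lines."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts, result, method, user, ip = m.groups()
            events.append((ts, f"ssh_{result.lower()}", user, ip))
            continue
        m = SUDO_RE.match(line)
        if m:
            ts, user, cmd = m.groups()
            events.append((ts, "sudo", user, cmd))
    return events

def triage(events, threshold=3):
    """Flag sources with >= threshold failures and any success from a source that had failed before."""
    failures = Counter()
    success_after_failure = []
    sudo_cmds = defaultdict(list)
    for ts, kind, user, detail in events:
        if kind == "ssh_failed":
            failures[detail] += 1
        elif kind == "ssh_accepted" and failures[detail]:
            success_after_failure.append((ts, user, detail, failures[detail]))
        elif kind == "sudo":
            sudo_cmds[user].append(detail)
    brute_force = {ip: n for ip, n in failures.items() if n >= threshold}
    return brute_force, success_after_failure, dict(sudo_cmds)

if __name__ == "__main__":
    print(triage(parse_auth(SAMPLE_AUTH_LOG)))
```

On a real system, feed it `open("/var/log/auth.log").read()` (or the gzip-decompressed rotated copies) and raise the threshold to suit the host's normal failure rate.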
Summary
Linux system logs stored under /var/log/ are essential for forensic investigations. They record authentication attempts, system activity, service behavior, web server traffic, cron job execution, boot sequences, and package installations. By examining logs like auth.log, syslog, dmesg, wtmp, cron, and web server logs, investigators can uncover intrusions, reconstruct timelines, and identify malicious behavior with high accuracy.