7 Critical Linux Logs You Should Review After a Security Incident
Intro:
The first hour after a security incident is crucial. Whether it’s a brute-force attempt, a misconfigured firewall, or worse, your Linux logs hold the story of what really happened. Here are 7 log files that I immediately review when investigating a suspected breach — on both Ubuntu and Red Hat servers.
1. /var/log/auth.log (Ubuntu) / /var/log/secure (Red Hat)
Tracks:
- SSH logins
- Failed sudo attempts
- Successful escalations
✅ Tip: Look for:
grep "Failed password" /var/log/auth.log
grep "Accepted password" /var/log/auth.log
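The two greps above answer "did anyone fail or succeed?", but during an incident you usually want the same events grouped by source address and user, plus the sudo lines from the same file. The script below is an added example, not part of the original post; it assumes the standard OpenSSH and sudo line formats found in auth.log and secure, and it runs against constructed sample lines so it works offline.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise the SSH and sudo
# events in an auth.log / secure file, grouping what the grep commands above
# find so a brute-force burst or an unexpected escalation stands out.
# Assumes the standard OpenSSH and sudo log formats on Ubuntu / Red Hat.

# Constructed sample lines (RFC 5737 documentation addresses, made-up host
# and PIDs) so the example runs offline; pass /var/log/auth.log or
# /var/log/secure to the functions instead on a real host.
SAMPLE_LOG='Mar  3 10:01:02 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40210 ssh2
Mar  3 10:01:05 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 40222 ssh2
Mar  3 10:01:09 web1 sshd[1205]: Failed password for root from 203.0.113.5 port 40231 ssh2
Mar  3 10:02:11 web1 sshd[1210]: Accepted password for alice from 198.51.100.7 port 51520 ssh2
Mar  3 10:02:40 web1 sshd[1212]: Accepted publickey for deploy from 198.51.100.9 port 51530 ssh2
Mar  3 10:03:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:03:30 web1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl stop auditd'

# ssh_auth_summary FILE: one line per (result, method, user, source), most frequent first.
ssh_auth_summary() {
    grep -E 'sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for ' "$1" |
    sed -E 's/.*sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for (invalid user )?([^ ]+) from ([^ ]+) port.*/\1 \2 \4 \5/' |
    sort | uniq -c | sort -rn
}

# noisy_sources FILE MIN: source addresses with at least MIN failed SSH logins.
noisy_sources() {
    grep -E 'sshd\[[0-9]+\]: Failed (password|publickey) for ' "$1" |
    sed -E 's/.* from ([^ ]+) port .*/\1/' |
    sort | uniq -c |
    awk -v min="$2" '$1 >= min { print $2, $1 }'
}

# sudo_events FILE: every sudo invocation as "OK|DENIED user target-user command".
sudo_events() {
    grep -E ' sudo: +[^ ]+ : .*COMMAND=' "$1" |
    sed -E 's/.* sudo: +([^ ]+) : (.*)USER=([^ ]+) ; COMMAND=(.*)/\1 \3 \4|\2/' |
    awk -F'|' '{ status = ($2 ~ /NOT in sudoers|incorrect password/) ? "DENIED" : "OK"; print status, $1 }'
}

# Demonstration on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
echo "== SSH logins by result/method/user/source =="; ssh_auth_summary "$tmp"
echo "== Sources with 3 or more failures =="; noisy_sources "$tmp" 3
echo "== sudo events =="; sudo_events "$tmp"
rm -f "$tmp"
```

On a real host, run it with `noisy_sources /var/log/auth.log 20` (or a threshold that fits your baseline) to get the short list of addresses worth checking first.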
2. /var/log/syslog (Ubuntu) / /var/log/messages (Red Hat)
General system events.
✅ Check for:
- Service crashes
- Unauthorized daemon restarts
- Kernel warnings
3. /var/log/faillog
Summarizes all failed login attempts per user.