auditd Audit Logs (audit.log)
Tags: linux, Authentication & Access, Disk Image, SIEM / Log Aggregator
Location
/var/log/audit/audit.log (or the rotated copies /var/log/audit/audit.log.*)
Description
Log written by the Linux Audit daemon (auditd) from kernel audit events. What gets recorded is determined by the loaded audit rules (auditctl, /etc/audit/rules.d). With an execve rule loaded it records EXECVE (command execution with full argv) together with the matching SYSCALL record, CWD, PATH (files resolved by the call) and PROCTITLE; file access and network syscalls appear as SYSCALL/PATH records when rules cover them; authentication and privilege changes arrive via PAM and sudo as USER_AUTH, USER_LOGIN, USER_CMD and CRED_ACQ records. All records belonging to one event share the serial in msg=audit(timestamp:serial).
Forensic Value
auditd offers some of the most granular host visibility available on Linux, but only for what the loaded rules ask for: with an execve rule (for example -a always,exit -F arch=b64 -S execve -k exec) every command is recorded as an EXECVE record with its full argv, which survives a cleared or bypassed shell history; file opens, connect() calls and privilege changes are recorded as SYSCALL events only if rules cover those syscalls, and many distributions ship auditd with no rules loaded. Each event is a group of records (SYSCALL, EXECVE, CWD, PATH, PROCTITLE) sharing the serial in msg=audit(timestamp:serial); the auid field is the login uid and persists across su and sudo, so root actions can be attributed to the user who originally logged in. Arguments containing spaces or special characters are stored hex-encoded in the raw file; ausearch -i decodes them and resolves numeric uids to names. The local file is writable by root and can be truncated by an attacker who gains root, so the trail is tamper-resistant only when records are also forwarded off-host (audisp remote or syslog plugin, or a log shipper) to a collector the attacker cannot reach. ausearch (-k key, -ua user, -ts/-te time window) and aureport enable efficient filtering by event type, user, rule key and timeframe.
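Worked example of the record correlation described above. This is an added Python script, not part of the page's tooling and not a replacement for ausearch: it reads constructed audit.log lines, groups SYSCALL/EXECVE/CWD/PATH/PROCTITLE records by event serial, decodes hex-encoded arguments, rebuilds each command line with its login uid, and flags root commands issued by a non-root login uid, commands touching sensitive paths, and download-pipe-to-shell patterns. The sample lines, the rule key "exec", the sensitive-path list and the detection regex are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt for illustration (not captured from a real host).
# Event 4567: a user who logged in as uid 1000 reads /etc/shadow after elevating to root.
# Event 4568: the same login session runs a download-and-pipe-to-shell one-liner;
# a2 is hex-encoded because the argument contains spaces.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c8e5a2a0 a1=55d0c8e5a2f0 a2=55d0c8e5b010 a3=8 items=2 ppid=1234 pid=1250 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="exec"
type=EXECVE msg=audit(1700000000.123:4567): argc=2 a0="cat" a1="/etc/shadow"
type=CWD msg=audit(1700000000.123:4567): cwd="/root"
type=PATH msg=audit(1700000000.123:4567): item=0 name="/usr/bin/cat" inode=131 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.123:4567): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1700000000.456:4568): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c8e5c100 a1=55d0c8e5c160 a2=55d0c8e5b010 a3=8 items=2 ppid=1234 pid=1260 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined key="exec"
type=EXECVE msg=audit(1700000000.456:4568): argc=3 a0="bash" a1="-c" a2=6375726C20687474703A2F2F6578616D706C652E636F6D2F782E7368207C207368
type=CWD msg=audit(1700000000.456:4568): cwd="/home/alice"
"""

FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
HEX_RE = re.compile(r'[0-9A-Fa-f]+')
# String fields the kernel hex-encodes when they contain spaces, quotes or control bytes.
HEX_FIELDS = {'proctitle', 'name', 'cwd', 'comm', 'exe'}
AUID_UNSET = '4294967295'  # auid of processes with no login session (daemons, cron)
SENSITIVE_PATHS = ('/etc/shadow', '/etc/sudoers', '/root/.ssh')  # assumed watch list
PIPE_TO_SHELL = re.compile(r'\b(curl|wget)\b.*\|\s*(ba)?sh\b')


def decode_value(raw, may_be_hex):
    """Strip quotes from safe strings; hex-decode fields auditd encoded as hex."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if may_be_hex and raw and len(raw) % 2 == 0 and HEX_RE.fullmatch(raw):
        # proctitle separates argv entries with NUL; render it as a space
        return bytes.fromhex(raw).decode('utf-8', 'replace').replace('\x00', ' ')
    return raw


def parse_record(line):
    """Parse one audit.log line into a dict; records of one event share _serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {'_ts': float(m.group(1)), '_serial': int(m.group(2))}
    for key, raw in FIELD_RE.findall(line):
        if key == 'msg':
            continue
        # Only EXECVE aN fields are strings; in SYSCALL records a0..a3 are raw pointers.
        is_arg = rec.get('type') == 'EXECVE' and re.fullmatch(r'a\d+', key) is not None
        rec[key] = decode_value(raw, key in HEX_FIELDS or is_arg)
    return rec


def parse_log(text):
    """Group all records by event serial."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec['_serial']].append(rec)
    return events


def reconstruct_execs(events):
    """Join SYSCALL + EXECVE + CWD records of each event into one exec summary."""
    execs = []
    for serial, recs in sorted(events.items()):
        by_type = {r['type']: r for r in recs}
        if 'EXECVE' not in by_type:
            continue
        ex, sc = by_type['EXECVE'], by_type.get('SYSCALL', {})
        argv = [ex.get('a%d' % i, '') for i in range(int(ex.get('argc', 0)))]
        execs.append({
            'serial': serial, 'ts': ex['_ts'],
            'auid': sc.get('auid'), 'uid': sc.get('uid'),
            'exe': sc.get('exe'), 'cwd': by_type.get('CWD', {}).get('cwd'),
            'key': sc.get('key'), 'argv': argv, 'cmd': ' '.join(argv),
        })
    return execs


def flag(execs):
    """Return (serial, cmd, reasons) for exec events matching the assumed detections."""
    findings = []
    for e in execs:
        reasons = []
        if e['auid'] not in (None, AUID_UNSET, '0') and e['uid'] == '0':
            reasons.append('root command by non-root login uid %s' % e['auid'])
        if any(p in e['cmd'] for p in SENSITIVE_PATHS):
            reasons.append('touches sensitive path')
        if PIPE_TO_SHELL.search(e['cmd']):
            reasons.append('download piped to shell')
        if reasons:
            findings.append((e['serial'], e['cmd'], reasons))
    return findings


if __name__ == '__main__':
    for serial, cmd, reasons in flag(reconstruct_execs(parse_log(SAMPLE_LOG))):
        print(serial, repr(cmd), '; '.join(reasons))
```

Point the script at a real file by replacing SAMPLE_LOG with the contents of /var/log/audit/audit.log; on a live system ausearch -i -k exec gives the same decoded view, and the value of doing it yourself is on a disk image where only the raw file is available.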
Tools Required
aureport, ausearch, grep, SIEM (Splunk, Elastic)