auth.log / secure
Location
/var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS)Description
Authentication log recording all PAM-based authentication events including SSH logins, sudo usage, su escalation, user creation (useradd), password changes, and public key acceptance.
Forensic Value
This is the primary artifact for detecting unauthorized access on Linux. Accepted publickey entries confirm SSH key-based access and log the key fingerprint, identifying which key was used. Repeated "Failed password" entries expose brute-force attacks with source IPs. Sudo command logs record the exact commands run with elevated privileges, creating an execution timeline for privileged actions even when .bash_history is cleared.
Tools Required
Used in Procedures
Related Blockers
Critical Logs Rotated/Overwritten Before Collection
Key log files (Security EVTX, web server access logs, syslog) have been rotated out or overwritten due to aggressive retention settings, high volume, or attacker manipulation. The evidence window for those sources is now closed.
SIEM Not Ingesting Relevant Log Sources
The SIEM does not ingest logs from the affected systems, applications, or network segments. Correlation, alerting, and historical search capabilities are unavailable for the evidence sources most relevant to this incident.
Legal Requesting Preservation Conflicts with Containment
Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.
Attacker Used Timestomping, Log Clearing, or Other Anti-Forensics
Evidence of deliberate anti-forensic activity has been found: timestamps modified, event logs cleared, prefetch/shimcache wiped, or tools designed to defeat forensic analysis were executed. Standard timeline analysis may be unreliable.