Daemon Log (daemon.log)
Linux | System Configuration | Disk Image | SIEM / Log Aggregator
Location
/var/log/daemon.log (Debian/Ubuntu) or filtered from /var/log/messages (RHEL/CentOS)
Description
Log file capturing messages from system daemons and background services including cron execution, DHCP client events, network daemon messages, and miscellaneous service output not routed to dedicated log files.
Forensic Value
Daemon logs capture cron job execution confirmations with timestamps that verify whether attacker-scheduled tasks actually ran. DHCP client messages record IP address assignments and network changes. Service start/stop messages for custom daemons installed by attackers appear here when they do not have dedicated log files. This log fills gaps between the specialized auth.log and syslog.
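The three event kinds this paragraph describes (cron execution confirmations, DHCP lease bindings, and service start/stop messages) can be pulled out of a collected daemon.log with a small parser. The example below is added here and is not part of the original card; it assumes the traditional syslog line format (`Mon DD HH:MM:SS host program[pid]: message`) and runs over constructed sample lines, not output from any real host. Pass a file path as the first argument to run it over a copied log instead.

```python
import re
import sys

# Constructed sample daemon.log lines in traditional syslog format.
# They are illustrative only and do not come from a real host.
SAMPLE_LINES = [
    "Jan 14 03:15:01 web01 CRON[21874]: (root) CMD (/usr/local/bin/backup.sh)",
    "Jan 14 03:15:01 web01 CRON[21873]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Jan 14 03:16:42 web01 dhclient[812]: bound to 10.0.2.15 -- renewal in 1800 seconds.",
    "Jan 14 03:20:10 web01 systemd[1]: Started Session 42 of user admin.",
    "Jan 14 03:21:00 web01 systemd[1]: Stopped Network Time Synchronization.",
    "Jan 14 03:25:00 web01 CRON[22010]: (www-data) CMD (/var/www/cleanup.sh)",
    "this line is not syslog formatted",
]

# Traditional syslog header: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# cron's execution confirmation: "(user) CMD (command line)"
CRON_CMD_RE = re.compile(r"^\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")
# dhclient lease binding
DHCP_BOUND_RE = re.compile(r"\bbound to (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
# systemd unit state transitions
SERVICE_RE = re.compile(r"^(?P<action>Started|Stopped|Starting|Stopping) (?P<unit>.+?)\.?$")


def parse_line(line):
    """Split one syslog-format line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Map a parsed record to one of the event kinds the card describes, or None."""
    msg = rec["msg"]
    if rec["prog"].upper() == "CRON":
        m = CRON_CMD_RE.match(msg)
        if m:
            return {"kind": "cron", "ts": rec["ts"], "user": m["user"], "cmd": m["cmd"]}
        return None  # pam_unix session open/close lines carry no command
    if rec["prog"].startswith("dhclient"):
        m = DHCP_BOUND_RE.search(msg)
        if m:
            return {"kind": "dhcp", "ts": rec["ts"], "ip": m["ip"]}
        return None
    if rec["prog"] == "systemd":
        m = SERVICE_RE.match(msg)
        if m:
            return {"kind": "service", "ts": rec["ts"], "action": m["action"], "unit": m["unit"]}
    return None


def triage(lines):
    """Group events by kind and count lines that did not parse (format drift is a finding too)."""
    out = {"cron": [], "dhcp": [], "service": [], "unparsed": 0}
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            out["unparsed"] += 1
            continue
        ev = classify(rec)
        if ev:
            out[ev["kind"]].append(ev)
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = triage(fh)
    else:
        result = triage(SAMPLE_LINES)
    for kind in ("cron", "dhcp", "service"):
        for ev in result[kind]:
            print(ev)
    print("unparsed lines:", result["unparsed"])
```

The cron match is deliberately restricted to `CMD` lines, because those are the confirmations that a scheduled command was actually launched; the surrounding pam_unix session lines only show that cron opened a session. Unparsed lines are counted rather than discarded so that a log that has been normalized or truncated by a central collector (see Collection Constraints) is visible as such.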
Tools Required
grep, journalctl, less, awk
Collection Commands
cp
cp /var/log/daemon.log /forensics/output/daemon.log
grep
grep -i "cron\|DHCP\|started\|stopped" /var/log/daemon.log > /forensics/output/daemon_filtered.log
journalctl
journalctl --facility=daemon --since "2024-01-01" --output json > /forensics/output/daemon_journal.json
tar
tar czf /forensics/output/daemon_logs.tar.gz /var/log/daemon.log*
Collection Constraints
- Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.
MITRE ATT&CK Techniques
T1053.003 (Scheduled Task/Job: Cron), T1543.002 (Create or Modify System Process: Systemd Service), T1059.004 (Command and Scripting Interpreter: Unix Shell)