Kernel Log (kern.log)
Tags
linux, System Configuration, Disk Image, SIEM / Log Aggregator
Location
/var/log/kern.log (Debian/Ubuntu) or kernel messages in /var/log/messages (RHEL/CentOS)
Description
Kernel ring buffer messages logged to disk capturing hardware events, kernel module loading/unloading, memory errors, device attachment, and security subsystem messages from SELinux/AppArmor.
Forensic Value
Kernel logs reveal rootkit activity through unexpected module loading events and kernel taint flags (for example, an out-of-tree or unsigned module tainting the kernel). USB device attachment events, which include vendor/product IDs and serial numbers, supplement physical access investigations. Out-of-memory (OOM) kill events can indicate cryptominer or other resource exhaustion activity. Repeated segmentation faults in a service process may indicate active exploitation attempts. Entries recording a network interface entering promiscuous mode reveal packet sniffing.
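The following Python script is an added example, not part of this reference page or any tool it names: it triages the message types listed above (module taint, USB attachment with serial number, OOM kills, segfaults, promiscuous mode) from kern.log-style lines. The sample log lines are constructed to resemble common rsyslog kernel message formats; the hostname, PIDs, addresses, module name and USB serial are made up.

```python
import re
from collections import Counter

# Constructed sample kern.log lines in the syslog layout rsyslog writes on
# Debian/Ubuntu. Every identifier below is made up for the example.
SAMPLE_KERN_LOG = """\
Mar 10 09:15:21 srv01 kernel: [ 1203.441012] usb 1-1: New USB device found, idVendor=0781, idProduct=5591, bcdDevice= 1.00
Mar 10 09:15:21 srv01 kernel: [ 1203.441030] usb 1-1: SerialNumber: 4C530001234567891234
Mar 10 09:17:02 srv01 kernel: [ 1304.002118] examplemod: loading out-of-tree module taints kernel.
Mar 10 09:17:02 srv01 kernel: [ 1304.002301] examplemod: module verification failed: signature and/or required key missing - tainting kernel
Mar 10 09:20:44 srv01 kernel: [ 1526.118420] device eth0 entered promiscuous mode
Mar 10 09:25:10 srv01 kernel: [ 1792.310004] Out of memory: Killed process 4412 (bigproc) total-vm:8123456kB, anon-rss:7900000kB, file-rss:0kB
Mar 10 09:27:33 srv01 kernel: [ 1935.500231] httpd[5120]: segfault at 0 ip 00007f3a1c0b2a1c sp 00007ffd4e2c1e40 error 4 in libc.so.6[7f3a1c080000+1c0000]
Mar 10 09:30:00 srv01 kernel: [ 2082.000001] EXT4-fs (sda1): mounted filesystem with ordered data mode.
"""

# "Mon DD HH:MM:SS host kernel: [ uptime ] message"
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: \[\s*[\d.]+\] (?P<msg>.*)$"
)

# One pattern per forensic category; first match wins, so order matters.
PATTERNS = {
    "usb_attach": re.compile(
        r"usb (?P<dev>[^\s:]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
    ),
    "usb_serial": re.compile(r"usb (?P<dev>[^\s:]+): SerialNumber: (?P<serial>\S+)"),
    "module_taint": re.compile(
        r"(?P<module>[^\s:]+): (?:loading out-of-tree module taints kernel|module verification failed)"
    ),
    "promisc": re.compile(r"device (?P<iface>\S+) entered promiscuous mode"),
    "oom_kill": re.compile(r"Out of memory: Kill(?:ed)? process (?P<pid>\d+) \((?P<comm>[^)]+)\)"),
    "segfault": re.compile(
        r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp \S+ error (?P<err>\d+)"
    ),
}


def decode_segfault_error(err):
    """Decode the x86 page-fault error code the kernel prints after 'error'.

    bit 0: protection violation (1) vs. page not present (0)
    bit 1: write (1) vs. read (0)
    bit 2: user mode (1) vs. kernel mode (0)
    """
    return ", ".join([
        "protection violation" if err & 1 else "page not present",
        "write" if err & 2 else "read",
        "user mode" if err & 4 else "kernel mode",
    ])


def triage_kern_log(text):
    """Return one finding dict per security-relevant kernel message, in log order.

    USB SerialNumber lines are folded into the preceding attach record for the
    same port rather than reported separately, so one finding = one device.
    """
    findings = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if not head:
            continue
        msg = head.group("msg")
        for category, pattern in PATTERNS.items():
            m = pattern.search(msg)
            if not m:
                continue
            detail = m.groupdict()
            if category == "usb_serial":
                for f in findings:
                    if f["category"] == "usb_attach" and f["dev"] == detail["dev"]:
                        f["serial"] = detail["serial"]
                break
            if category == "segfault":
                detail["decoded"] = decode_segfault_error(int(detail["err"]))
            findings.append({"ts": head.group("ts"), "host": head.group("host"),
                             "category": category, **detail})
            break
    return findings


def summarize(findings):
    """Count findings per category, e.g. to spot a burst of segfaults."""
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    results = triage_kern_log(SAMPLE_KERN_LOG)
    for f in results:
        print(f)
    print(summarize(results))
```

To run against a real file, replace SAMPLE_KERN_LOG with the contents of /var/log/kern.log (or `journalctl -k --no-pager` output after adjusting HEADER for its timestamp layout). The segfault decoder is worth keeping: a user-mode write to a non-present page at a low address repeating across many PIDs of the same service reads very differently from a single read fault.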
Tools Required
grep, journalctl -k, dmesg, less