Kernel Log (kern.log)

Linux, System Configuration, Disk Image, SIEM / Log Aggregator

Location

/var/log/kern.log (Debian/Ubuntu) or kernel messages in /var/log/messages (RHEL/CentOS)

Description

Kernel ring buffer messages logged to disk capturing hardware events, kernel module loading/unloading, memory errors, device attachment, and security subsystem messages from SELinux/AppArmor.

Forensic Value

Kernel logs reveal rootkit activity through unexpected module loading events and kernel taint flags. USB device attachment events with serial numbers supplement physical access investigations. Out-of-memory (OOM) kill events indicate cryptominer or resource exhaustion attacks. Segmentation faults may indicate active exploitation attempts. Network interface promiscuous mode entries detect packet sniffing.

Tools Required

grep, journalctl -k, dmesg, less

Collection Commands

cp

cp /var/log/kern.log /forensics/output/kern.log

dmesg

dmesg -T > /forensics/output/dmesg_timestamped.txt

journalctl

journalctl -k --since "2024-01-01" --output json > /forensics/output/kernel_journal.json

grep

grep -Ei "module|usb|segfault|oom|promiscuous" /var/log/kern.log > /forensics/output/kern_suspicious.log
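As an added example (not part of this reference card), a small Python triage script that parses rsyslog-style kern.log lines and tags the message families listed under Forensic Value (taint/module verification, USB attachment with serial, OOM kills, segfaults, promiscuous mode). It assumes the Debian/Ubuntu kern.log line format; the sample lines and the names host1, exampledrv and minerd are constructed.

```python
import re

# Regexes for the kernel message families the page calls out. Wordings follow
# the upstream kernel sources; other kernel versions may phrase them differently.
INDICATORS = {
    "module_taint": re.compile(r"module verification failed|taint(s|ed|ing) kernel", re.I),
    "usb_attach":   re.compile(r"usb \S+: (New USB device found|SerialNumber: (?P<serial>\S+))", re.I),
    "oom_kill":     re.compile(r"Out of memory: Killed process (?P<pid>\d+) \((?P<proc>[^)]+)\)", re.I),
    "segfault":     re.compile(r"(?P<proc>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>\S+)", re.I),
    "promisc":      re.compile(r"device (?P<iface>\S+) (entered|left) promiscuous mode", re.I),
}

# rsyslog-style kern.log line: "Mon DD HH:MM:SS host kernel: [uptime] message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?:\[ *[\d.]+\] )?(?P<msg>.*)$")

# Constructed sample lines (not from a real host); hex addresses are made up.
SAMPLE_KERN_LOG = """\
Mar  3 09:12:01 host1 kernel: [   12.345678] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar  3 09:12:01 host1 kernel: [   12.345912] usb 1-1: SerialNumber: 4C530001234567890123
Mar  3 09:13:40 host1 kernel: [  111.001122] exampledrv: module verification failed: signature and/or required key missing - tainting kernel
Mar  3 09:15:02 host1 kernel: [  193.400000] device eth0 entered promiscuous mode
Mar  3 09:20:17 host1 kernel: [  508.123456] Out of memory: Killed process 2431 (minerd) total-vm:4096000kB, anon-rss:3900000kB
Mar  3 09:21:05 host1 kernel: [  556.000001] nginx[1890]: segfault at 0 ip 00007f3a1c2b4c10 sp 00007ffd5e1b2c30 error 4 in libc.so.6[7f3a1c2a0000+1c000]
Mar  3 09:22:00 host1 kernel: [  611.000000] audit: type=1400 apparmor="ALLOWED" operation="open" profile="/usr/bin/foo"
"""

def classify(msg):
    """Return (category, captured details) for the first matching indicator, or (None, {})."""
    for name, rx in INDICATORS.items():
        m = rx.search(msg)
        if m:
            return name, {k: v for k, v in m.groupdict().items() if v}
    return None, {}

def triage(lines):
    """Parse kern.log lines and keep only those matching an indicator, with timestamp and details."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue                       # not a kernel line (or unknown format): skip
        cat, details = classify(m["msg"])
        if cat:
            findings.append({"ts": m["ts"], "host": m["host"], "category": cat, **details})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_KERN_LOG.splitlines()):
        print(f)
```

Run it against a copied kern.log with `triage(open(path))`; lines from `journalctl -k` output use a different prefix and would need their own LINE_RE.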

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.

MITRE ATT&CK Techniques

T1547.006, T1014, T1091, T1082