syslog / messages

Linux, System Configuration, Disk Image, SIEM / Log Aggregator

Location

/var/log/syslog (Debian/Ubuntu) or /var/log/messages (RHEL/CentOS)

Description

General-purpose system log aggregating kernel messages, service start/stop events, application logs, hardware events, and daemon output via rsyslog or systemd-journald.

Forensic Value

Syslog provides a chronological backbone for timeline reconstruction. Kernel messages reveal module loading (rootkit insertion), OOM kills (cryptominer resource exhaustion), and device attachment events. Service start/stop entries correlate with attacker persistence mechanisms being activated. When combined with auth.log timestamps, syslog fills the gaps between authentication and process execution.
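An added example (not part of the original page) of the timeline work described above: it parses traditional syslog-format lines from syslog and auth.log, tags the kernel, service and authentication events named in the text (module taint, OOM kill, USB attach, service start/stop, accepted login), merges both sources into one timestamp-ordered list, and reports how long after the last accepted login each flagged event occurred. All sample lines, hostnames, PIDs, process names and the 203.0.113.5 address are constructed; the year is assumed to be 2024 because classic syslog lines carry no year.

```python
import re
from datetime import datetime

# Traditional syslog line layout: "Mon DD HH:MM:SS host tag[pid]: message".
# The year is not in the line; the caller supplies it (assumed 2024 here).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
KERNEL_STAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # "[ 8123.441] " dmesg prefix

# Message patterns mapped to the forensic categories discussed in the text.
PATTERNS = [
    ("module_taint", re.compile(r"loading out-of-tree module taints kernel|module verification failed")),
    ("oom_kill", re.compile(r"Out of memory: Killed process (?P<pid>\d+) \((?P<name>[^)]+)\)")),
    ("device_attach", re.compile(r"new (?:low|full|high|super)-speed USB device")),
    ("service_start", re.compile(r"^Start(?:ed|ing) ")),
    ("service_stop", re.compile(r"^Stopp(?:ed|ing) ")),
    ("auth_login", re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")),
]

# Constructed sample input (hostnames, PIDs, module/process names are placeholders).
SYSLOG_SAMPLE = """\
Jan 12 10:15:32 web01 kernel: [ 8123.441] usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jan 12 10:16:05 web01 kernel: [ 8156.002] unknown_mod: loading out-of-tree module taints kernel.
Jan 12 10:16:40 web01 systemd[1]: Started cron-update.service - Periodic update task.
Jan 12 10:42:11 web01 kernel: [ 9687.310] Out of memory: Killed process 4127 (unknown-miner) total-vm:2048000kB, anon-rss:1900000kB, file-rss:0kB, shmem-rss:0kB
Jan 12 10:45:00 web01 CRON[4311]: (root) CMD (run-parts /etc/cron.hourly)
"""
AUTH_SAMPLE = """\
Jan 12 10:15:58 web01 sshd[1201]: Accepted password for root from 203.0.113.5 port 51234 ssh2
Jan 12 10:15:59 web01 sshd[1201]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
"""


def parse_line(line, source, year=2024):
    """Parse one syslog/auth.log line into an event dict, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    if m["tag"] == "kernel":
        msg = KERNEL_STAMP_RE.sub("", msg)  # drop the "[ seconds ]" uptime stamp
    category, details = None, {}
    for name, pat in PATTERNS:
        hit = pat.search(msg)
        if hit:
            category, details = name, hit.groupdict()
            break
    return {"ts": ts, "source": source, "host": m["host"], "tag": m["tag"],
            "pid": m["pid"], "category": category, "details": details, "msg": msg}


def build_timeline(syslog_lines, auth_lines, year=2024):
    """Merge syslog and auth.log lines into one list ordered by timestamp."""
    events = []
    for src, lines in (("syslog", syslog_lines), ("auth.log", auth_lines)):
        for line in lines:
            ev = parse_line(line, src, year)
            if ev is not None:
                events.append(ev)
    events.sort(key=lambda e: e["ts"])  # stable sort keeps file order for equal stamps
    return events


def seconds_after_login(events):
    """For each flagged event after the most recent accepted login, seconds since that login."""
    out, login_ts = [], None
    for ev in events:
        if ev["category"] == "auth_login":
            login_ts = ev["ts"]
        elif ev["category"] and login_ts is not None:
            out.append((ev["category"], int((ev["ts"] - login_ts).total_seconds())))
    return out


if __name__ == "__main__":
    timeline = build_timeline(SYSLOG_SAMPLE.splitlines(), AUTH_SAMPLE.splitlines())
    for ev in timeline:
        print(ev["ts"], ev["source"], ev["category"] or "-", ev["msg"][:60])
    print(seconds_after_login(timeline))
```

On the constructed sample the merged timeline shows the USB attach, then the accepted root login, then the tainting module load seven seconds later, a new service unit starting, and the OOM kill of the miner-like process about 26 minutes in; the same functions can be pointed at the copies collected into /forensics/output by splitting the file contents into lines.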

Tools Required

grep, journalctl, less, awk

Collection Commands

cp

cp -p /var/log/syslog /forensics/output/syslog

tar

tar czf /forensics/output/syslog_all.tar.gz /var/log/syslog* /var/log/messages*

grep

grep -E "kernel|systemd|service" /var/log/syslog > /forensics/output/syslog_filtered.log

journalctl

journalctl --since "2024-01-01" --output json > /forensics/output/journal_full.json

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.

MITRE ATT&CK Techniques

T1059.004, T1082, T1543.002, T1070.002