syslog / messages

linuxSystem ConfigurationDisk ImageSIEM / Log Aggregator

Location

/var/log/syslog (Debian/Ubuntu) or /var/log/messages (RHEL/CentOS)

Description

General-purpose system log aggregating kernel messages, service start/stop events, application logs, hardware events, and daemon output via rsyslog or systemd-journald.

Forensic Value

Syslog provides a chronological backbone for timeline reconstruction. Kernel messages reveal module loading (rootkit insertion), OOM kills (cryptominer resource exhaustion), and device attachment events. Service start/stop entries correlate with attacker persistence mechanisms being activated. When combined with auth.log timestamps, syslog fills the gaps between authentication and process execution.

Tools Required

grepjournalctllessawk

Acquisition Methods

dd / dc3dd Raw Disk Image

linux — physical

dcfldd Forensic Disk Image

linux — physical

ewfacquire E01 Disk Image

linux — physical

Guymager Full Disk Image

linux — physical

tar Logical Collection

linux — logical