Linux Log Analysis for Security Teams
Linux log analysis for security teams is the practice of reviewing and correlating Linux system, authentication, and application logs to detect threats, validate alerts, and reconstruct incident timelines. It turns “something feels off” into evidence: what happened, when, by whom, and from where.
Linux log analysis helps security teams detect suspicious activity, validate alerts, and reconstruct incident timelines using Linux system logs, auth logs, and audit telemetry. In practice, strong linux log analysis means you can answer—quickly—who logged in, what ran, what changed, and when.
How Linux log analysis works
Effective Linux log analysis is less about reading files line-by-line and more about a repeatable workflow: identify the right log sources, normalize time, query for high-signal events, then pivot (user → host → process → network).
1) Know the core Linux log sources
Most investigations start with three buckets:
- System logs
- On systemd-based distros, the canonical source is the systemd journal (
journald). -
On traditional syslog setups, messages land under
/var/log/(e.g.,/var/log/syslog,/var/log/messages). -
Authentication and authorization logs
- Common files:
/var/log/auth.log(Debian/Ubuntu) or/var/log/secure(RHEL/CentOS/Amazon Linux). -
Tracks SSH logins, sudo usage, PAM events, and some account changes.
-
Auditing (high-fidelity security events)
- Linux Audit (
auditd) logs: typically/var/log/audit/audit.log. - Records syscalls and security-relevant actions (process exec, file access, privilege changes) when rules are configured.
Application logs (web servers, databases, container runtimes) often provide the missing context when system logs only show a symptom.
2) Collect and centralize (without breaking evidence)
Security teams commonly do both:
- Local triage: quick CLI queries on the host to confirm/deny suspicion.
- Central analysis: forward logs to a SIEM/log platform for correlation across hosts and longer retention.
If you’re in an incident, preserve integrity: - Capture time sync status (NTP/chrony) to trust timestamps. - Export relevant log slices (time bounded) rather than editing files in place. - If possible, collect via read-only methods and maintain chain-of-custody in your IR process.
If your organization is also standardizing endpoint telemetry, see our Windows endpoint security comparison: best antivirus for windows business endpoints 2026.
3) Build a security-first query strategy
Instead of “search everything,” start with high-signal pivots:
- Initial access: SSH logins, failed brute force, new keys, unusual source IPs.
- Privilege escalation: sudo usage, setuid binaries, policy changes.
- Persistence: new services, cron jobs, systemd timers, new users.
- Defense evasion: log deletion attempts, auditd disabled, time changes.
- Execution: suspicious commands, unexpected process trees, interpreter abuse (
bash,python,curl|shpatterns).
Tip: When your detections mention IOCs, make sure your team aligns on what an IOC is and how to operationalize it in queries and alerts: what is an ioc.
4) Correlate events into a timeline
A useful outcome is a timeline that answers: - Which account(s) did it? - From which IP / terminal? - What processes ran (parent/child)? - What changed on disk or in configuration? - Did activity spread to other hosts?
Correlation improves dramatically when you have: - Consistent hostnames and asset tags - Accurate time sync - Centralized logs with retention beyond a few days - Parsing that preserves fields (user, IP, PID, unit, syscall)
Fast local triage commands (CLI)
Below are practical starting points you can run during triage. Adjust time windows and paths for your distro.
# 1) Check time sync (timestamp trust)
timedatectl status
chronyc tracking 2>/dev/null || true
# 2) Systemd journal: last boot, high priority events
journalctl -b --no-pager -p warning..alert
# 3) Journal: authentication-related messages (common on many distros)
journalctl -b --no-pager _SYSTEMD_UNIT=ssh.service
journalctl -b --no-pager | egrep -i "sshd|sudo|pam|authentication failure|Accepted|Failed"
# 4) Debian/Ubuntu auth log (if present)
sudo egrep -i "sshd|sudo|pam|Accepted|Failed|Invalid user" /var/log/auth.log
# 5) RHEL-family secure log (if present)
sudo egrep -i "sshd|sudo|pam|Accepted|Failed|Invalid user" /var/log/secure
# 6) Auditd quick look (if enabled)
sudo tail -n 200 /var/log/audit/audit.log
sudo ausearch -ts today -m USER_LOGIN,USER_AUTH,USER_ACCT,USER_CMD,EXECVE 2>/dev/null
# 7) Persistence checks: systemd units/timers and cron
systemctl list-unit-files --state=enabled
systemctl list-timers --all
sudo ls -la /etc/cron* /var/spool/cron 2>/dev/null || true
Log patterns that should raise eyebrows
Use these as quick filters during hunts:
# SSH brute force / password guessing
Failed password for (invalid user )?\S+ from <IP>
Invalid user \S+ from <IP>
authentication failure;.*rhost=<IP>
# Successful SSH access (confirm legitimacy)
Accepted (password|publickey) for <user> from <IP> port <n> ssh2
# Privilege escalation / sudo
sudo: <user> : TTY=.* ; PWD=.* ; USER=root ; COMMAND=.*
# Account changes (often visible in auth logs)
useradd|usermod|passwd|chage
Tip: Pair “Accepted publickey” with the exact account and source IP, then pivot to what commands ran immediately after (auditd, bash history where appropriate, and process execution logs).
When you’ll encounter Linux log analysis
Linux log analysis shows up in daily SecOps and in high-pressure incident response. Common triggers include:
- Alert validation: EDR/SIEM fires on suspicious process execution, but you need logs to confirm who ran it and how it started (systemd unit, cron, SSH session).
- Suspected credential compromise: Sudden login from a new ASN/geo, repeated failures followed by a success, or logins at unusual hours.
- Web server incidents: 404 bursts, command injection attempts, webshell indicators. You’ll pivot between Nginx/Apache access logs and system/process logs.
- Ransomware or wiper behavior: Mass file modifications, service stoppage, disabling security controls. Logs help scope impact and identify patient zero.
- Insider or misuse investigations: Unapproved administrative actions, data access, or configuration changes.
- Compliance and audit readiness: Proving access controls and administrative actions were monitored and retained.
Where Linux logs commonly live
Paths vary by distro and configuration, but these are frequent:
# System logs (non-systemd or syslog-based)
/var/log/syslog (Debian/Ubuntu)
/var/log/messages (RHEL-family, some configs)
# Auth logs
/var/log/auth.log (Debian/Ubuntu)
/var/log/secure (RHEL/CentOS/Amazon Linux)
# Audit logs
/var/log/audit/audit.log (auditd)
# Web logs
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/apache2/access.log
/var/log/httpd/access_log
Also watch for container and orchestration logs (Docker, containerd, Kubernetes). In modern environments, a “Linux incident” may actually be a container breakout or a compromised workload generating host-level artifacts.
Tooling notes (SIEM, EDR, and practical add-ons)
- SIEM/log platforms: Centralization is what turns “one host” into an investigation across fleets. Preserve important fields (user, IP, PID, systemd unit, syscall) during parsing.
- EDR/XDR: Endpoint telemetry can complement logs (process trees, network connections). Still, Linux logs are often the fastest ground truth when an alert is ambiguous.
- VPN for admin access: If your team administers Linux servers over untrusted networks, a reputable business VPN can reduce exposure during remote access. For example, NordVPN (Check NordVPN pricing →) or Surfshark (Try Proton VPN →) are commonly used options—ensure your choice fits your authentication, logging, and access-control requirements.
- Malware scanning during triage: When policy allows, a lightweight scanner can help confirm suspected payloads on disk. Malwarebytes (Get Malwarebytes →) is one option; treat scanner results as supporting evidence, not a replacement for log-based timelines.
Related terms
A logging standard and ecosystem (e.g., rsyslog, syslog-ng) for routing events locally and to central collectors.
The systemd journal service storing structured logs queryable via journalctl.
Security Information and Event Management platforms that ingest logs, normalize fields, correlate events, and alert.
Kernel audit framework and userspace daemon for high-fidelity event logging (syscalls, execs, file access), depending on rules.
Authentication framework; many login/auth events include “pam_*” entries.
Indicators of Compromise / Attack—log-derived patterns that suggest a breach or technique.
Triage is fast scoping and containment; forensics is deeper evidence preservation and analysis.
How long logs are stored and how they rotate (e.g., logrotate). Critical for investigations that occur after the fact.
Turning raw messages into structured fields (user, IP, PID, unit) for reliable searches and detections.