eastbaycyber

Linux Log Analysis for Security Teams

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

Linux log analysis for security teams is the practice of reviewing and correlating Linux system, authentication, and application logs to detect threats, validate alerts, and reconstruct incident timelines. It turns “something feels off” into evidence: what happened, when, by whom, and from where.

Linux log analysis helps security teams detect suspicious activity, validate alerts, and reconstruct incident timelines using Linux system logs, auth logs, and audit telemetry. In practice, strong linux log analysis means you can answer—quickly—who logged in, what ran, what changed, and when.

How Linux log analysis works

Effective Linux log analysis is less about reading files line-by-line and more about a repeatable workflow: identify the right log sources, normalize time, query for high-signal events, then pivot (user → host → process → network).

1) Know the core Linux log sources

Most investigations start with three buckets:

  • System logs
  • On systemd-based distros, the canonical source is the systemd journal (journald).
  • On traditional syslog setups, messages land under /var/log/ (e.g., /var/log/syslog, /var/log/messages).

  • Authentication and authorization logs

  • Common files: /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS/Amazon Linux).
  • Tracks SSH logins, sudo usage, PAM events, and some account changes.

  • Auditing (high-fidelity security events)

  • Linux Audit (auditd) logs: typically /var/log/audit/audit.log.
  • Records syscalls and security-relevant actions (process exec, file access, privilege changes) when rules are configured.

Application logs (web servers, databases, container runtimes) often provide the missing context when system logs only show a symptom.

2) Collect and centralize (without breaking evidence)

Security teams commonly do both:

  • Local triage: quick CLI queries on the host to confirm/deny suspicion.
  • Central analysis: forward logs to a SIEM/log platform for correlation across hosts and longer retention.

If you’re in an incident, preserve integrity: - Capture time sync status (NTP/chrony) to trust timestamps. - Export relevant log slices (time bounded) rather than editing files in place. - If possible, collect via read-only methods and maintain chain-of-custody in your IR process.

If your organization is also standardizing endpoint telemetry, see our Windows endpoint security comparison: best antivirus for windows business endpoints 2026.

3) Build a security-first query strategy

Instead of “search everything,” start with high-signal pivots:

  • Initial access: SSH logins, failed brute force, new keys, unusual source IPs.
  • Privilege escalation: sudo usage, setuid binaries, policy changes.
  • Persistence: new services, cron jobs, systemd timers, new users.
  • Defense evasion: log deletion attempts, auditd disabled, time changes.
  • Execution: suspicious commands, unexpected process trees, interpreter abuse (bash, python, curl|sh patterns).

Tip: When your detections mention IOCs, make sure your team aligns on what an IOC is and how to operationalize it in queries and alerts: what is an ioc.

4) Correlate events into a timeline

A useful outcome is a timeline that answers: - Which account(s) did it? - From which IP / terminal? - What processes ran (parent/child)? - What changed on disk or in configuration? - Did activity spread to other hosts?

Correlation improves dramatically when you have: - Consistent hostnames and asset tags - Accurate time sync - Centralized logs with retention beyond a few days - Parsing that preserves fields (user, IP, PID, unit, syscall)

Fast local triage commands (CLI)

Below are practical starting points you can run during triage. Adjust time windows and paths for your distro.

# 1) Check time sync (timestamp trust)
timedatectl status
chronyc tracking 2>/dev/null || true

# 2) Systemd journal: last boot, high priority events
journalctl -b --no-pager -p warning..alert

# 3) Journal: authentication-related messages (common on many distros)
journalctl -b --no-pager _SYSTEMD_UNIT=ssh.service
journalctl -b --no-pager | egrep -i "sshd|sudo|pam|authentication failure|Accepted|Failed"

# 4) Debian/Ubuntu auth log (if present)
sudo egrep -i "sshd|sudo|pam|Accepted|Failed|Invalid user" /var/log/auth.log

# 5) RHEL-family secure log (if present)
sudo egrep -i "sshd|sudo|pam|Accepted|Failed|Invalid user" /var/log/secure

# 6) Auditd quick look (if enabled)
sudo tail -n 200 /var/log/audit/audit.log
sudo ausearch -ts today -m USER_LOGIN,USER_AUTH,USER_ACCT,USER_CMD,EXECVE 2>/dev/null

# 7) Persistence checks: systemd units/timers and cron
systemctl list-unit-files --state=enabled
systemctl list-timers --all
sudo ls -la /etc/cron* /var/spool/cron 2>/dev/null || true

Log patterns that should raise eyebrows

Use these as quick filters during hunts:

# SSH brute force / password guessing
Failed password for (invalid user )?\S+ from <IP>
Invalid user \S+ from <IP>
authentication failure;.*rhost=<IP>

# Successful SSH access (confirm legitimacy)
Accepted (password|publickey) for <user> from <IP> port <n> ssh2

# Privilege escalation / sudo
sudo: <user> : TTY=.* ; PWD=.* ; USER=root ; COMMAND=.*

# Account changes (often visible in auth logs)
useradd|usermod|passwd|chage

Tip: Pair “Accepted publickey” with the exact account and source IP, then pivot to what commands ran immediately after (auditd, bash history where appropriate, and process execution logs).

When you’ll encounter Linux log analysis

Linux log analysis shows up in daily SecOps and in high-pressure incident response. Common triggers include:

  • Alert validation: EDR/SIEM fires on suspicious process execution, but you need logs to confirm who ran it and how it started (systemd unit, cron, SSH session).
  • Suspected credential compromise: Sudden login from a new ASN/geo, repeated failures followed by a success, or logins at unusual hours.
  • Web server incidents: 404 bursts, command injection attempts, webshell indicators. You’ll pivot between Nginx/Apache access logs and system/process logs.
  • Ransomware or wiper behavior: Mass file modifications, service stoppage, disabling security controls. Logs help scope impact and identify patient zero.
  • Insider or misuse investigations: Unapproved administrative actions, data access, or configuration changes.
  • Compliance and audit readiness: Proving access controls and administrative actions were monitored and retained.

Where Linux logs commonly live

Paths vary by distro and configuration, but these are frequent:

# System logs (non-systemd or syslog-based)
 /var/log/syslog          (Debian/Ubuntu)
 /var/log/messages        (RHEL-family, some configs)

# Auth logs
 /var/log/auth.log        (Debian/Ubuntu)
 /var/log/secure          (RHEL/CentOS/Amazon Linux)

# Audit logs
 /var/log/audit/audit.log (auditd)

# Web logs
 /var/log/nginx/access.log
 /var/log/nginx/error.log
 /var/log/apache2/access.log
 /var/log/httpd/access_log

Also watch for container and orchestration logs (Docker, containerd, Kubernetes). In modern environments, a “Linux incident” may actually be a container breakout or a compromised workload generating host-level artifacts.

Tooling notes (SIEM, EDR, and practical add-ons)

  • SIEM/log platforms: Centralization is what turns “one host” into an investigation across fleets. Preserve important fields (user, IP, PID, systemd unit, syscall) during parsing.
  • EDR/XDR: Endpoint telemetry can complement logs (process trees, network connections). Still, Linux logs are often the fastest ground truth when an alert is ambiguous.
  • VPN for admin access: If your team administers Linux servers over untrusted networks, a reputable business VPN can reduce exposure during remote access. For example, NordVPN (Check NordVPN pricing →) or Surfshark (Try Proton VPN →) are commonly used options—ensure your choice fits your authentication, logging, and access-control requirements.
  • Malware scanning during triage: When policy allows, a lightweight scanner can help confirm suspected payloads on disk. Malwarebytes (Get Malwarebytes →) is one option; treat scanner results as supporting evidence, not a replacement for log-based timelines.

Related terms

Syslog

A logging standard and ecosystem (e.g., rsyslog, syslog-ng) for routing events locally and to central collectors.

systemd-journald (journald)

The systemd journal service storing structured logs queryable via journalctl.

SIEM

Security Information and Event Management platforms that ingest logs, normalize fields, correlate events, and alert.

Auditd (Linux Audit)

Kernel audit framework and userspace daemon for high-fidelity event logging (syscalls, execs, file access), depending on rules.

PAM (Pluggable Authentication Modules)

Authentication framework; many login/auth events include “pam_*” entries.

IOC / IOA

Indicators of Compromise / Attack—log-derived patterns that suggest a breach or technique.

Triage vs. forensics

Triage is fast scoping and containment; forensics is deeper evidence preservation and analysis.

Log retention &amp; rotation

How long logs are stored and how they rotate (e.g., logrotate). Critical for investigations that occur after the fact.

Normalization &amp; parsing

Turning raw messages into structured fields (user, IP, PID, unit) for reliable searches and detections.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.