Log Analysis

Log files are a valuable source of information for digital forensic investigators. They can provide insights into a wide range of events, including user activity, system changes, and security incidents. In RHEL, log files are stored in the /var/log directory.

The following log files are discussed in depth in this playbook.

  • /var/log/audit/audit.log: This log contains records of all security-relevant events, such as file access, process creation, and network connections.

  • /var/log/messages: The messages file is a system log file that contains all global system messages, including the messages that are logged during system startup. The configuration for this log is done in the /etc/rsyslog.conf file.

  • /var/log/secure: The secure file is a security log file that contains all security-related messages, including authentication failures. It also tracks sudo use, SSH logins and other errors logged by the System Security Services Daemon (SSSD). The configuration for this log is done in the /etc/rsyslog.conf file.

  • /var/log/btmp: The btmp file is a system log file in Linux that keeps a record of failed logon attempts.

  • /var/log/wtmp: The wtmp file keeps track of successful logons and logoffs.

  • /var/log/cron: Scheduled task (cron) execution history log.

  • /var/log/dnf*, /var/log/anaconda: These logs offer a comprehensive timeline of application changes on a system from installation to the present.

Log file analysis for forensics comes with its own set of challenges and pitfalls.

Log files can be manipulated by attackers to cover their tracks. For example, an attacker might delete or modify log files to remove evidence of their activity. It is important for forensic investigators to be aware of these potential pitfalls and to take steps to verify the integrity of log files.

Another important consideration for log file analysis is log rotation. Log rotation is the process of automatically moving old log files to a different location or deleting them altogether. This is done to prevent log files from becoming too large and to ensure that only the most recent log files are kept. However, log rotation can also make it more difficult for forensic investigators to access historical log data.
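The following script is an added example, not part of this playbook, showing how the /var/log/secure entries described above are typically summarised during an investigation: failed SSH logins counted per source address and sudo invocations listed with invoker, target user and command. It also reads rotated copies (secure-YYYYMMDD, plain or gzip-compressed) alongside the current file, so historical data that rotation has moved out of the active log is not missed. The log lines, host names and addresses are constructed samples in the default rsyslog format; on a real acquisition you would point the functions at the evidence copy of the log directory (for example a mounted image's var/log).

```shell
#!/bin/sh
# Added example (not part of the playbook): summarise /var/log/secure,
# including rotated copies, from a directory of acquired log files.
set -eu

# Build a constructed sample log directory so the script runs offline.
# Host names, users and IP addresses below are made-up sample data.
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/secure" <<'EOF'
Mar  3 10:15:01 host1 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51522 ssh2
Mar  3 10:15:04 host1 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51522 ssh2
Mar  3 10:16:30 host1 sshd[2231]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2
Mar  3 10:17:02 host1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
EOF
    # A rotated copy from the previous period; compressed when gzip is available.
    cat > "$dir/secure-20240225" <<'EOF'
Feb 24 23:59:10 host1 sshd[1901]: Failed password for root from 203.0.113.5 port 50011 ssh2
Feb 24 23:59:12 host1 sshd[1901]: Failed password for root from 192.0.2.44 port 50012 ssh2
EOF
    if command -v gzip >/dev/null 2>&1; then gzip "$dir/secure-20240225"; fi
    echo "$dir"
}

# Concatenate the active secure log and every rotated copy in the given
# directory, decompressing .gz rotations on the fly.
read_secure_logs() {
    for f in "$1"/secure "$1"/secure-*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# Count sshd "Failed password" events per source address, most frequent first.
# Output format: "<ip> <count>" per line.
failed_logins_by_source() {
    read_secure_logs "$1" | awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
        }
        END { for (ip in count) printf "%s %d\n", ip, count[ip] }
    ' | sort -k2,2nr -k1,1
}

# List sudo invocations as "<invoker> <target user> <command>".
sudo_commands() {
    read_secure_logs "$1" | awk -F' ; ' '
        / sudo: / {
            who = ""; user = ""; cmd = ""
            n = split($1, t, " ")
            for (j = 1; j < n; j++) if (t[j] == "sudo:") who = t[j + 1]
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^USER=/)    user = substr($i, 6)
                if ($i ~ /^COMMAND=/) cmd  = substr($i, 9)
            }
            print who, user, cmd
        }
    '
}

# Stand-alone demo over the constructed samples.
sample=$(make_sample_logs)
echo "Failed SSH logins by source (active + rotated logs):"
failed_logins_by_source "$sample"
echo "sudo commands:"
sudo_commands "$sample"
rm -rf "$sample"
```

Against a real acquisition, call `failed_logins_by_source /path/to/evidence/var/log` and `sudo_commands /path/to/evidence/var/log`; counting across the rotated copies is what turns a single day's view into the longer timeline that the rotation caveat above is about.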

Log configuration

RHEL 9 defaults to using rsyslog for log management. The rsyslog configuration is maintained in the /etc/rsyslog.conf file. Please review the rsyslog documentation to learn its capabilities [1] [2] [3]. Note that the contents and locations of the above log files depend on the settings in this file, so changing it changes what is logged and where. Ensure that the configuration has not been tampered with by comparing it with corporate baselines or policies.
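The script below is an added example, not part of this playbook, covering the two integrity checks raised on this page: verifying that acquired log files still match the hashes recorded at collection time (the log-tampering concern above), and comparing the acquired /etc/rsyslog.conf against a corporate baseline so that a changed or disabled logging rule stands out (the configuration check in this section). The baseline configuration, the evidence files and the hash manifest are constructed samples; the manifest format is the two-column "hash  path" layout that sha256sum uses.

```shell
#!/bin/sh
# Added example (not part of the playbook): verify acquired log evidence
# against a hash manifest and detect rsyslog.conf drift from a baseline.
set -eu

# SHA-256 of one file, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Build a constructed sample: a corporate baseline config, an evidence tree
# whose rsyslog.conf has the authpriv rule commented out, and a manifest of
# the evidence hashes as recorded at acquisition time.
make_sample_configs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/baseline" "$dir/evidence/etc" "$dir/evidence/var/log"
    cat > "$dir/baseline/rsyslog.conf" <<'EOF'
# Corporate baseline (constructed sample)
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
cron.*                                                  /var/log/cron
EOF
    cat > "$dir/evidence/etc/rsyslog.conf" <<'EOF'
# Acquired from the system under investigation (constructed sample)
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
#authpriv.*                                             /var/log/secure
cron.*                                                  /var/log/cron
EOF
    echo "Mar  3 10:16:30 host1 sshd[2231]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2" \
        > "$dir/evidence/var/log/secure"
    for p in etc/rsyslog.conf var/log/secure; do
        printf '%s  %s\n' "$(hash_file "$dir/evidence/$p")" "$p"
    done > "$dir/evidence.sha256"
    echo "$dir"
}

# Re-hash every file listed in the manifest under the evidence root.
# Prints "OK|CHANGED|MISSING <path>" per entry; returns 1 if any is not OK.
verify_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; bad=1
        elif [ "$(hash_file "$root/$path")" = "$expected" ]; then
            echo "OK $path"
        else
            echo "CHANGED $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Effective directives only: drop comment and blank lines so that a rule
# which was commented out shows up as a removed line in the diff.
active_directives() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || :
}

# Diff the effective directives of a baseline and an acquired config.
# Prints the diff; returns 1 when they differ.
config_drift() {
    a=$(mktemp); b=$(mktemp)
    active_directives "$1" > "$a"
    active_directives "$2" > "$b"
    if diff "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# Stand-alone demo over the constructed samples.
sample=$(make_sample_configs)
echo "Evidence integrity:"
verify_manifest "$sample/evidence.sha256" "$sample/evidence" || echo "-> evidence does not match manifest"
echo "rsyslog.conf drift from baseline:"
config_drift "$sample/baseline/rsyslog.conf" "$sample/evidence/etc/rsyslog.conf" || echo "-> configuration differs from baseline"
rm -rf "$sample"
```

The manifest check only proves that the evidence copy is unchanged since acquisition; it cannot show that the original logs were intact on the live system, which is why the configuration comparison matters as well. The diff ignores comment and blank lines but not whitespace inside a rule, so a baseline kept in the same formatting as the deployed file gives the least noise.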