The default logging facility for Linux systems is syslog. Syslog was developed in the 1980s by Eric Allman, who also developed sendmail; he created syslog as a mechanism to log issues related to sendmail operations. By default syslog stores log messages in log files. Common Linux log file locations are:
/var/log/messages
/var/log/auth.log
/var/log/secure
/var/log/<XYZ Application log>
A form of syslog called rsyslog (r for remote) allows the sending of syslog messages to an external logging system.
Syslog Fields
The standard syslog message has five key fields.
<34>1 2019-06-05T22:14:15.003Z server1 sshd - - pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
PRI
Time/Date
Source Host
Source Process
Message
To determine the syslog PRI, syslog combines a concept called "facility" and "severity" in a mathematical formula. Facility is a number 0-23, and Severity is a number 0-7 (0=Emergency, 1=Alert, 2=Critical, 3=Error, 4=Warning, 5=Notice, 6=Informational, 7=Debug).
Facility = PRI / 8, rounded down to a whole number
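The PRI arithmetic and the five-field layout above, as an added example (not code from the original notes): a small Python parser that reads an RFC 5424 line such as the sshd sample, splits PRI into facility and severity, and returns the timestamp, host, process and message. The facility/severity name tables, the SyslogEvent type and the tolerance for a missing structured-data field are my assumptions.

```python
import re
from dataclasses import dataclass

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
# Facility numbers 0-23 as listed in RFC 5424; 16-23 are local0..local7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              ] + [f"local{i}" for i in range(8)]
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then optional SD + MSG.
HEADER = re.compile(r"^<(\d{1,3})>(\d+) (\S+) (\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

@dataclass
class SyslogEvent:
    pri: int
    facility: int
    severity: int
    timestamp: str
    host: str
    process: str
    message: str

def decode_pri(pri: int) -> tuple[int, int]:
    """PRI = facility * 8 + severity, so facility = PRI // 8, severity = PRI % 8."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8

def parse_rfc5424(line: str) -> SyslogEvent:
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    pri, _ver, ts, host, app, _procid, _msgid, rest = m.groups()
    rest = rest or ""
    # STRUCTURED-DATA is "-" or [id ...] blocks. The sample line in the notes omits
    # the field entirely, so strip it only when present (escaped "\]" not handled).
    if rest == "-" or rest.startswith("- "):
        rest = rest[1:].lstrip()
    elif rest.startswith("["):
        rest = re.sub(r"^(\[[^\]]*\])+\s*", "", rest)
    facility, severity = decode_pri(int(pri))
    return SyslogEvent(int(pri), facility, severity, ts, host, app, rest)

# Constructed sample: the sshd line quoted in the notes above.
SAMPLE = ("<34>1 2019-06-05T22:14:15.003Z server1 sshd - - pam_unix(sshd:auth): "
          "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2")

if __name__ == "__main__":
    ev = parse_rfc5424(SAMPLE)
    print(f"{FACILITIES[ev.facility]}.{SEVERITIES[ev.severity]} {ev.host} {ev.process}: {ev.message}")
```

For the sample, PRI 34 decodes to facility 4 (auth) and severity 2 (Critical), which is what a collector would use to match a selector such as auth.* in rsyslog.conf.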
rsyslog.conf
auth,authpriv.* /var/log/auth.log
authpriv.=warning @<syslog server IP address>
Message field issues: the data is not structured in XML or JSON format, and there is no unique log ID per event type.
ref diagram
auditd
Items auditd can log:
File Access
System calls
Program execution
File changes
Security events
Network access
audit.rules file
MITRE ATT&CK audit.rules file
log only what you intend to look at
command line argument logging