
NextGenThreat delivers cutting-edge insights on cybersecurity, Linux, and automation. Stay ahead with expert guides, best practices, and the latest in tech security.


7 Critical Linux Logs You Should Review After a Security Incident


✍️ Full Blog Content:

Intro:

The first hour after a security incident is crucial. Whether it’s a brute-force attempt, a misconfigured firewall, or worse, your Linux logs hold the story of what really happened.
Here are 7 log files that I immediately review when investigating a suspected breach — on both Ubuntu and Red Hat servers.

1. /var/log/auth.log (Ubuntu) / /var/log/secure (Red Hat)

Tracks:

  • SSH logins
  • Failed sudo attempts
  • Successful escalations

Tip: Look for:

grep "Failed password" /var/log/auth.log
grep "Accepted password" /var/log/auth.log
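The two grep commands above answer "who failed" and "who got in"; what an investigator really wants is the join of the two, i.e. an accepted login that follows a burst of failures from the same address. The script below is an added example (not code from the original post) that parses the sshd lines of an auth.log/secure file and reports exactly that; the sample log lines are constructed for illustration, and the threshold of three failures is an assumed tuning knob.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog-style format sshd writes to
# /var/log/auth.log (Ubuntu) or /var/log/secure (Red Hat); not a real capture.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar  3 10:01:04 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar  3 10:01:06 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 50215 ssh2
Mar  3 10:01:09 web1 sshd[2107]: Accepted password for root from 203.0.113.7 port 50217 ssh2
Mar  3 10:05:30 web1 sshd[2200]: Accepted publickey for deploy from 192.0.2.10 port 41000 ssh2
Mar  3 10:06:00 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted publickey for X from IP"; sudo and other lines are ignored.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_sshd(text):
    """Yield (result, method, user, ip) for every sshd authentication line."""
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")

def failures_by_ip(text):
    """Count 'Failed password' events per source address (grep #1, aggregated)."""
    counts = defaultdict(int)
    for result, method, _user, ip in parse_sshd(text):
        if result == "Failed" and method == "password":
            counts[ip] += 1
    return dict(counts)

def suspicious_logins(text, threshold=3):
    """Return (user, ip) for each 'Accepted' login preceded by at least
    `threshold` failures from the same address: a brute force that worked.
    The threshold is an assumed value; tune it to the host's normal noise."""
    failed = defaultdict(int)
    hits = []
    for result, _method, user, ip in parse_sshd(text):
        if result == "Failed":
            failed[ip] += 1
        elif failed[ip] >= threshold:
            hits.append((user, ip))
    return hits

if __name__ == "__main__":
    print("failures per IP:", failures_by_ip(SAMPLE_AUTH_LOG))
    print("accepted after repeated failures:", suspicious_logins(SAMPLE_AUTH_LOG))
```

To run it against a real file, replace SAMPLE_AUTH_LOG with the contents of /var/log/auth.log or /var/log/secure; the parser only looks at sshd lines, so sudo escalations (the page's second bullet) still need a separate pass.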

2. /var/log/syslog (Ubuntu) / /var/log/messages (Red Hat)

General system events.

Check for:

  • Service crashes
  • Unauthorized daemon restarts
  • Kernel warnings

3. /var/log/faillog

Summarizes all failed login attempts per user.


Published in nextgenthreat

Written by Faruk Ahmed

With 10+ years as an InfoSec Analyst, I excel in Symantec DLP, CrowdStrike, QRadar, Qualys, FireEye, Red Hat Linux, WebLogic, Python, and Bash. I am passionate.