Script House
CLH-010 of 015

Log Analysis & Forensics

Investigate real attack evidence. Hunt through 25,000+ lines of logs to find the breach.

INCIDENT ALERT

A security team has extracted logs from a compromised Linux server. Your mission: analyze 25,567 lines of system logs to identify the attack, determine the source, and reconstruct the timeline of the breach.

Understanding Linux Logs

Every Linux system keeps detailed records of everything that happens. These logs are your primary evidence source in any security investigation. Knowing where to look and what to look for separates forensic analysts from button clickers.

Log Location          | Contains                  | Security Value
----------------------|---------------------------|------------------------------------------------
/var/log/auth.log     | Authentication events     | Login attempts, sudo usage, SSH activity
/var/log/syslog       | General system messages   | Service status, kernel messages, errors
/var/log/secure       | Security-related events   | PAM, sshd, authentication failures
/var/log/kern.log     | Kernel messages           | Hardware issues, driver problems, crashes
/var/log/apache2/     | Web server logs           | Web attacks, scanning, exploitation attempts

Log Format Anatomy

Understanding syslog format is essential for effective parsing:

Jun 11 09:45:45 combo sshd(pam_unix)[6472]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=unknown.sagonet.net user=root

Timestamp

Jun 11 09:45:45 - When the event occurred. Critical for timeline reconstruction.

Hostname

combo - Which system generated the log. Important in multi-server environments.

Service & PID

sshd(pam_unix)[6472] - The service and process ID. Tells you what generated the event.

Message

The actual event details. Here "authentication failure" and "rhost=unknown.sagonet.net" are your key evidence: what happened, and which remote host caused it.

Essential Log Analysis Commands

analyst@kali:~$ grep -c "authentication failure" Linux.log
847
# 847 failed authentication attempts - definitely suspicious!

# Field 13 is the rhost= token in the line format shown above (fields 1-3 timestamp, 4 host, 5 service[pid]:)
analyst@kali:~$ grep "authentication failure" Linux.log | awk '{print $13}' | sort | uniq -c | sort -rn | head
    532 rhost=unknown.sagonet.net
    189 rhost=itsc.iasi.astral.ro
     98 rhost=202.108.92.14
# Source IPs identified - attacker found!

analyst@kali:~$ grep "unknown.sagonet.net" Linux.log | head -5 | tail -1
Jun 11 09:45:55 combo sshd: authentication failure ... user=root
# Brute force attack against root account!
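The field anatomy and the grep/awk pipeline above, combined in one added shell example. This is not code from the original page or its lab environment; the log lines are constructed for the demonstration (one of them has no trailing user= token, which is common in real pam_unix output), and the function names log_fields, count_failures, top_rhosts and top_rhost are the example's own. The source count matches the rhost= token itself rather than a numbered awk field, so it stays correct when the token position shifts.

```shell
#!/bin/sh
# Added example: parse the syslog fields described above and count failure sources.
# Constructed sample lines, not the page's Linux.log.
SAMPLE_LOG='Jun 11 09:45:45 combo sshd(pam_unix)[6472]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=unknown.sagonet.net user=root
Jun 11 09:45:47 combo sshd(pam_unix)[6472]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=unknown.sagonet.net user=root
Jun 11 09:45:49 combo sshd(pam_unix)[6480]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=itsc.iasi.astral.ro user=root
Jun 11 09:46:02 combo sshd(pam_unix)[6491]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=202.108.92.14
Jun 11 09:46:10 combo su(pam_unix)[6502]: session opened for user news by (uid=0)
Jun 11 09:47:01 combo cron(pam_unix)[6510]: session opened for user root by (uid=0)'

# Split one syslog line into timestamp|hostname|service|pid|message.
# Fields 1-3 are the timestamp, 4 the host, 5 "service[pid]:", the rest is the message.
log_fields() {
  printf '%s\n' "$1" | awk '{
    ts  = $1 " " $2 " " $3
    svc = $5; sub(/\[.*$/, "", svc)                        # sshd(pam_unix)[6472]: -> sshd(pam_unix)
    pid = $5; sub(/^.*\[/, "", pid); sub(/\].*$/, "", pid)  # sshd(pam_unix)[6472]: -> 6472
    msg = $0; for (i = 1; i <= 5; i++) sub(/^[^ ]+ +/, "", msg)   # drop the five header fields
    print ts "|" $4 "|" svc "|" pid "|" msg
  }'
}

# Total failed authentications, as in the grep -c command above.
count_failures() {
  printf '%s\n' "$SAMPLE_LOG" | grep -c 'authentication failure'
}

# Failures per source. Matching the rhost= token instead of a numbered awk field
# keeps the count correct even when the trailing user= token is absent.
top_rhosts() {
  printf '%s\n' "$SAMPLE_LOG" | grep 'authentication failure' \
    | grep -o 'rhost=[^ ]*' | sort | uniq -c | sort -rn
}

# Hostname/IP with the most failures: the prime brute-force suspect.
top_rhost() {
  top_rhosts | head -1 | awk '{ sub(/^rhost=/, "", $2); print $2 }'
}

echo "Failures: $(count_failures)"
echo "Top source: $(top_rhost)"
top_rhosts
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do log_fields "$line"; done
```

Run it as a plain sh script; the same functions work against a real file by replacing the printf of SAMPLE_LOG with cat of the log.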

MISSION: Investigate the Breach

INTELLIGENCE BRIEFING

Linux.log has been extracted from server "combo". Reports indicate suspicious SSH activity. Your task: identify the attacker IP, count the attack attempts, and determine if the attack succeeded.

Total Log Lines: 25,567
Auth Failures: ???
Top Attacker: ???

Use the forensic terminal to analyze the logs:

Welcome to Forensics Lab - Log Analysis
========================================
Available file: Linux.log (25,567 lines)

INVESTIGATION OBJECTIVES:
1. Count total authentication failures
2. Identify the attacker's hostname/IP
3. Determine what account was targeted
4. Check if any login succeeded

Start your investigation. Try:
  grep "failure" Linux.log | wc -l
  grep -c "authentication failure" Linux.log
INVESTIGATION COMPLETE!

You've identified the attack:

  • Attacker: unknown.sagonet.net
  • Target: root account via SSH
  • Method: Brute force password attack
  • Status: Attack in progress (no successful login recorded)

Forensic Techniques

Timeline Analysis

Reconstruct attack sequence by sorting events chronologically. Look for patterns in timestamps.

Frequency Analysis

Use sort | uniq -c | sort -rn to find the most common events, IPs, or error types (uniq -c only counts adjacent duplicates, so the input must be sorted first).

Correlation

Cross-reference events across multiple log files to build a complete picture of the incident.

IOC Extraction

Extract Indicators of Compromise (IPs, domains, hashes) for threat intelligence sharing.
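The four techniques above (timeline analysis, frequency analysis, correlation, IOC extraction) carried out in one added shell example. This is not code from the original page or its lab; the log excerpt is constructed (deliberately out of order, spanning May and June, with a cron "session opened" line that must not be mistaken for an SSH login), and the function names timeline, brute_force_sources, login_status and extract_iocs are the example's own.

```shell
#!/bin/sh
# Added example: timeline sort, brute-force source detection, success check and IOC
# extraction over a constructed syslog excerpt. Not the page's Linux.log; the hosts
# and timestamps below are made up for the demonstration.
ATTACK_LOG='Jun 11 09:46:02 combo sshd(pam_unix)[6491]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=202.108.92.14
Jun 11 09:45:47 combo sshd(pam_unix)[6472]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=unknown.sagonet.net user=root
Jun  9 22:10:03 combo sshd(pam_unix)[5102]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=itsc.iasi.astral.ro user=root
Jun 11 09:45:45 combo sshd(pam_unix)[6472]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=unknown.sagonet.net user=root
May 31 23:59:58 combo sshd(pam_unix)[4410]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=itsc.iasi.astral.ro user=root
Jun 11 09:45:49 combo sshd(pam_unix)[6472]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=unknown.sagonet.net user=root
Jun 11 09:47:01 combo cron(pam_unix)[6510]: session opened for user root by (uid=0)'

# Timeline analysis: syslog timestamps carry no year and sort wrongly as text
# ("Jun" < "May"), so build a sortable "MM DD HH:MM:SS" key, sort on it, then strip it.
timeline() {
  printf '%s\n' "$ATTACK_LOG" | awk '
    BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i }
    { printf "%02d %02d %s\t%s\n", mon[$1], $2, $3, $0 }' | sort | cut -f2-
}

# Frequency analysis: failures per rhost, reporting sources at or above a threshold
# (default 3). The rhost= token is matched directly rather than by field number.
brute_force_sources() {
  threshold="${1:-3}"
  printf '%s\n' "$ATTACK_LOG" | grep 'authentication failure' \
    | grep -o 'rhost=[^ ]*' | sed 's/^rhost=//' \
    | sort | uniq -c | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Correlation: did any sshd session actually open after the failures? cron and su
# also log "session opened", so the match is restricted to sshd lines.
login_status() {
  if printf '%s\n' "$ATTACK_LOG" | grep 'sshd' \
       | grep -qE 'session opened for user|Accepted (password|publickey)'; then
    echo "success recorded"
  else
    echo "no successful login recorded"
  fi
}

# IOC extraction: every rhost value plus any bare IPv4 address, deduplicated,
# ready to hand to a blocklist or threat-intel feed.
extract_iocs() {
  {
    printf '%s\n' "$ATTACK_LOG" | grep -o 'rhost=[^ ]*' | sed 's/^rhost=//'
    printf '%s\n' "$ATTACK_LOG" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
  } | sort -u
}

echo "== Timeline =="; timeline
echo "== Sources with >= 3 failures =="; brute_force_sources 3
echo "== Login status =="; login_status
echo "== IOCs =="; extract_iocs
```

The threshold in brute_force_sources is the tuning knob: on a 25,000-line log a value in the hundreds separates a brute-force source from a user who mistyped a password twice, and the timeline output is what you read next to see whether the burst was followed by an sshd session opening from the same source.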

Ready to Test Your Skills?

Complete the quiz to prove your log forensics abilities.

🚩 Completing CLH-010 to CLH-012 earns: CLI Engineer