This chapter covers Linux syslog and journal analysis, a critical skill for Security+ SY0-701 Domain 4.0 (Security Operations) under Objective 4.9: "Given a scenario, perform forensic analysis." You will learn how to collect, query, and analyze syslog and systemd journal data to detect security incidents, trace attacker activity, and support incident response. Mastering these tools is essential for any security professional working in Linux environments, which dominate cloud and server infrastructure.
Jump to a section
Imagine a ship's captain who must maintain a detailed logbook of every voyage: coordinates, weather, crew changes, and any unusual events. This logbook is the syslog — structured, text-based, and easily readable by anyone trained to interpret it. However, when a storm hits or a collision occurs, the logbook might be damaged or entries become frantic and unreliable. That's where the black box (flight data recorder) comes in — a hardened, tamper-resistant device that continuously records every sensor reading, control input, and communication in a binary format. In Linux, syslog (rsyslog/syslog-ng) is the logbook: it collects logs from various services and writes them to plaintext files with timestamps and priorities. The journal (systemd-journald) is the black box: it captures structured, binary logs with metadata, supports indexing for fast queries, and can optionally be stored persistently. Just as investigators use the black box to reconstruct the precise sequence of events after a crash, security analysts use journalctl to query systemd journals for forensic evidence after a breach. The logbook (syslog) is simpler and more portable, but the black box (journal) provides richer, more reliable data that is harder to tamper with. Both are essential: syslog for forwarding to central log servers, journal for local high-fidelity recording.
What Are Syslog and Journald?
Syslog is a standard protocol (RFC 5424) for message logging on Unix-like systems. It separates log generation (by processes) from log storage (by a daemon like rsyslog or syslog-ng). Syslog messages have a facility (e.g., auth, cron, daemon, kern) and a severity level (0-7, with 0=emergency, 7=debug). The syslog daemon reads messages from /dev/log, filters them based on rules in /etc/rsyslog.conf or /etc/syslog-ng/syslog-ng.conf, and writes them to files (typically in /var/log/).
Journald is part of systemd, the init system used by most modern Linux distributions. It collects logs from the kernel, systemd services, and applications via structured binary logs stored in /var/log/journal/ (persistent) or /run/log/journal/ (volatile). Journald captures not only the message text but also metadata like PID, UID, GID, SELinux context, kernel subsystem, and more. It supports indexing, compression, and integrity checking (via forward-secure sealing).
How They Work Mechanically
Syslog Flow: 1. An application (e.g., sshd) generates a log message using syslog() or a library like libc. 2. The message is sent to the syslog daemon (rsyslogd) via a Unix socket (/dev/log) or UDP/TCP port 514. 3. rsyslogd checks its configuration rules (e.g., "if facility=mail and severity=info, write to /var/log/maillog"). 4. The daemon writes the message to the appropriate file, optionally adding a timestamp and hostname.
Journald Flow: 1. An application logs via the systemd journal API (sd-journal), or syslog messages are forwarded to journald via a socket. 2. journald stores the message in a binary journal file with metadata fields (e.g., _PID, _UID, _COMM, SYSLOG_FACILITY). 3. Logs can be queried using journalctl, which reads the journal files and outputs filtered results. 4. Journald can optionally forward logs to traditional syslog daemons for centralization.
Key Components, Variants, and Standards
Syslog Protocols: RFC 3164 (BSD syslog) and RFC 5424 (structured syslog). RFC 5424 adds structured data elements (SD-ELEMENTS) like event IDs and application-specific fields.
Facilities: auth (4), authpriv (10), cron (9), daemon (3), kern (0), local0-local7 (16-23), mail (2), syslog (5), user (1), uucp (5).
Severities (0-7): emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), debug (7).
Rsyslog: The most common syslog daemon on Linux. Features: TCP/UDP reception, TLS encryption, database output (MySQL/PostgreSQL), filtering by property (e.g., msg, hostname).
Syslog-ng: Alternative with similar features, often preferred for complex filtering.
Journald: Part of systemd. Configuration in /etc/systemd/journald.conf. Key settings: SystemMaxUse, MaxRetentionSec, ForwardToSyslog, Compress, Seal.
Log Rotation: Managed by logrotate (for syslog files) or automatically by journald (based on size/age).
How Attackers Exploit Syslog/Journald and How Defenders Use Them
Attackers often clear or manipulate logs to cover tracks. Common techniques:
Deleting /var/log/auth.log or /var/log/secure.
Using logger to inject false log entries (e.g., fake successful logins).
Modifying system time before logging to create confusion.
Disabling rsyslog or journald services.
Overwriting journal files (requires root).
Defenders use syslog and journald for:
- Forensic Analysis: Querying journal logs for specific timeframes, users, or commands. Example: journalctl _UID=0 --since "2024-01-01 00:00:00" --until "2024-01-02 00:00:00" shows all root actions.
- Centralized Logging: Forwarding syslog to a SIEM (e.g., Splunk, ELK) via TCP/514 or TLS/6514.
- Integrity Verification: Journald's forward-secure sealing allows detecting if logs were modified after creation.
- Alerting: Using rsyslog rules to trigger email alerts on specific patterns (e.g., multiple failed logins).
Real Command/Tool Examples
Syslog configuration snippet (/etc/rsyslog.conf):
# Log all kernel messages to /var/log/kern.log
kern.* /var/log/kern.log
# Log authentication messages to /var/log/auth.log
auth,authpriv.* /var/log/auth.log
# Send all messages to remote log server via TCP
*.* @@logserver.example.com:514Journalctl query examples:
# Show all logs for the ssh service
journalctl -u ssh.service
# Show logs from last boot
journalctl -b
# Show logs with priority 3 (err) or higher
journalctl -p err
# Show logs for a specific executable
journalctl /usr/sbin/sshd
# Follow new logs in real time (like tail -f)
journalctl -fChecking journal integrity:
# Verify journal integrity (requires --verify)
journalctl --verifyUsing logger to test syslog:
logger -p authpriv.info "Test message from Courseiva"Viewing syslog files:
# Common log files
/var/log/messages (general)
/var/log/secure (authentication)
/var/log/maillog (mail server)
/var/log/cron (cron jobs)
/var/log/boot.log (boot messages)Identify the Log Source
Determine whether to query syslog or journald. On systems using systemd, journald is the primary source. Check with `systemctl status systemd-journald`. If using rsyslog, check for /var/log/syslog or /var/log/messages. For exam scenarios, the question often specifies 'journalctl' or 'rsyslog' – use the correct tool. For forensic analysis, start with journalctl because it contains metadata and timestamps with nanosecond precision.
Filter by Time and Priority
Use journalctl's `--since` and `--until` to narrow down the incident window. Example: `journalctl --since "2024-03-15 10:00:00" --until "2024-03-15 11:00:00"`. Filter by priority with `-p err` to see only errors. For syslog, use `grep` with date patterns. Time filtering reduces noise and focuses on the attack timeline.
Identify Suspicious Accounts or Processes
Look for unusual UIDs (e.g., UID 0 for root) or commands. Use `journalctl _UID=0` to see all root actions. Check for service units with `-u`. For syslog, search auth.log for failed/successful logins: `grep "Failed password" /var/log/auth.log`. Identify brute-force attempts or unauthorized access.
Correlate with Other Logs
Cross-reference timestamps from different log sources. For example, a successful SSH login at 10:05 followed by a sudo command at 10:06 suggests compromise. Use `journalctl -u ssh.service` and `journalctl -u sudo.service` together. For syslog, check /var/log/secure and /var/log/sudo.log. Correlation establishes the attack chain.
Preserve and Export Evidence
Export logs for analysis or legal hold. For journald: `journalctl -o export > export.journal` or `journalctl -o json > logs.json`. For syslog: copy files with `cp /var/log/auth.log /evidence/`. Use `--output=json` for structured data. Always preserve timestamps and hashes (sha256sum) to maintain chain of custody.
Scenario 1: SSH Brute-Force Detection
A SOC analyst notices a spike in failed SSH logins on a Linux server. Using journalctl: journalctl -u ssh.service -p info --since "1 hour ago" | grep "Failed password". They see hundreds of entries from IP 10.0.0.5. The correct response: block the IP via firewall (iptables -A INPUT -s 10.0.0.5 -j DROP) and check for successful logins from that IP: journalctl -u ssh.service | grep "Accepted.*10.0.0.5". Common mistake: only checking auth.log and missing journald's richer metadata (e.g., SSH protocol version, key fingerprints).
Scenario 2: Privilege Escalation via sudo
After a breach, an investigator uses journalctl to find all sudo commands: journalctl -u sudo.service --since "2024-03-10". They see a user 'tempadmin' ran sudo -i and then sudo visudo. The investigator checks if 'tempadmin' was added to sudoers: grep tempadmin /etc/sudoers. They also verify the user's creation time: journalctl -u useradd.service. The correct response: disable the account and review all commands executed with sudo. Common mistake: assuming sudo logs are only in /var/log/secure; on systemd systems, journald captures more detail including the working directory.
Scenario 3: Malware Persistence via Cron
A Linux server exhibits unusual outbound connections. The analyst checks cron logs: journalctl -u cron.service. They find a root cron job running /tmp/.malware.sh every minute. The analyst also checks the syslog file /var/log/cron for redundancy. Correct response: remove the cron job, delete the malware, and check for other persistence mechanisms (systemd services, .bashrc). Common mistake: only looking at syslog and missing journald's metadata (e.g., the exact command line arguments).
What SY0-701 Tests Objective 4.9 requires you to perform forensic analysis using logs. Specifically, you must know how to:
Use journalctl to query systemd journals (filtering by time, unit, priority, UID).
Locate and interpret syslog files (/var/log/auth.log, /var/log/secure, /var/log/messages).
Understand log severity levels (0-7) and facilities.
Distinguish between syslog (text-based, /var/log/) and journald (binary, journalctl).
Identify common attack indicators in logs (failed logins, sudo usage, cron jobs, service restarts).
Common Wrong Answers
1. "Use tail -f /var/log/messages to view real-time logs" – While true, the exam often expects journalctl -f for systemd systems. Candidates choose the familiar syslog command because they don't consider the OS version.
2. "Syslog files are stored in /var/log/journal/" – Wrong; journald uses /var/log/journal/. Syslog files are in /var/log/ directly. Candidates confuse the two.
3. "Journalctl cannot filter by UID" – It can, using _UID=. Candidates may think journald only filters by service unit.
4. "Logs are always reliable" – Attackers can delete or modify logs. Candidates forget that logs must be integrity-protected (e.g., remote logging, journald sealing).
Key Terms - Facility: auth, authpriv, cron, daemon, kern, mail, syslog, user, local0-local7. - Severity: emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), debug (7). - journalctl flags: -u, -p, --since, --until, -b, -f, -o (output format). - Rsyslog configuration: /etc/rsyslog.conf, /etc/rsyslog.d/. - Log rotation: logrotate configuration in /etc/logrotate.conf and /etc/logrotate.d/.
Trick Questions
- "Which file contains failed SSH login attempts?" Answer: /var/log/auth.log (or /var/log/secure on RHEL/CentOS). The trick: the exam may ask for 'secure' on Red Hat-based systems.
- "Which command shows logs from the last boot?" Answer: journalctl -b. The trick: -b stands for boot, not 'begin'.
- "What is the default log format for journald?" Answer: Binary (not text). Candidates may think it's text because journalctl outputs text.
Decision Rule On scenario questions, if the system uses systemd (most modern Linux), use journalctl. If the question mentions 'syslog server' or 'centralized logging', think rsyslog/syslog-ng and TCP/UDP port 514. For forensic analysis, always start with the most detailed source (journald) and then cross-reference with syslog.
Syslog severity levels: 0=emerg, 1=alert, 2=crit, 3=err, 4=warning, 5=notice, 6=info, 7=debug.
Common syslog facilities: auth (4), authpriv (10), cron (9), daemon (3), kern (0), mail (2), user (1).
Journalctl -u <unit> filters logs by systemd service unit (e.g., ssh.service).
Journalctl -p <priority> filters by minimum severity (e.g., -p err shows err and higher).
Journalctl --since/--until accepts formats like '2024-01-01 00:00:00' or 'yesterday'.
Persistent journal storage requires /var/log/journal/ directory creation.
Syslog remote logging: UDP/514 (unencrypted), TCP/514, TLS/6514.
Log integrity: journald --verify checks for corruption; forward-secure sealing detects tampering.
Common log files: /var/log/auth.log (Debian), /var/log/secure (RHEL), /var/log/messages (generic).
Attackers may clear logs using '> /var/log/auth.log' or stop rsyslog/journald services.
These come up on the exam all the time. Here's how to tell them apart.
Syslog (rsyslog/syslog-ng)
Text-based log files in /var/log/
Uses facilities and severities (RFC 5424)
Forwarding to remote servers via UDP/TCP/ TLS
Log rotation via logrotate
Can be read with standard tools (cat, grep, tail)
Journald (systemd-journald)
Binary journal files in /var/log/journal/
Structured metadata (UID, PID, etc.)
Local only; forwarding requires syslog gateway
Automatic rotation based on size/age
Requires journalctl to query; not human-readable directly
Mistake
Syslog and journald are interchangeable and store the same data.
Correct
Syslog stores plaintext logs in files; journald stores binary logs with structured metadata. Journald can forward to syslog, but the reverse is not true without additional configuration. Journald captures more fields (PID, UID, SELinux context) than standard syslog.
Mistake
Journald logs are always persistent.
Correct
By default, journald stores logs in volatile memory (/run/log/journal/) unless /var/log/journal/ exists. Persistence requires creating the directory: `mkdir -p /var/log/journal` and restarting journald. Without this, logs disappear on reboot.
Mistake
Syslog uses UDP port 514 by default, which is secure.
Correct
UDP syslog is unencrypted and can be spoofed. For security, use TCP with TLS (port 6514) or stunnel. Rsyslog supports TLS with certificate-based authentication.
Mistake
Journalctl can only be used by root.
Correct
Non-root users can view their own user logs (journalctl --user) and system logs if granted via ACLs or polkit. However, viewing all system logs typically requires root or membership in the systemd-journal group.
Mistake
Log files are tamper-proof.
Correct
Both syslog files and journal files can be modified or deleted by root. Journald offers forward-secure sealing to detect tampering, but it's not enabled by default. Remote logging to a secure SIEM provides better integrity.
Use `journalctl -b`. The `-b` flag stands for 'boot'. You can also specify a boot offset: `journalctl -b -1` for the previous boot. This is useful for comparing logs across restarts, especially after a crash or suspicious shutdown.
On Debian/Ubuntu systems, authentication logs go to /var/log/auth.log. On RHEL/CentOS/Fedora, they go to /var/log/secure. Both contain login attempts, sudo usage, and user changes. The exam may test your knowledge of distribution-specific log paths.
Yes, by configuring journald to forward to syslog (ForwardToSyslog=yes in journald.conf) and then using rsyslog to send logs remotely. Alternatively, use systemd-journal-remote to receive logs from multiple hosts. For exam purposes, remember that journald is primarily local.
Run `journalctl --list-boots`. If it shows multiple boots, logs are persistent. Also check if /var/log/journal/ exists. If only /run/log/journal/ exists, storage is volatile and logs are lost on reboot.
Log rotation is managed by logrotate, typically configured in /etc/logrotate.conf and /etc/logrotate.d/. Default settings rotate weekly, keep 4 weeks of logs, and compress old files. You can customize based on size (e.g., size 100M) or time.
Use `journalctl --verify` to check for corruption. For tamper detection, enable forward-secure sealing in /etc/systemd/journald.conf (Seal=yes). This adds cryptographic signatures that allow verification of log integrity after the fact.
Facilities local0 through local7 are reserved for custom use by applications or administrators. They are often used by third-party software (e.g., Apache, Nginx) to log to specific files. For example, local0.* could be directed to /var/log/custom.log.
You've just covered Linux Syslog and Journal Analysis — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?