Week 9 – Lab 2 – Getting Started with Linux Log Files (Kali Linux)
Objectives of this lab session
- Use the Linux command line to locate, view and monitor log files and critical events.
- Locate, view and interpret log files on Kali Linux.
This lab gives you practical experience working with Linux log files. It is an investigative activity, so you are encouraged to explore further and research beyond the tasks provided.
Further reading:
Requirements
You will need:
- Kali Linux virtual machine: You will need access to the Kali Linux virtual machine.
- You can find one in your CyberLab
- Or you can download your Kali VM from here if you don't have one
Part-1: Investigating Log Files
Kali Linux stores most of its system, service and application logs in:
/var/log
These files help administrators troubleshoot issues, analyse system behaviour and investigate security events.
Important note for Kali Linux
Kali uses the standard Debian logging structure.
If /var/log/syslog appears empty, enable the logging service:
sudo systemctl enable --now rsyslog
1. Become root and explore available log files
sudo su
cd /var/log
ls
2. View log files as a tree
tree /var/log
If tree is not installed:
sudo apt install tree
3. View a log file (example: syslog)
sudo less /var/log/syslog
Press q to exit.
Part-2: Log File Categories
Kali Linux log files generally fall into four categories:
- System Logs
- Event Logs
- Application Logs
- Service Logs
Common log files include:
- /var/log/boot.log
- /var/log/auth.log
- /var/log/debug
- /var/log/daemon.log
- /var/log/kern.log
- /var/log/syslog
A typical syslog entry contains:
- Timestamp
- Hostname
- Service name
- Log message
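The four fields above are separated by whitespace, so they can be pulled apart with awk. The shell functions below are an added example written for this handout, not part of the original lab or of any Kali tool; the sample entries are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the lab handout: field-splitting of traditional
# syslog lines. The sample below is constructed, not taken from a real host.
SAMPLE_SYSLOG='Mar 10 09:15:01 kali CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 09:15:42 kali systemd[1]: Started Session 3 of user kali.
Mar 10 09:16:05 kali kali: Hello, Your Name!
Mar 10 09:17:20 kali systemd[1]: Starting Daily apt download activities...'

# parse_syslog_line LINE
# Prints "timestamp|hostname|service|message". The service field is the
# program name with its trailing ":" and any "[PID]" suffix removed.
parse_syslog_line() {
    printf '%s\n' "$1" | awk '{
        ts   = $1 " " $2 " " $3          # e.g. "Mar 10 09:15:01"
        host = $4
        svc  = $5
        sub(/:$/, "", svc)               # drop trailing colon
        sub(/\[[0-9]+\]$/, "", svc)      # drop "[1234]"
        msg = ""
        for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
        printf "%s|%s|%s|%s\n", ts, host, svc, msg
    }'
}

# count_by_service LOGTEXT
# Prints "service count" for every service that appears in LOGTEXT.
count_by_service() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        parse_syslog_line "$line"
    done | cut -d'|' -f3 | sort | uniq -c | awk '{ print $2, $1 }'
}

# Demonstration when the file is run directly:
printf '%s\n' "$SAMPLE_SYSLOG" | while IFS= read -r line; do
    parse_syslog_line "$line"
done
count_by_service "$SAMPLE_SYSLOG"
```

To use the same functions on the real file, pipe it in instead of the sample, for example `sudo tail -n 20 /var/log/syslog | while IFS= read -r l; do parse_syslog_line "$l"; done`. Note that a message logged with `logger` carries your login name as the service field, because that is logger's default tag.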
4. Using tail
Print the last few lines of syslog:
sudo tail /var/log/syslog
Monitor syslog in real time:
sudo tail -f /var/log/syslog
Check logged-in users:
who
View system reboot history:
last reboot
Part-3: Monitoring Log File Changes
10. Log a custom message
Terminal A:
logger Hello, Your Name!
11. Check syslog
Terminal B:
sudo tail /var/log/syslog
Your message should appear.
12. Question
What does the tail command do?
13. Follow syslog in real time
Terminal B:
sudo tail -f /var/log/syslog
14. Log another message
Terminal A:
logger Hello, its me again!
Question: What does tail -f do?
Close both terminals afterwards.
15. Watch for file attribute changes
Terminal A:
sudo watch -d ls -la /var/log/syslog
16. Trigger log events
Terminal B: run several logger commands.
Observe changes on Terminal A.
Question: What does sudo watch -d ls -la /var/log/syslog do?
Part-4: Priority Events
Syslog events use:
- Facilities (e.g. auth, user, daemon)
- Severity levels (e.g. emerg, alert, warning, info)
Use:
man logger
to review available options.
17. Log an emergency event
logger -p user.emerg "Oh no!"
Check syslog.
18. Log a warning
logger -p user.warn "Warning: something is not right..."
Check syslog.
19. Log an event with a priority pair of your choice
Record the command you used.
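Behind a pair such as user.warn is a single number: the syslog priority value, PRI = facility * 8 + severity, with the facility and severity codes from syslog.h (user = 1, warning = 4, so user.warn is 12). The functions below are an added example for this handout, not part of the lab or of the logger program; the function names are my own, and the name tables follow syslog.h, including the warn/error/panic aliases that logger accepts.

```shell
#!/bin/sh
# Added example, not from the lab handout: how a "facility.severity" pair
# such as user.warn is encoded as the numeric syslog priority (PRI) value
# PRI = facility * 8 + severity, which is what logger hands to rsyslog.
# Name tables follow <syslog.h>; function names are my own.

# facility_code NAME -> 0..23, or return 1 if unknown
facility_code() {
    case "$1" in
        kern) echo 0 ;;  user) echo 1 ;;  mail) echo 2 ;;   daemon) echo 3 ;;
        auth|security) echo 4 ;;  syslog) echo 5 ;;  lpr) echo 6 ;;  news) echo 7 ;;
        uucp) echo 8 ;;  cron) echo 9 ;;  authpriv) echo 10 ;;  ftp) echo 11 ;;
        local[0-7]) echo $(( ${1#local} + 16 )) ;;
        *) return 1 ;;
    esac
}

# severity_code NAME -> 0..7, or return 1 if unknown (warn/error/panic are aliases)
severity_code() {
    case "$1" in
        emerg|panic) echo 0 ;;  alert) echo 1 ;;  crit) echo 2 ;;  err|error) echo 3 ;;
        warning|warn) echo 4 ;;  notice) echo 5 ;;  info) echo 6 ;;  debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# pri_value PRIORITY  (e.g. user.emerg, auth.info, or a bare "warn")
# A bare severity defaults to the user facility, as logger does.
pri_value() {
    case "$1" in
        *.*) fac=${1%%.*}; sev=${1#*.} ;;
        *)   fac=user;     sev=$1 ;;
    esac
    f=$(facility_code "$fac") || { echo "unknown facility: $fac" >&2; return 1; }
    s=$(severity_code "$sev") || { echo "unknown severity: $sev" >&2; return 1; }
    echo $(( f * 8 + s ))
}

# decode_pri N -> "facility.severity" for a numeric PRI in 0..191
decode_pri() {
    f=$(( $1 / 8 )); s=$(( $1 % 8 ))
    fac=unknown; sev=unknown
    for name in kern user mail daemon auth syslog lpr news uucp cron authpriv ftp \
                local0 local1 local2 local3 local4 local5 local6 local7; do
        [ "$(facility_code "$name")" = "$f" ] && fac=$name
    done
    for name in emerg alert crit err warning notice info debug; do
        [ "$(severity_code "$name")" = "$s" ] && sev=$name
    done
    echo "$fac.$sev"
}

# Demonstration when the file is run directly:
for p in user.emerg user.warn auth.info local7.debug; do
    echo "$p -> PRI $(pri_value "$p") -> $(decode_pri "$(pri_value "$p")")"
done
```

rsyslog's rules in /etc/rsyslog.conf select on exactly these pairs: on Debian-based systems the default configuration typically sends auth and authpriv messages to /var/log/auth.log and broadcasts every *.emerg message to all logged-in users, which is why the "Oh no!" message from step 17 may appear on every open terminal as well as in syslog.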
Part-5: APT Investigation
APT (Advanced Package Tool) keeps detailed logs of all software installations, updates and removals carried out on the system. These logs are useful for tracking system changes, investigating a suspected compromise, or establishing when new software was introduced.
APT package logs are stored in:
/var/log/apt/
20. Open the history log
nano /var/log/apt/history.log
Tasks:
- Scroll through the file and note how events are grouped.
- Look for Start-Date and End-Date lines.
- Count how many separate events or installation sessions appear.
Question: How many installation or removal events are recorded in this file?
21. Investigate one event
Choose any single installation session. Examine the lines that belong to that event.
Tasks:
- Identify the date and time of the event (Start-Date:).
- Identify the user account responsible (shown under Commandline:).
- List at least two packages that were installed or removed.
- Determine whether the action was part of a system update or a manual installation.
Question: What is the date/time of the event? Who triggered it? What packages were involved?
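The same questions can be answered for every session at once, because each session in history.log is a blank-line-separated block of Start-Date, Commandline, Install/Upgrade/Remove and End-Date lines. The script below is an added example for this handout, not part of the lab or of apt itself: the history log it reads is constructed (real Debian package names, placeholder versions), and the function names are my own. It also shows the Requested-By line that apt writes when it can identify the invoking user from the sudo environment; a session without it was started by root directly.

```shell
#!/bin/sh
# Added example, not from the lab handout: extracting the per-session
# fields of /var/log/apt/history.log. The log below is constructed
# (package names are real Debian names, versions are placeholders).
SAMPLE_APT_HISTORY='Start-Date: 2024-03-10  09:20:11
Commandline: apt install tree
Requested-By: kali (1000)
Install: tree:amd64 (1.0-1)
End-Date: 2024-03-10  09:20:14

Start-Date: 2024-03-11  08:02:30
Commandline: apt full-upgrade
Upgrade: curl:amd64 (2.0-1, 2.0-2), libcurl4:amd64 (2.0-1, 2.0-2)
End-Date: 2024-03-11  08:03:02

Start-Date: 2024-03-12  14:45:00
Commandline: apt remove nmap
Requested-By: kali (1000)
Remove: nmap:amd64 (3.0-1)
End-Date: 2024-03-12  14:45:05'

# count_apt_sessions LOGTEXT -> number of Start-Date/End-Date blocks
count_apt_sessions() {
    printf '%s\n' "$1" | grep -c '^Start-Date:'
}

# apt_session LOGTEXT N -> the N-th blank-line-separated session block
apt_session() {
    printf '%s\n' "$1" | awk -v want="$2" 'BEGIN { RS = "" } NR == want { print }'
}

# apt_summary LOGTEXT
# One line per session: start|commandline|requested-by|Action=packages; ...
# Requested-By is only present when apt knew the sudo user; otherwise the
# session was started by root directly.
apt_summary() {
    printf '%s\n' "$1" | awk '
        /^Start-Date:/   { sub(/^Start-Date: */, "");   start = $0 }
        /^Commandline:/  { sub(/^Commandline: */, "");  cmd = $0 }
        /^Requested-By:/ { sub(/^Requested-By: */, ""); who = $0 }
        /^(Install|Upgrade|Remove|Purge|Reinstall):/ {
            act = $1; sub(/:$/, "", act)
            pk = $0; sub(/^[A-Za-z]+: */, "", pk)
            pkgs = pkgs (pkgs ? "; " : "") act "=" pk
        }
        /^End-Date:/ {
            printf "%s|%s|%s|%s\n", start, cmd, (who ? who : "root (direct)"), pkgs
            start = cmd = who = pkgs = ""
        }'
}

# classify_apt_cmd COMMANDLINE -> "system update" or "manual package change"
classify_apt_cmd() {
    case "$1" in
        *upgrade*) echo "system update" ;;
        *)         echo "manual package change" ;;
    esac
}

# Demonstration when the file is run directly:
echo "sessions: $(count_apt_sessions "$SAMPLE_APT_HISTORY")"
apt_summary "$SAMPLE_APT_HISTORY"
```

On the real system, run `apt_summary "$(cat /var/log/apt/history.log)"`; rotated copies (history.log.1, history.log.2.gz) hold older sessions and need zcat for the compressed ones.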
Part-6: Version Log Investigation
Installer logs are stored in:
/var/log/installer/
22. View OS version details
cat /var/log/installer/media-info
Tasks:
- Identify the OS version and release name.
- Check the installation media description (for example, ISO image used).
- Note whether the installation source was a DVD, USB or net installer (if shown).
Question: What is the OS name, version and installation media?
Part-7: Auth Log Investigation
Authentication activity (including sudo) is logged in:
/var/log/auth.log
23. Open auth.log
sudo less /var/log/auth.log
24. Analyse the most recent entry
Tasks:
- Scroll to the bottom (Shift + G).
- Identify the last recorded event.
- Determine the process responsible (e.g., sudo, systemd, login, sshd).
- Note whether the event was successful or unsuccessful.
- Identify the username involved.
Question: What is the exact text of the last event, and what does it indicate?
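The process, outcome and account of an auth.log entry are all recoverable from its text, and the same extraction, applied to the whole file rather than the last line, gives a count of failed attempts per account, which is the first thing to check when reviewing this log. The functions below are an added example for this handout, not part of the lab: the entries are constructed (192.0.2.0/24 is the documentation address range; kali and admin are placeholder accounts), and the function names and keyword lists are my own.

```shell
#!/bin/sh
# Added example, not from the lab handout: picking the process, outcome and
# account out of auth.log entries. Lines are constructed; 192.0.2.0/24 is the
# documentation address range and "kali"/"admin" are placeholder accounts.
SAMPLE_AUTH_LOG='Mar 10 09:30:01 kali sudo:     kali : TTY=pts/0 ; PWD=/home/kali ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Mar 10 09:30:01 kali sudo: pam_unix(sudo:session): session opened for user root(uid=0) by kali(uid=1000)
Mar 10 09:31:12 kali sudo:     kali : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/kali ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Mar 10 09:32:40 kali sshd[2100]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar 10 09:32:44 kali sshd[2100]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar 10 09:33:01 kali sshd[2105]: Accepted publickey for kali from 192.0.2.20 port 51300 ssh2'

# last_auth_event LOGTEXT -> the most recent line (what Shift + G shows in less)
last_auth_event() { printf '%s\n' "$1" | tail -n 1; }

# auth_process LINE -> program name (5th field without "[PID]" or ":")
auth_process() {
    printf '%s\n' "$1" | awk '{ p = $5; sub(/\[.*$/, "", p); sub(/:$/, "", p); print p }'
}

# auth_outcome LINE -> success | failure | other, judged from the message wording
# (failure patterns are tested first, because a failed sudo line also carries COMMAND=)
auth_outcome() {
    case "$1" in
        *"Failed password"*|*"incorrect password"*|*"authentication failure"*) echo failure ;;
        *"Accepted "*|*"session opened"*|*"COMMAND="*) echo success ;;
        *) echo other ;;
    esac
}

# auth_failures_by_user LOGTEXT -> "user count" for every account with failed attempts
# sshd names the account as "for [invalid user] NAME from"; sudo puts it in field 6.
auth_failures_by_user() {
    printf '%s\n' "$1" | awk '
        /Failed password|incorrect password attempts|authentication failure/ {
            user = ""
            if (match($0, /for (invalid user )?[^ ]+ from/)) {
                user = substr($0, RSTART, RLENGTH)
                sub(/^for (invalid user )?/, "", user); sub(/ from$/, "", user)
            } else if ($5 == "sudo:") {
                user = $6
            }
            if (user != "") count[user]++
        }
        END { for (u in count) print u, count[u] }' | sort
}

# Demonstration when the file is run directly:
last=$(last_auth_event "$SAMPLE_AUTH_LOG")
echo "last event: $last"
echo "process: $(auth_process "$last"), outcome: $(auth_outcome "$last")"
echo "failed attempts per account:"
auth_failures_by_user "$SAMPLE_AUTH_LOG"
```

The keyword lists cover the sudo, sshd and PAM wording seen in this file; other services phrase failures differently, so extend the patterns before relying on the count for anything beyond this exercise.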
Part-8: Kern Log Investigation
Kernel events are stored in:
/var/log/kern.log
25. View kern.log
sudo less /var/log/kern.log
26. Investigate kernel events
Tasks:
- Identify the first entry recorded in the file.
- Note the timestamp and event type (e.g., device detection, driver load).
- Determine which kernel component or module generated the message.
- Check whether the message is an info, warning or error entry.
Question: What is the first entry, and which component generated it?
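In kern.log each message is prefixed by "kernel:" and a bracketed time in seconds since boot, and most messages then name their subsystem or driver before a colon ("usb 1-1:", "e1000:"). The functions below are an added example for this handout, not part of the lab or of any kernel tool: the entries are constructed (the version string is a placeholder), and the function names and the keyword heuristic are my own.

```shell
#!/bin/sh
# Added example, not from the lab handout: reading kern.log entries as
# rsyslog writes them ("kernel: [ seconds-since-boot ] message").
# Lines are constructed; the version string is a placeholder.
SAMPLE_KERN_LOG='Mar 10 08:59:58 kali kernel: [    0.000000] Linux version 6.x-placeholder (builder@kali) #1 SMP
Mar 10 08:59:58 kali kernel: [    2.104512] usb 1-1: new high-speed USB device number 2 using xhci_hcd
Mar 10 08:59:58 kali kernel: [    2.311003] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
Mar 10 09:01:15 kali kernel: [   80.522910] usb 1-1: device descriptor read/64, error -71'

# kern_first_entry LOGTEXT -> the first line of the file
kern_first_entry() { printf '%s\n' "$1" | head -n 1; }

# kern_uptime LINE -> seconds since boot, taken from the bracketed stamp
kern_uptime() {
    printf '%s\n' "$1" | awk '{ sub(/^.*kernel: \[ */, ""); sub(/\].*$/, ""); print }'
}

# kern_component LINE -> the subsystem/driver prefix before the first ": ",
# or the first word of the message when there is no such prefix
kern_component() {
    printf '%s\n' "$1" | awk '{
        sub(/^.*kernel: \[ *[0-9.]+\] /, "")
        n = index($0, ": ")
        if (n > 0) print substr($0, 1, n - 1); else print $1
    }'
}

# kern_level_hint LINE -> error | warning | info
# rsyslog's traditional file format does not record the kernel log level,
# so this is a keyword heuristic over the message text, not the real priority.
kern_level_hint() {
    case "$1" in
        *[Ee]rror*|*[Ff]ail*)      echo error ;;
        *[Ww]arn*|*[Dd]eprecat*)   echo warning ;;
        *)                         echo info ;;
    esac
}

# Demonstration when the file is run directly:
first=$(kern_first_entry "$SAMPLE_KERN_LOG")
echo "first entry: $first"
echo "uptime: $(kern_uptime "$first"), component: $(kern_component "$first"), level hint: $(kern_level_hint "$first")"
printf '%s\n' "$SAMPLE_KERN_LOG" | while IFS= read -r line; do
    echo "$(kern_uptime "$line") $(kern_component "$line") [$(kern_level_hint "$line")]"
done
```

When the real level matters rather than a guess from the wording, ask the kernel ring buffer or the journal directly: `sudo dmesg --level=err,warn` and `sudo journalctl -k -p warning` both filter kernel messages by their actual priority.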
Best,
Ali