Logging is one of the critical aspects of security. The system is logging information about errors and security alerts. As a security researcher, you should know what fingerprints and logging information you leave after you accessed the target. This article covers basic information related to what information is gathered by the Linux system while you browse. Also, how hackers can manage and delete footsteps of access on the system by configuring files responsible for logging.

What information is logged

Linux systems come with a decent amount of log capability. Linux logs everything about user actions. Also, kernel events are also logged. In other words, if you have configured logs correctly, you can easily diagnose what actions are performed on the servers.

rsyslog

rsyslog is the default logging service available on most Linux distributions. This allows an administrator to configure logging details of different services and related information. rsyslog, syslog-ng, syslog, etc. are the different names used by different Linux distributions. For example, Kali Linux has rsyslog by default.

You can search the location of rsyslog by using locate command:

locate rsyslog

As a security guy, you should be more interested in the configuration file of rsyslog. You can use any editor command to see the content of a file, I have used nano command here:

nano /etc/rsyslog.conf

If you browse down, you are able to see rules for the logged information. This simply tells what information is logged and what is not.

/var/log

This path corresponding special directory contains all logs including OS, applications, and services.

How to manage Logs for space

You can set up a policy to delete log files periodically or whenever space is less. This can be done by using logrotate utility. Locate logrotate by using locate utility:

locate logrotate

You can edit or manage log rotation by using the below command:

nano /etc/logrotate.conf

How to disable Logging

An attacker may remove tracks by simply disable the Logging of the Linux system.

service rsyslog stop

Although, you can again start it by using the below command:

service rsyslog start