
Profile: modules/linux/logs.toml

Source

  • Original path: profiles/modules/linux/logs.toml

Profile (TOML)

# Linux System Logs Module
# Collects Linux system log files for forensic analysis

[module]
# Identity of this collection module; the [[patterns]] entries that
# follow are the file selectors it contributes.
name = "Linux System Logs"
category = "linux"
# NOTE(review): presumably restricts where the module is applied — confirm against the collector.
platform = ["linux"]
priority = "high"
description = "Linux system logs (syslog, auth, daemon, kernel, etc.)"

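# Syslog
# `(?:^|[/])` anchors the match to the basename (path start or after a
# slash), so `rsyslog*` and `syslog.conf` are not collected.
# Rotated copies are `syslog.N` (logrotate default) or `syslog-YYYYMMDD`
# (logrotate `dateext`), optionally compressed with gzip, xz, bzip2 or zstd.
# NOTE(review): the basename-only anchor matches a file called `syslog` in
# any directory; scope the search root if that is unwanted.
[[patterns]]
name = "Syslog"
type = "regex"
pattern = '(?:^|[/])syslog(?:[.-][0-9]+)?(?:\.(?:gz|xz|bz2|zst))?$'
case-insensitive = true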

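# Auth/Secure Log
# Debian-family `auth.log` and RHEL-family `secure`; the `.log` suffix is
# optional so both names match. Rotated copies may be `.N` or `-YYYYMMDD`
# (logrotate `dateext`) and may be gzip/xz/bzip2/zstd compressed.
[[patterns]]
name = "Auth Log"
type = "regex"
pattern = '(?:^|[/])(?:auth|secure)(?:\.log)?(?:[.-][0-9]+)?(?:\.(?:gz|xz|bz2|zst))?$'
case-insensitive = true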

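# Kernel Log
# `kern.log` / `kernel.log`; a bare `kern` basename is intentionally not
# matched. Rotation suffixes: `.N`, `-YYYYMMDD`, optional gz/xz/bz2/zst.
[[patterns]]
name = "Kernel Log"
type = "regex"
pattern = '(?:^|[/])(?:kern|kernel)\.log(?:[.-][0-9]+)?(?:\.(?:gz|xz|bz2|zst))?$'
case-insensitive = true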

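# Daemon Log
# `daemon.log` plus rotated copies (`.N` or `-YYYYMMDD`, optionally
# gz/xz/bz2/zst compressed).
[[patterns]]
name = "Daemon Log"
type = "regex"
pattern = '(?:^|[/])daemon\.log(?:[.-][0-9]+)?(?:\.(?:gz|xz|bz2|zst))?$'
case-insensitive = true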

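# Dmesg
# Saved kernel ring buffer (`dmesg`, `dmesg.0`, ...); rotation suffixes
# `.N` / `-YYYYMMDD` with optional gz/xz/bz2/zst compression.
# NOTE(review): the regex is basename-only, so the dmesg executable
# (e.g. /usr/bin/dmesg) also matches; scope the search root if that is unwanted.
[[patterns]]
name = "Dmesg Log"
type = "regex"
pattern = '(?:^|[/])dmesg(?:[.-][0-9]+)?(?:\.(?:gz|xz|bz2|zst))?$'
case-insensitive = true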

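# Boot Log
# `boot.log` plus rotated copies (`.N` or `-YYYYMMDD`, optionally
# gz/xz/bz2/zst compressed).
[[patterns]]
name = "Boot Log"
type = "regex"
pattern = '(?:^|[/])boot\.log(?:[.-][0-9]+)?(?:\.(?:gz|xz|bz2|zst))?$'
case-insensitive = true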

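# Cron Log
# `cron` (RHEL-family) or `cron.log` (Debian-family) plus rotated copies
# (`.N` or `-YYYYMMDD`, optionally gz/xz/bz2/zst compressed). The digit
# requirement in the rotation group keeps `/etc/cron.d`, `cron.daily`
# etc. from matching.
[[patterns]]
name = "Cron Log"
type = "regex"
pattern = '(?:^|[/])cron(?:\.log)?(?:[.-][0-9]+)?(?:\.(?:gz|xz|bz2|zst))?$'
case-insensitive = true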

# Faillog
# Exact basename `faillog`; no rotation suffixes are expected for this file.
# NOTE(review): presumably a binary per-UID record rather than text — confirm before parsing.
[[patterns]]
name = "Faillog"
type = "regex"
pattern = '(?:^|[/])faillog$'
case-insensitive = true

# Lastlog
# Exact basename `lastlog`; no rotation suffixes are expected for this file.
# NOTE(review): lastlog is commonly a sparse file whose apparent size scales
# with the highest UID on the system — confirm the collector preserves
# sparseness or bounds the read, or a single entry can dominate the image.
[[patterns]]
name = "Lastlog"
type = "regex"
pattern = '(?:^|[/])lastlog$'
case-insensitive = true

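# Btmp (failed login attempts)
# `btmp` plus rotated copies (`.N` or `-YYYYMMDD`, optionally
# gz/xz/bz2/zst compressed).
# NOTE(review): binary utmp-format records, not text — inspect with
# `lastb` or an equivalent parser rather than grep.
[[patterns]]
name = "Btmp Log"
type = "regex"
pattern = '(?:^|[/])btmp(?:[.-][0-9]+)?(?:\.(?:gz|xz|bz2|zst))?$'
case-insensitive = true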

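# Wtmp (login records)
# `wtmp` plus rotated copies (`.N` or `-YYYYMMDD`, optionally
# gz/xz/bz2/zst compressed).
# NOTE(review): binary utmp-format records, not text — inspect with
# `last` or an equivalent parser rather than grep.
[[patterns]]
name = "Wtmp Log"
type = "regex"
pattern = '(?:^|[/])wtmp(?:[.-][0-9]+)?(?:\.(?:gz|xz|bz2|zst))?$'
case-insensitive = true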

# Utmp (current logins)
# Exact basename `utmp`; the regex is basename-only so it matches wherever
# the file lives (on current systems presumably /run/utmp or /var/run/utmp
# rather than /var/log — confirm the search roots include it).
[[patterns]]
name = "Utmp Log"
type = "regex"
pattern = '(?:^|[/])utmp$'
case-insensitive = true

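# Messages
# RHEL-family general log. Rotated copies are commonly `messages-YYYYMMDD`
# (logrotate `dateext`) as well as `messages.N`, optionally compressed with
# gzip, xz, bzip2 or zstd.
[[patterns]]
name = "Messages Log"
type = "regex"
pattern = '(?:^|[/])messages(?:[.-][0-9]+)?(?:\.(?:gz|xz|bz2|zst))?$'
case-insensitive = true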

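# Journal logs (systemd)
# Binary journal files (`system.journal`, `user-1000.journal`, archived
# `system@….journal`). The optional trailing `~` also captures journals
# that journald renamed because they were not closed cleanly or were
# found corrupted; those are still forensically valuable.
[[patterns]]
name = "Journal Log"
type = "regex"
pattern = '\.journal~?$'
case-insensitive = true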

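# Audit logs
# auditd `audit.log` plus rotated copies (`audit.log.N`, or `-YYYYMMDD`
# if logrotate manages it), optionally gz/xz/bz2/zst compressed.
[[patterns]]
name = "Audit Log"
type = "regex"
pattern = '(?:^|[/])audit\.log(?:[.-][0-9]+)?(?:\.(?:gz|xz|bz2|zst))?$'
case-insensitive = true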

# Var/log directory
# Catch-all: as a regex this matches every path containing `/var/log/`,
# so it subsumes the named patterns above and pulls in everything under
# the tree (including large or binary files). It is deliberately
# unanchored so the same tree inside a mounted image root also matches,
# and case-sensitive because Linux paths are.
[[patterns]]
name = "Var Log Directory"
type = "regex"
pattern = '/var/log/'
case-insensitive = false