The Hack FAQ

31.0 Unix Logging

This section contains info regarding logging for Unix.

31.1 Where are the common log files in Unix?

Log files for Unix vary from flavor to flavor, but there are a few guidelines as to where these logs are kept.

System log files and accounting files are in /var/adm, /var/log, or sometimes /usr/adm. Common log files include 'messages', 'syslog', and on some systems 'sulog'. Checking '/etc/defaults' and '/etc/syslog.conf' may reveal more. Also 'wtmp', 'utmp', and 'lastlog' will contain information regarding logins.

The most important one will probably be syslog. Most utilities, including security add-on programs can write to syslog, so it makes a handy location for dumping info. But bear in mind that there are a lot of processes that might log to separate log files. Here are some potential files to look for:

Cron log file
Logs inbound and outbound mail activity
Log file for printing

There are more, but this should give you an idea.

31.2 How do I edit/change the log files for Unix?

Most of these files are text files and can be easily edited, assuming you have the permission to do so. But some of these files require you to write special tools to edit them, mainly utmp, wtmp, and possibly lastlog.

Top | Next: Hacker Resources | Previous: Unix Remote Attacks | Table of Contents