Monitor security logs
Analyzing auth.log, syslog, fail2ban, journalctl, logwatch and alerting on suspicious activity.
Important Linux logs
Logs are your first line of defense for detecting intrusions. The classic files are:
- /var/log/auth.log → login attempts (SSH, sudo)
- /var/log/syslog → system events
- /var/log/fail2ban.log → blocked IPs
- /var/log/nginx/access.log → HTTP requests
- /var/log/nginx/error.log → web server errors
Distributions that no longer install rsyslog by default (Debian 12 onwards) don't write auth.log or syslog at all; there, journalctl (below) is the only source for these events.
Analyze auth.log
bash
# View failed login attempts
grep 'Failed password' /var/log/auth.log | tail -20
# Count attempts by IP (the address is the 4th field from the end: "... from IP port N ssh2")
grep 'Failed password' /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | head
# View successful logins
grep 'Accepted' /var/log/auth.log | tail -10
# View sudo usage
grep 'sudo' /var/log/auth.log | tail -10
Using journalctl
journalctl is the modern tool for querying systemd logs (and the only one on hosts without rsyslog):
bash
# SSH logs; the unit is named ssh on Debian/Ubuntu and sshd on RHEL/Fedora, and -u can be repeated
journalctl -u ssh -u sshd --since "1 hour ago"
# System logs with error priority or higher
journalctl -p err --since today
# Follow logs in real time
journalctl -f
# Logs for a specific service
journalctl -u nginx --since "2026-01-01" --until "2026-01-02"
Monitor fail2ban
bash
# General status
sudo fail2ban-client status
# SSH jail status
sudo fail2ban-client status sshd
# Currently banned IPs
sudo fail2ban-client get sshd banned
# View action log
tail -50 /var/log/fail2ban.log
Install Logwatch
Logwatch generates daily summary reports (the package installs a cron.daily job); mailing them requires a working local MTA such as postfix:
bash
sudo apt install -y logwatch
Configure the daily email report:
bash
sudo nano /etc/logwatch/conf/logwatch.conf
terminal
Output = mail
MailTo = your-email@example.com
Detail = Med
Range = yesterday
Test manually:
bash
sudo logwatch --detail Med --range today --output stdout
GoAccess for web logs
Visual analysis of Nginx/Apache logs:
bash
sudo apt install -y goaccess
# Terminal report
goaccess /var/log/nginx/access.log --log-format=COMBINED
# Generate HTML report. /var/www/html is the default public web root and the report
# lists visitor IPs and every requested URL, so keep it behind authentication or
# write it to a path that is not served.
goaccess /var/log/nginx/access.log --log-format=COMBINED -o /var/www/html/report.html
Suspicious activity alerts
Basic alert script. It counts only failures from the last hour, so a single old burst in the log does not trigger a mail on every run:
bash
#!/bin/bash
# /usr/local/bin/check-auth.sh
# Count failed SSH logins in the last hour only. The journal is queried because
# syslog timestamps carry no year and are awkward to filter by time; counting the
# whole of auth.log would alert on every run once the file passed the threshold.
THRESHOLD=100
MAILTO=your-email@example.com
FAILED=$(journalctl -u ssh -u sshd --since "1 hour ago" --no-pager 2>/dev/null | grep -c 'Failed password')
if [ "$FAILED" -gt "$THRESHOLD" ]; then
    echo "ALERT: $FAILED failed SSH logins on $(hostname) in the last hour" | mail -s "Security Alert" "$MAILTO"
fi
Add it to the root crontab (sudo crontab -e) to run every hour; the script needs root to read the journal:
bash
0 * * * * /usr/local/bin/check-auth.sh
Recommendations
- Review auth.log daily or set up automatic alerts
- Use logwatch to receive summaries without manual review
- Configure log rotation to avoid filling the disk
- Ship logs to a central server (rsyslog or journald remote forwarding) when you run several machines; it also means an attacker who gains root cannot erase their tracks by editing the local files
- Investigate any successful login you don't recognize immediately
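Putting the last recommendation into practice, here is an added example (not part of the original guide) that runs the kind of auth.log analysis described above over a handful of constructed sshd log lines: failures per source address, which account names were guessed, and the case to investigate immediately, a successful login from an address that had just failed several times. The sample lines, hostname and addresses are made up (the IPs come from the RFC 5737 documentation ranges). The same functions work on the output of `grep sshd /var/log/auth.log` or `journalctl -u ssh --no-pager`, since sshd writes identical message text to both.

```shell
#!/bin/bash
# Added example: spot SSH brute-force patterns in sshd log lines.
# Feed it `grep sshd /var/log/auth.log` or `journalctl -u ssh --no-pager`.

# Constructed sample log (not real traffic); IPs are RFC 5737 documentation addresses.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 09:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:00:03 web1 sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Mar  3 09:00:05 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 09:00:06 web1 sshd[1207]: Failed password for deploy from 203.0.113.7 port 51055 ssh2
Mar  3 09:00:09 web1 sshd[1209]: Accepted password for deploy from 203.0.113.7 port 51060 ssh2
Mar  3 09:10:11 web1 sshd[1300]: Failed password for invalid user test from 198.51.100.9 port 40001 ssh2
Mar  3 09:15:44 web1 sshd[1402]: Accepted publickey for alice from 192.0.2.20 port 60222 ssh2: ED25519 SHA256:Zm9vYmFy
Mar  3 09:20:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
EOF
)

# awk helper shared by the functions below. sshd lines read
# "... for <user> from <ip> port <n> ..." or "... for invalid user <user> from <ip> ...",
# so user and address are located by the words "for" and "from" rather than by
# counting fields from the end, which breaks on "Accepted publickey" lines.
PARSE_FIELDS=$(cat <<'AWK'
function parse_fields() {
    user = ""; ip = ""
    for (i = 1; i <= NF; i++) {
        if ($i == "for")  user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
        if ($i == "from") ip = $(i+1)
    }
}
AWK
)

# "<count> <ip>" for every source address with failed passwords, busiest first.
failed_by_ip() {
    awk "$PARSE_FIELDS"'
        /Failed password/ { parse_fields(); fails[ip]++ }
        END { for (a in fails) print fails[a], a }
    ' | sort -rn
}

# Distinct account names that were guessed; real accounts (here deploy, root)
# among the dictionary names suggest the attacker knows something about the host.
usernames_tried() {
    awk "$PARSE_FIELDS"'
        /Failed password/ { parse_fields(); print user }
    ' | sort -u
}

# "<ip> <user> <failures>" for each successful login preceded by at least $1
# (default 3) failed passwords from the same address: a brute force that worked.
success_after_failures() {
    local threshold="${1:-3}"
    awk -v thr="$threshold" "$PARSE_FIELDS"'
        /Failed password/ { parse_fields(); fails[ip]++ }
        /Accepted /       { parse_fields(); if (fails[ip] >= thr) print ip, user, fails[ip] }
    '
}

main() {
    echo "== failed passwords by source address =="
    printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
    echo "== account names tried =="
    printf '%s\n' "$SAMPLE_LOG" | usernames_tried
    echo "== successful login after 3+ failures (investigate now) =="
    printf '%s\n' "$SAMPLE_LOG" | success_after_failures 3
}

main
```

On a live host, replace the sample with `journalctl -u ssh -u sshd --since "24 hours ago" --no-pager | success_after_failures`. The page's `awk '{print $(NF-3)}'` one-liner is correct for "Failed password" lines, which always end in `port N ssh2`, but "Accepted publickey" lines end in the key type and fingerprint, which is why this parser anchors on the literal words `for` and `from` and skips `invalid user` when the account does not exist.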