
Monitor security logs

Analyzing auth.log, syslog, fail2ban, journalctl, logwatch and alerting on suspicious activity.


Important Linux logs

Logs are your first line of defense for detecting intrusions:

  • /var/log/auth.log → login attempts (SSH, sudo)
  • /var/log/syslog → system events
  • /var/log/fail2ban.log → blocked IPs
  • /var/log/nginx/access.log → HTTP requests
  • /var/log/nginx/error.log → web server errors

Analyze auth.log

bash
# View failed login attempts
grep 'Failed password' /var/log/auth.log | tail -20

# Count attempts by IP
grep 'Failed password' /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | head

# View successful logins
grep 'Accepted' /var/log/auth.log | tail -10

# View sudo usage
grep 'sudo' /var/log/auth.log | tail -10

Using journalctl

journalctl is the modern tool for querying systemd logs:

bash
# SSH logs (on Debian/Ubuntu the unit is named ssh rather than sshd)
journalctl -u sshd --since "1 hour ago"

# System logs with error priority or higher
journalctl -p err --since today

# Follow logs in real time
journalctl -f

# Logs for a specific service
journalctl -u nginx --since "2026-01-01" --until "2026-01-02"

Monitor fail2ban

bash
# General status
sudo fail2ban-client status

# SSH jail status
sudo fail2ban-client status sshd

# Currently banned IPs
sudo fail2ban-client get sshd banned

# View action log
tail -50 /var/log/fail2ban.log

Install Logwatch

Logwatch generates daily summary reports:

bash
sudo apt install -y logwatch

Configure daily email report:

bash
sudo nano /etc/logwatch/conf/logwatch.conf
terminal
Output = mail
MailTo = your-email@example.com
Detail = Med
Range = yesterday

Test manually:

bash
sudo logwatch --detail Med --range today --output stdout

GoAccess for web logs

Visual analysis of Nginx/Apache logs:

bash
sudo apt install -y goaccess

# Terminal report
goaccess /var/log/nginx/access.log --log-format=COMBINED

# Generate HTML report
goaccess /var/log/nginx/access.log --log-format=COMBINED -o /var/www/html/report.html

Suspicious activity alerts

Basic alert script:

bash
#!/bin/bash
# /usr/local/bin/check-auth.sh
# Count failed SSH logins from the last hour only, so an hourly cron run reports
# new activity; grepping all of auth.log counts every failure since the last log
# rotation and would fire on every run once the running total passes 100.
FAILED=$(journalctl _COMM=sshd --since "1 hour ago" --no-pager | grep -c 'Failed password')
if [ "$FAILED" -gt 100 ]; then
  echo "ALERT: $FAILED failed login attempts in the last hour" | mail -s "Security Alert" your-email@example.com
fi

Add to cron every hour:

bash
0 * * * * /usr/local/bin/check-auth.sh
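A raw count of failed passwords says nothing about who is behind them. The script below, added here as an example and not part of the original guide, groups failures by source address and flags the case the Recommendations section tells you to investigate first: a successful login from an address that had already failed repeatedly. The log lines are constructed samples, and the function names are my own.

```shell
#!/bin/bash
# Constructed sample auth.log lines (not real data); mixes the patterns the page greps for.
SAMPLE_LOG='Jan 12 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 50001 ssh2
Jan 12 10:00:02 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 50002 ssh2
Jan 12 10:00:03 host sshd[1003]: Failed password for root from 203.0.113.5 port 50003 ssh2
Jan 12 10:00:04 host sshd[1004]: Failed password for deploy from 198.51.100.7 port 40001 ssh2
Jan 12 10:00:05 host sshd[1005]: Accepted publickey for deploy from 198.51.100.7 port 40002 ssh2
Jan 12 10:00:06 host sshd[1006]: Accepted password for root from 203.0.113.5 port 50004 ssh2
Jan 12 10:00:07 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls'

# failed_by_ip LOGTEXT MIN: print "IP count" for every source with at least MIN
# failed passwords, most active first. The address is the field after "from",
# which is stable across "for USER" and "for invalid user USER" lines.
failed_by_ip() {
  printf '%s\n' "$1" | awk -v min="$2" '
    /sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") break
      fails[$(i+1)]++
    }
    END { for (ip in fails) if (fails[ip] >= min) printf "%s %d\n", ip, fails[ip] }' |
  sort -k2,2nr
}

# success_after_failure LOGTEXT MIN: print "IP user prior_failures" for each
# accepted login whose source already had at least MIN failures earlier in the
# log, i.e. a brute force that eventually got in. A single mistyped password
# before a valid key login stays below MIN and is not reported.
success_after_failure() {
  printf '%s\n' "$1" | awk -v min="$2" '
    /sshd\[[0-9]+\]: (Failed|Accepted) / {
      for (i = 1; i <= NF; i++) if ($i == "from") break
      ip = $(i+1); user = $(i-1)
      if ($6 == "Failed") fails[ip]++
      else if (fails[ip] >= min) printf "%s %s %d\n", ip, user, fails[ip]
    }'
}

# Use a real log file when one is given, otherwise the constructed sample above.
if [ -n "${1:-}" ]; then LOG_TEXT=$(cat "$1"); else LOG_TEXT=$SAMPLE_LOG; fi
echo "== sources with >= 3 failed passwords =="
failed_by_ip "$LOG_TEXT" 3
echo "== successful logins preceded by >= 3 failures from the same source =="
success_after_failure "$LOG_TEXT" 3
```

Run it as `check-auth-detail.sh /var/log/auth.log` from the same hourly cron entry, piping the output to `mail` as the basic script does.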

Recommendations

  • Review auth.log daily or set up automatic alerts
  • Use logwatch to receive summaries without manual review
  • Configure log rotation to avoid filling the disk
  • When you run several servers, centralize their logs on a separate log host so an attacker cannot erase the evidence locally
  • Immediately investigate any successful login you don't recognize
