Description: keywords to search for in linux logs for log analysis

Usage: sudo grep -r "search_keyword" /var/log *

Search Keywords

• Successful User Login

  • “Accepted password”, “Accepted publickey”, "session opened”

• Failed User Login

  • “authentication failure”, “failed password”

• User added

  • "adduser" or "useradd"

• User Logoff

  • “session closed”

• User account change or deletion

  • “password changed”, “new user”, “delete user”

• Sudo Actions

  • “sudo: … COMMAND=…”“FAILED su”

• Service Failure

  • “failed” or “failure”

Resources

• Searching Log Files

• Critical Log Review Checklist for Security Incidents