Feb 20, 2026 • 1 min • Updated Feb 20, 2026

Authentication & System Logs

A concise field note on where authentication, access and system activity live on Linux systems.

Tags: dfir, linux, logs, detection

When investigating Linux incidents, the hardest part is not finding logs — it is knowing which layer recorded what.

Authentication, system activity, kernel events and session history live in different places and follow different retention logic.

Authentication policies

These files define how access is controlled before logs even appear.

  • /etc/security/pwquality.conf — global password policy (minimum length, complexity)
  • /etc/security/access.conf — global access policy (allow/deny from specific IP ranges)
  • /etc/security/time.conf — time-based access control rules

These are configuration sources, not telemetry — but they explain why an authentication event behaved a certain way.

Authentication logs

Primary evidence for logins, failures and session attempts.

  • /var/log/auth.log — authentication logs (Debian/Ubuntu)
  • /var/log/secure — authentication logs (RHEL/Fedora)
  • /var/log/security/lastlog — last successful logon attempts (binary)
  • /var/log/security/faillog — failed login tracking (binary, not enabled on Ubuntu)

Reading tools:

faillog -a
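As an added example (not the author's code): a small Python triage helper that applies the note above, that /var/log/auth.log (or /var/log/secure on RHEL) is the primary evidence for failures and sessions, to a few constructed sshd lines. The host name, IPs and timestamps are made up; the regexes assume OpenSSH's standard "Failed password" / "Accepted ..." wording.

```python
import re
from collections import defaultdict

# Constructed sample in traditional syslog format (not a real capture).
SAMPLE_AUTH_LOG = """\
Feb 20 09:12:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 20 09:12:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Feb 20 09:12:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Feb 20 09:12:09 host sshd[1207]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Feb 20 09:15:44 host sshd[1301]: Accepted publickey for alice from 192.0.2.10 port 40100 ssh2
Feb 20 09:16:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
"""

# OpenSSH's standard wording; "invalid user" is present when the account does not exist.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def summarize_ssh_auth(log_text):
    """Per-source-IP failure counts, plus accepted logins as (ip, user, method) in log order."""
    failures = defaultdict(int)
    accepted = []
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            failures[m["ip"]] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted.append((m["ip"], m["user"], m["method"]))
    return dict(failures), accepted


def flag_failures_then_success(log_text, threshold=3):
    """Source IPs whose Accepted event arrived after at least `threshold` failures: guessing that worked."""
    failures = defaultdict(int)
    flagged = []
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            failures[m["ip"]] += 1
        elif (m := ACCEPTED_RE.search(line)) and failures[m["ip"]] >= threshold and m["ip"] not in flagged:
            flagged.append(m["ip"])
    return flagged


if __name__ == "__main__":
    print(summarize_ssh_auth(SAMPLE_AUTH_LOG))
    print(flag_failures_then_success(SAMPLE_AUTH_LOG))
```

On a live system, pass `open("/var/log/auth.log").read()` (or `/var/log/secure`) in place of the sample; the sudo line is deliberately ignored to show that only sshd events are matched.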

ABOUT

7mergen — threat research, DFIR, and detection engineering. I write concise notes that are easy to reuse under pressure.