Linux Logs

Like Windows, Linux has a number of logs that can be very interesting for a forensic investigation. This section provides a brief description of each of the major Linux logs and the forensic relevance of that log.

The /var/log/faillog Log

This file records failed user logins, which makes it important when tracking attempts to break into the system. Note that faillog is not a plain-text log: it is a binary, per-user record that is read with the faillog command (faillog -a lists every user) rather than with cat or a pager. On many current distributions it is empty, because failed logins are written instead to /var/log/auth.log (Debian and its derivatives) or /var/log/secure (Red Hat and its derivatives), and to the binary file /var/log/btmp, which is read with lastb. Wherever the record lives, the analysis is the same. A normal user might occasionally have one or two failed login attempts. Numerous failed attempts, or even a modest number of failures spread across diverse times, can indicate that someone is trying to compromise an account. It is also worth noting the times of failed login attempts. If an employee normally works from 8:00 a.m. to 5:00 p.m. and there are failed login attempts against that account at 11:00 p.m., that may be a warning sign.
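The two checks just described, a failure count per account and per source address and a filter for attempts outside working hours, are straightforward to automate. The script below is an added example, not part of the original text, and assumes the text form of the record as sshd writes it to /var/log/auth.log on Debian-family systems ("Failed password for ... from ... port ..."); the log excerpt is constructed for the example, and the threshold and working hours are arbitrary assumptions to be tuned for the case at hand.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed auth.log-style excerpt for the example. Syslog timestamps carry no year,
# so the parser takes one as a parameter.
SAMPLE_AUTH_LOG = """\
Mar  3 08:12:44 ws01 sshd[2201]: Failed password for alice from 10.0.0.5 port 40110 ssh2
Mar  3 08:12:50 ws01 sshd[2201]: Accepted password for alice from 10.0.0.5 port 40110 ssh2
Mar  3 23:14:07 ws01 sshd[2211]: Failed password for alice from 203.0.113.9 port 51122 ssh2
Mar  3 23:14:09 ws01 sshd[2212]: Failed password for invalid user admin from 203.0.113.9 port 51124 ssh2
Mar  3 23:14:11 ws01 sshd[2213]: Failed password for invalid user root from 203.0.113.9 port 51126 ssh2
Mar  3 23:14:13 ws01 sshd[2214]: Failed password for root from 203.0.113.9 port 51128 ssh2
Mar  3 23:14:15 ws01 sshd[2215]: Failed password for root from 203.0.113.9 port 51130 ssh2
Mar  3 23:14:17 ws01 sshd[2216]: Failed password for root from 203.0.113.9 port 51132 ssh2
Mar  3 23:14:19 ws01 sshd[2217]: Failed password for root from 203.0.113.9 port 51134 ssh2
Mar  4 09:30:02 ws01 sshd[2301]: Failed password for bob from 10.0.0.7 port 40200 ssh2
"""

# Matches sshd's "Failed password" line; "invalid user" marks names that do not exist locally.
FAILED_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_logins(text, year=2024):
    """Return a list of (timestamp, user, source_ip) for every failed sshd login in text."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return events


def triage_failed_logins(events, threshold=5, work_start=8, work_end=17):
    """Flag accounts and source addresses with >= threshold failures, and every failure
    outside the assumed working hours [work_start, work_end)."""
    per_user = Counter(user for _, user, _ in events)
    per_source = Counter(src for _, _, src in events)
    off_hours = [(ts, user, src) for ts, user, src in events if not (work_start <= ts.hour < work_end)]
    return {
        "noisy_users": {u: n for u, n in per_user.items() if n >= threshold},
        "noisy_sources": {s: n for s, n in per_source.items() if n >= threshold},
        "off_hours": off_hours,
    }


if __name__ == "__main__":
    report = triage_failed_logins(parse_failed_logins(SAMPLE_AUTH_LOG))
    print("accounts with many failures:", report["noisy_users"])
    print("sources with many failures: ", report["noisy_sources"])
    for ts, user, src in report["off_hours"]:
        print(f"off-hours failure {ts:%Y-%m-%d %H:%M:%S} user={user} from={src}")
```

Run against a real auth.log, the per-source counter separates a single scanning host (one address, many accounts) from an insider guessing one colleague's password (one account, one internal address), and the off-hours list surfaces the 11:00 p.m. pattern the text describes even when the count alone stays under the threshold.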

The /var/log/kern.log Log

This log file holds messages from the operating system's kernel. Much of it describes systemwide conditions (hardware errors, driver problems, out-of-memory kills), and it is entirely possible for someone to mistake such issues for an intrusion or malware. If a target system shows odd behavior and kern.log carries related hardware or driver messages, that may let you rule malware out. The kernel log is not without forensic value, though: it records USB devices being attached (useful when data theft by removable media is suspected), kernel modules being loaded (a possible trace of a rootkit), application segfaults (a possible trace of a failed exploit), and any firewall rules configured to log.

The /var/log/lpr.log Log

This is the printer log. It can give you a record of the print jobs submitted from this machine, which is useful in many cases. Corporate espionage cases, for example, often involve the suspect printing out sensitive documents, and a record of which user printed which job at what time can be very useful. Note that the log records job metadata (user, time, printer, job name, and on CUPS systems the page count), not the printed content, and that on systems running CUPS the relevant files are /var/log/cups/access_log, error_log, and page_log rather than lpr.log.

The /var/log/mail.* Log

This is the mail server log, and it can be very useful in a computer crime investigation. Email is relevant to many different criminal investigations; it is obviously useful in cyberstalking cases, as well as in many civil litigation cases. Bear in mind that the mail log records envelope metadata (sender, recipients, message ID, size, delivery status, and the connecting client), not message bodies; the bodies, if they still exist, are in the mailboxes or the queue. The mail.* files are the syslog mail facility split by severity (on Debian-family systems mail.log, mail.warn, and mail.err).
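Because each message produces several lines, written by different Postfix daemons and tied together only by the queue ID, reconstructing who sent what to whom means joining those lines on that ID. The script below is an added example, not code from the original text; it assumes Postfix's log format, the excerpt is constructed for the example, and "corp.example" as the organisation's own domain is an assumption.

```python
import re

# Constructed Postfix mail.log excerpt. Each message is spread across smtpd, cleanup,
# qmgr and smtp/local lines that share a queue ID; NOQUEUE lines are rejections that never
# entered the queue and carry no ID.
SAMPLE_MAIL_LOG = """\
Mar  3 14:02:11 mx1 postfix/smtpd[4410]: 7A1B2C3D4E: client=ws01.corp.example[10.0.0.5], sasl_method=PLAIN, sasl_username=alice
Mar  3 14:02:11 mx1 postfix/cleanup[4412]: 7A1B2C3D4E: message-id=<20240303140211.1@ws01.corp.example>
Mar  3 14:02:11 mx1 postfix/qmgr[4001]: 7A1B2C3D4E: from=<alice@corp.example>, size=20480, nrcpt=1 (queue active)
Mar  3 14:02:12 mx1 postfix/smtp[4415]: 7A1B2C3D4E: to=<drop@mail.example.net>, relay=mail.example.net[198.51.100.20]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  3 14:02:12 mx1 postfix/qmgr[4001]: 7A1B2C3D4E: removed
Mar  3 14:03:40 mx1 postfix/smtpd[4418]: NOQUEUE: reject: RCPT from unknown[203.0.113.50]: 554 5.7.1 <spam@example.net>: Relay access denied; from=<x@example.net> to=<spam@example.net> proto=ESMTP helo=<evil>
Mar  3 14:05:30 mx1 postfix/smtpd[4420]: 9F8E7D6C5B: client=ws02.corp.example[10.0.0.6], sasl_method=PLAIN, sasl_username=bob
Mar  3 14:05:30 mx1 postfix/cleanup[4422]: 9F8E7D6C5B: message-id=<20240303140530.7@ws02.corp.example>
Mar  3 14:05:30 mx1 postfix/qmgr[4001]: 9F8E7D6C5B: from=<bob@corp.example>, size=1204, nrcpt=2 (queue active)
Mar  3 14:05:31 mx1 postfix/local[4425]: 9F8E7D6C5B: to=<carol@corp.example>, relay=local, delay=0.3, delays=0.1/0/0/0.2, dsn=2.0.0, status=sent (delivered to mailbox)
Mar  3 14:05:31 mx1 postfix/smtp[4426]: 9F8E7D6C5B: to=<dave@example.org>, relay=none, delay=0.4, delays=0.1/0/0.3/0, dsn=4.4.1, status=deferred (connect to example.org[192.0.2.10]:25: Connection refused)
Mar  3 14:05:31 mx1 postfix/qmgr[4001]: 9F8E7D6C5B: removed
"""

# Common prefix of every Postfix line: timestamp, host, daemon, queue ID, then the event text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/(?P<proc>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$"
)
# Per-message fields, each found on one of the lines for that queue ID.
FIELD_RES = {
    "client": re.compile(r"client=([^,\s]+)"),
    "sasl_username": re.compile(r"sasl_username=([^,\s]+)"),
    "message_id": re.compile(r"message-id=(<[^>]*>)"),
    "from": re.compile(r"\bfrom=<([^>]*)>"),
}
# One line per recipient, carrying the delivery status for that recipient.
TO_RE = re.compile(r"to=<(?P<to>[^>]+)>.*\bstatus=(?P<status>\w+)")


def parse_mail_log(text):
    """Join Postfix log lines on queue ID; return {qid: {fields..., "recipients": [(addr, status)]}}."""
    messages = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qid"] == "NOQUEUE":
            continue  # rejections never got a queue ID; their from=/to= must not be joined
        rec = messages.setdefault(m["qid"], {"first_seen": m["ts"], "recipients": []})
        for key, rx in FIELD_RES.items():
            f = rx.search(m["rest"])
            if f:
                rec[key] = f.group(1)
        t = TO_RE.search(m["rest"])
        if t:
            rec["recipients"].append((t["to"], t["status"]))
    return messages


def external_deliveries(messages, internal_domain):
    """List (qid, authenticated user, envelope sender, recipient, status) for every recipient
    outside internal_domain, i.e. mail that left the organisation."""
    out = []
    for qid, rec in messages.items():
        for to, status in rec["recipients"]:
            if not to.lower().endswith("@" + internal_domain.lower()):
                out.append((qid, rec.get("sasl_username"), rec.get("from"), to, status))
    return out


if __name__ == "__main__":
    msgs = parse_mail_log(SAMPLE_MAIL_LOG)
    for qid, user, sender, to, status in external_deliveries(msgs, "corp.example"):
        print(f"{qid} user={user} from={sender} to={to} status={status} msgid={msgs[qid].get('message_id')}")
```

The sasl_username field is worth more than the from= address in an investigation: the envelope sender is chosen by the sending software and can be forged, while the SASL name is the account that actually authenticated to the server. The message-id links the log entry to the copy of the message found in a mailbox or on the recipient's side.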

The /var/log/mysql.* Log

This log records activity of the MySQL database server. It is of most interest in crimes involving database attacks. Be aware of what is logged by default, though: MySQL normally writes only its error log, and individual queries appear only if the general query log (or the slow query log) was enabled before the incident. A SQL injection attack therefore leaves a record in the database log only when query logging was on; otherwise the injected request is more likely to be found in the web server's access log.

The /var/log/apache2/* Log

If this machine is running the Apache web server, these logs record its activity: access.log holds one line per request (client address, time, request line, status code, size, referer, and user agent), and error.log holds server-side errors and warnings. They are very useful in tracking attempts to hack into the web server. You can examine them for buffer overflow attempts (abnormally long request lines), denial of service attempts (bursts of requests from one address), SQL injection and path traversal strings in the requested URLs, and a variety of other attacks.
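The script below turns that inspection into code. It is an added example, not part of the original text; it assumes Apache's combined log format, and the log excerpt, the length threshold, the per-minute request threshold, and the injection patterns are all constructed assumptions for the example (real triage would use a fuller pattern set and thresholds fitted to the site's normal traffic).

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed access.log excerpt in combined format. Line 6 is an overlong request, line 7 a
# TLS handshake sent to a plain-HTTP port (Apache logs the bytes escaped), both common in scans.
SAMPLE_ACCESS_LOG = "\n".join([
    '10.0.0.5 - - [03/Mar/2024:09:15:02 +0000] "GET /index.php?id=7 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Mar/2024:09:15:03 +0000] "GET /css/site.css HTTP/1.1" 200 812 "http://www.example.com/index.php?id=7" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Mar/2024:23:20:01 +0000] "GET /index.php?id=7%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "sqlmap/1.7"',
    '203.0.113.9 - - [03/Mar/2024:23:20:02 +0000] "GET /index.php?id=7%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1" 500 312 "-" "sqlmap/1.7"',
    '203.0.113.9 - - [03/Mar/2024:23:20:03 +0000] "GET /../../etc/passwd HTTP/1.1" 400 226 "-" "curl/8.0"',
    '203.0.113.9 - - [03/Mar/2024:23:20:04 +0000] "GET /cgi-bin/' + "A" * 3000 + ' HTTP/1.0" 414 330 "-" "-"',
    r'203.0.113.9 - - [03/Mar/2024:23:20:05 +0000] "\x16\x03\x01" 400 226 "-" "-"',
    '203.0.113.9 - - [03/Mar/2024:23:20:06 +0000] "GET /login HTTP/1.1" 200 1400 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [04/Mar/2024:10:01:00 +0000] "POST /login HTTP/1.1" 302 0 "http://www.example.com/login" "Mozilla/5.0"',
])

# Combined log format. The request is captured whole and split afterwards, because a
# malformed request line (not "METHOD URI PROTOCOL") is itself worth flagging.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Deliberately small pattern sets; they are assumptions for the example, not a complete ruleset.
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b|'\s*or\s+1\s*=\s*1|\bsleep\s*\(|information_schema", re.I)
TRAVERSAL_RE = re.compile(r"\.\./|%2e%2e%2f", re.I)


def parse_access_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m["request"].split(" ")
        method, uri, proto = parts if len(parts) == 3 else (None, None, None)
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "uri": uri, "raw_request": m["request"],
            "status": int(m["status"]), "ua": m["ua"],
        })
    return entries


def triage_requests(entries, max_uri_len=2048, max_per_minute=5):
    """Return (ip, category, detail) findings: injection/traversal strings, overlong and
    malformed request lines, and addresses exceeding max_per_minute requests in a minute."""
    findings = []
    per_ip_minute = Counter()
    for e in entries:
        per_ip_minute[(e["ip"], e["ts"].replace(second=0))] += 1
        if e["uri"] is None:
            findings.append((e["ip"], "malformed_request", e["raw_request"]))
            continue
        decoded = unquote(e["uri"])  # match on the decoded form so %27 and ' are treated alike
        if len(e["uri"]) > max_uri_len:
            findings.append((e["ip"], "long_request", f"{len(e['uri'])} byte URI, status {e['status']}"))
        if SQLI_RE.search(decoded):
            findings.append((e["ip"], "sqli", decoded))
        if TRAVERSAL_RE.search(decoded):
            findings.append((e["ip"], "traversal", decoded))
    for (ip, minute), n in per_ip_minute.items():
        if n > max_per_minute:
            findings.append((ip, "rate", f"{n} requests in minute {minute:%Y-%m-%d %H:%M}"))
    return findings


if __name__ == "__main__":
    for ip, category, detail in triage_requests(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f"{ip:15} {category:18} {detail[:80]}")
```

Two details matter in practice: match injection patterns against the URL-decoded request, since attackers and tools encode the interesting characters, and treat requests that do not even parse as findings rather than discarding them, because scanners and exploit attempts are exactly what produces such lines.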

The /var/log/lighttpd/* Log

If this machine is running the Lighttpd web server, then this log shows related activity. This can be very useful in tracking attempts to hack into the web server.

The /var/log/apport.log Log

This log records application crashes. Sometimes these can reveal attempts to compromise the system or the presence of malware. Of course, it can also simply reveal a buggy application. That is the real challenge with computer forensics: determining what is evidence of an actual crime.

Other Logs

Any other applications running on the Linux computer that store logs can be useful in your forensic examination. For example, if you are using an intrusion detection system (IDS) such as Snort, it keeps logs of all suspicious traffic. That can be very useful in your investigation.

Viewing Logs

With Linux, you can use a variety of shell commands to view a log, or simply open the file in your favorite text editor within your preferred graphical user interface. The dmesg command is specific to kernel messages: it prints the kernel ring buffer, the same messages that syslog writes to kern.log, and is best piped through a pager:

dmesg | less

For the text logs under /var/log, any of these methods works as well (the # prompt indicates a root shell, which is needed because most log files are not world-readable):

# tail -f /var/log/lpr.log
# less /var/log/lpr.log
# more /var/log/lpr.log

tail -f follows the file and shows new lines as they are written, which is convenient for watching a live system but irrelevant for a forensic copy. On distributions that use systemd, much of this material is also held in the binary journal, which is queried with journalctl (journalctl -k for kernel messages, journalctl -u sshd for a particular service).

As you can see, there are a number of methods for viewing logs in Linux.
