Posted: . At: 2:12 PM. This was 6 years ago. Post ID: 1689


Checking /var/log. How to best find good information about your system.


Checking the files under /var/log is very important: they show a great deal about what is happening on a Linux system. The command below lists the programs previously installed with apt on a Debian-based system.

jason@Yog-Sothoth » ~ » $ grep install /var/log/apt/history.log
Commandline: apt install nethogs
Commandline: apt install iftop
Commandline: apt-get install nload
Commandline: apt install tcptrack
Commandline: apt install iptraf-ng
Commandline: apt install vinetto
Commandline: apt install adb
Commandline: apt install volatility
Commandline: apt install vrms
Commandline: apt install cowsay-off

The /var/log/syslog file records started and stopped services and cron jobs, which makes it useful for keeping track of systemd activity.

Another way to see the most recently installed packages is to query dpkg.log for "status installed" entries.

jason@Yog-Sothoth » log » $ grep "status installed" dpkg.log | tail -n 20
2018-06-27 10:08:54 status installed libfltk1.3:amd64 1.3.4-6
2018-06-27 10:08:56 status installed man-db:amd64 2.8.3-2
2018-06-27 10:09:25 status installed shared-mime-info:amd64 1.9-2
2018-06-27 10:09:26 status installed gnome-menus:amd64 3.13.3-11ubuntu1
2018-06-27 10:09:26 status installed liblo7:amd64 0.29-1
2018-06-27 10:09:26 status installed jackd2-firewire:amd64 1.9.12~dfsg-2
2018-06-27 10:09:26 status installed zynaddsubfx:amd64 3.0.3-1
2018-06-27 10:09:27 status installed hicolor-icon-theme:all 0.17-2
2018-06-27 10:09:27 status installed librtmidi4:amd64 3.0.0~ds1-2
2018-06-27 10:09:27 status installed libstk-4.5.0:amd64 4.5.2+dfsg-5build1
2018-06-27 10:09:27 status installed jackd:all 5
2018-06-27 10:09:27 status installed qjackctl:amd64 0.4.5-1ubuntu1
2018-06-27 10:09:27 status installed stk:amd64 4.5.2+dfsg-5build1
2018-06-27 10:09:28 status installed lmms:amd64 1.1.3-7
2018-06-27 10:09:28 status installed meterbridge:amd64 0.9.2-13
2018-06-27 10:09:28 status installed libc-bin:amd64 2.27-3ubuntu1
2018-06-27 10:09:28 status installed menu:amd64 2.1.47ubuntu2.1
2018-06-27 10:10:29 status installed fmtools:amd64 2.0.7build1
2018-06-27 10:10:30 status installed man-db:amd64 2.8.3-2
2018-06-28 10:59:39 status installed cowsay-off:all 3.03+dfsg2-4

Find out at what times the system rebooted.

jason@Yog-Sothoth » log » $ grep "rebooting" auth.log
Jun 24 10:23:26 Yog-Sothoth systemd-logind[1118]: System is rebooting.
Jun 25 12:46:45 Yog-Sothoth systemd-logind[1153]: System is rebooting.
Jun 26 14:54:12 Yog-Sothoth systemd-logind[1105]: System is rebooting.
Jun 27 13:01:04 Yog-Sothoth systemd-logind[1145]: System is rebooting.
Jun 28 12:34:04 Yog-Sothoth systemd-logind[1187]: System is rebooting.

The wtmp file contains a listing of all logins on the system, including SSH logins.

Read it like this.

jason@Yog-Sothoth » log » $ utmpdump /var/log/wtmp | tail -n 40

That is a very useful file.

Piping the output to less lets you scroll up and down through the logins; the most recent entries are at the bottom.

jason@Yog-Sothoth » log » $ utmpdump /var/log/wtmp | less

The last command also lists all logins, but with the most recent logins at the top of the output.

jason@Yog-Sothoth » log » $ last | head -n 30
jason    :1           :1               Fri Jun 29 06:53   still logged in
reboot   system boot  4.15.0-24-generi Fri Jun 29 16:50   still running
jason    :1           :1               Thu Jun 28 09:15 - 12:34  (03:18)
reboot   system boot  4.15.0-24-generi Thu Jun 28 19:13 - 12:34  (-6:39)
jason    :1           :1               Wed Jun 27 08:44 - 13:01  (04:16)
reboot   system boot  4.15.0-24-generi Wed Jun 27 18:34 - 13:01  (-5:33)
jason    :1           :1               Tue Jun 26 07:47 - 14:54  (07:06)
reboot   system boot  4.15.0-24-generi Tue Jun 26 17:46 - 14:54  (-2:51)
jason    :1           :1               Mon Jun 25 06:40 - down   (06:06)
reboot   system boot  4.15.0-24-generi Mon Jun 25 16:39 - 12:46  (-3:52)
jason    :1           :1               Sun Jun 24 18:48 - 22:04  (03:15)
reboot   system boot  4.15.0-24-generi Mon Jun 25 04:42 - 22:04  (-6:38)
jason    :1           :1               Sun Jun 24 09:34 - 10:23  (00:49)
reboot   system boot  4.15.0-24-generi Sun Jun 24 19:32 - 10:23  (-9:08)
jason    pts/0        192.168.1.4      Fri Jun 22 11:45 - 11:53  (00:07)
jason    :1           :1               Fri Jun 22 09:37 - 12:08  (02:31)
reboot   system boot  4.15.0-24-generi Fri Jun 22 19:35 - 12:08  (-7:27)
jason    :1           :1               Thu Jun 21 09:45 - 13:55  (04:10)
reboot   system boot  4.15.0-24-generi Thu Jun 21 19:42 - 13:55  (-5:46)
jason    :1           :1               Wed Jun 20 07:58 - 12:36  (04:38)
reboot   system boot  4.15.0-24-generi Wed Jun 20 17:56 - 12:36  (-5:20)
jason    :1           :1               Tue Jun 19 08:43 - 11:53  (03:10)
reboot   system boot  4.15.0-24-generi Tue Jun 19 18:40 - 11:53  (-6:46)
jason    pts/0        192.168.1.4      Mon Jun 18 11:03 - 11:13  (00:10)
jason    pts/0        192.168.1.4      Mon Jun 18 10:29 - 10:52  (00:23)
jason    :1           :1               Mon Jun 18 10:27 - down   (02:24)
reboot   system boot  4.15.0-23-generi Mon Jun 18 20:26 - 12:52  (-7:34)
jason    :1           :1               Mon Jun 18 08:10 - 10:24  (02:14)
reboot   system boot  4.15.0-23-generi Mon Jun 18 18:08 - 10:25  (-7:43)
jason    :1           :1               Fri Jun 15 09:15 - down   (03:47)

The btmp file contains information on bad login attempts. It requires superuser access to read, so the system administrator views it with sudo lastb.

jason@Yog-Sothoth » log » $ sudo lastb 
1) All commands run with root privileges are always dangerous.
2) Never run commands on an environment you are not willing to destroy, or able to restore.
3) Do not become root until you know what you are going to do.
4) Be sure of your command and what is going to be affected by it.
[sudo] password for jason: 

btmp begins Fri Jun  1 09:08:14 2018
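
Both last and lastb print the same column layout, so one parser serves both the wtmp listing shown earlier and the btmp listing above. The functions below are an added example (not part of the original post): they keep only sessions that arrived on a pseudo-terminal from a network address and count them per user and source, so an unfamiliar address or a root login from the network stands out. The sample records are constructed, using the documentation address range 203.0.113.0/24 for the "unexpected" source.

```shell
#!/bin/sh
# Constructed sample in the format printed by last(1) and lastb(1); not real data.
# Note the local pts session with an empty host column: its third field is the
# weekday, which a naive "$3 is the host" parse would misread as a hostname.
SAMPLE_LAST='jason    pts/0        192.168.1.4      Fri Jun 22 11:45 - 11:53  (00:07)
jason    :1           :1               Fri Jun 22 09:37 - 12:08  (02:31)
reboot   system boot  4.15.0-24-generi Fri Jun 22 19:35 - 12:08  (-7:27)
jason    pts/2                         Fri Jun 22 09:40 - 09:41  (00:01)
jason    pts/0        192.168.1.4      Mon Jun 18 11:03 - 11:13  (00:10)
jason    pts/1        203.0.113.7      Mon Jun 18 10:40 - 10:41  (00:01)
root     pts/0        203.0.113.7      Mon Jun 18 10:39 - 10:39  (00:00)
jason    :1           :1               Mon Jun 18 10:27 - down   (02:24)

wtmp begins Fri Jun  1 09:08:14 2018'

# remote_sessions [FILE...]: print "USER HOST" for each session on a pts/N
# terminal whose host column is present. Reads FILE or stdin, e.g.
#   last | remote_sessions        or        sudo lastb | remote_sessions
remote_sessions() {
    awk '
        $2 ~ /^pts\// && $3 !~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { print $1, $3 }
    ' "$@"
}

# logins_by_source [FILE...]: count remote sessions per "USER HOST" pair,
# most frequent first.
logins_by_source() {
    remote_sessions "$@" | sort | uniq -c | sort -rn
}

# remote_root_sessions [FILE...]: the subset of remote sessions where the
# account is root; on most servers this list should be empty.
remote_root_sessions() {
    remote_sessions "$@" | awk '$1 == "root"'
}
```

Over the sample, `logins_by_source` reports two sessions for jason from 192.168.1.4 and one each for jason and root from 203.0.113.7; the local pts/2 session without a host is correctly ignored. Run the same functions over `sudo lastb` output to rank failed attempts by source instead of successful logins.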

These files are very useful for keeping track of what is happening on a Linux server. Check them regularly and an administrator can keep on top of things and spot irregularities that could indicate a malicious user trying to access the server.

