Collect system logs and upload them. Based on TriageSystemLogs from forensicartifacts.com
name: Linux.Collection.SysLogs
author: alternate
description: |
Collect system logs and upload them.
Based on TriageSystemLogs from forensicartifacts.com
reference:
- https://github.com/ForensicArtifacts/artifacts/blob/main/data/triage.yaml
precondition: SELECT OS FROM info() WHERE OS = 'linux'
parameters:
- name: DebianPackagesLogFiles
default: |
["/var/log/dpkg.log*","/var/log/apt/history.log*","/var/log/apt/term.log"]
- name: LinuxAuditLogs
default: /var/log/audit/*
- name: LinuxAuthLogs
default: |
["/var/log/auth.log*","/var/log/secure.log*"]
- name: LinuxCronLogs
default: /var/log/cron.log*
- name: LinuxDaemonLogFiles
default: /var/log/daemon.log*
- name: LinuxKernelLogFiles
default: /var/log/kern.log*
- name: LinuxLatlogFiles
default: /var/log/lastlog
- name: LinuxMessagesLogFiles
default: /var/log/messages*
- name: LinuxSudoReplayLogs
default: /var/log/sudo-io/**
- name: LinuxSysLogFiles
default: /var/log/syslog.log*
- name: LinuxSystemdJournalLogs
default: |
["/var/log/journal/*/*.journal","/var/log/journal/*/*.journal~"]
- name: LinuxUtmpFiles
default: |
["/var/log/btmp","/var/log/wtmp","/var/run/utmp"]
- name: LinuxWtmp
default: /var/log/wtmp
- name: SambaLogFiles
default: /var/log/samba/*.log
- name: UFWLogFile
default: /var/log/ufw.log
- name: UnixUtmpFile
default: |
["/var/log/btmp","/var/log/wtmp","/var/run/utmp"]
sources:
- name: uploadDebianPackagesLogFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=DebianPackagesLogFiles))
- name: uploadLinuxAuditLogs
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=LinuxAuditLogs)
- name: uploadLinuxAuthLogs
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=LinuxAuthLogs))
- name: uploadLinuxCronLogs
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=LinuxCronLogs)
- name: uploadLinuxDaemonLogFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=LinuxDaemonLogFiles)
- name: uploadLinuxKernelLogFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=LinuxKernelLogFiles)
- name: uploadLinuxLatlogFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM stat(filename=LinuxLatlogFiles)
- name: uploadLinuxMessagesLogFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=LinuxMessagesLogFiles)
- name: uploadLinuxSudoReplayLogs
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=LinuxSudoReplayLogs)
- name: uploadLinuxSysLogFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=LinuxSysLogFiles)
- name: uploadLinuxSystemdJournalLogs
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=LinuxSystemdJournalLogs))
- name: uploadLinuxUtmpFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=LinuxUtmpFiles))
- name: uploadLinuxWtmp
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM stat(filename=LinuxWtmp)
- name: uploadSambaLogFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=SambaLogFiles)
- name: uploadUFWLogFile
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM stat(filename=UFWLogFile)
- name: uploadUnixUtmpFile
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=UnixUtmpFile))