Linux

LogZilla App Store application: Linux

Overview

Linux is an open-source operating system kernel that forms the foundation of many server and desktop distributions. The Linux app handles core Linux system services including SSH authentication, privilege escalation (sudo/su/dzdo), scheduled tasks (cron), and service management (systemd).

App Function

  • Parse sshd, sudo, su, dzdo (Centrify), cron, and systemd log messages
  • Extract user, source IP, command, and service metadata
  • Categorize events by Event Class (auth, system)
  • Map security events to MITRE ATT&CK techniques
  • Provide dashboards for authentication and system monitoring
  • Alert on authentication failures and privilege escalation

Vendor Documentation

Device Configuration

Configure Linux to forward syslog messages to LogZilla. Replace LOGZILLA_IP with the LogZilla server IP address or DNS name.

syslog-ng

Add the following to /etc/syslog-ng/syslog-ng.conf:

```text
destination d_logzilla { udp("LOGZILLA_IP" port(514)); };
log { source(s_src); destination(d_logzilla); };
```

Restart syslog-ng: systemctl restart syslog-ng

rsyslog

Create a configuration file to forward all logs:

```bash
cat > /etc/rsyslog.d/50-logzilla.conf << 'EOF'
# Forward all logs to LogZilla
*.* @LOGZILLA_IP:514
EOF
systemctl restart rsyslog
```

For TCP transport, use @@ instead of @:

```text
*.* @@LOGZILLA_IP:514
```

Verification

Generate a test event and verify it appears in LogZilla:

```bash
logger -t sshd "Test message from Linux"
```

Incoming Log Format

Linux syslog messages follow the standard RFC 3164/5424 format:

```text
<priority>timestamp hostname program[pid]: message
```
  • priority - Facility and severity combined
  • timestamp - Event timestamp
  • hostname - Source host
  • program - Process name (sshd, sudo, su, CRON, systemd)
  • pid - Process ID
  • message - Event-specific content

Parsed Metadata Fields

| Tag Name | Example | Description |
|---|---|---|
| Vendor | Linux | Device vendor |
| Product | System | Device product |
| Event Class | auth | Event classification (auth, system) |
| User | jdoe | Username from authentication events |
| SrcIP | 192.168.1.100 | Source IP for SSH connections |
| Runas User | root | Target user for sudo/su/dzdo commands |
| Command | /bin/bash | Command executed via sudo or cron |
| Service | nginx.service | Systemd service name |
| Action | started | Systemd action (started, stopped, failed) |
| Auth Success | true | Authentication result |
| MitreId | T1110 | MITRE ATT&CK technique ID |
| MITRE Tactic | Credential Access | MITRE ATT&CK tactic |

Log Examples

SSH Failed Password

```text
sshd[12345]: Failed password for invalid user admin from 192.168.1.100 port 54321
```

SSH Successful Login

```text
sshd[12345]: Accepted publickey for jdoe from 192.168.1.100 port 54321 ssh2
```

Sudo Command

```text
sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash
```

Su User Switch

```text
su: Successful su for root by jdoe
```

Cron Job

```text
CRON[67890]: (root) CMD (/usr/local/bin/backup.sh)
```

Systemd Service Started

```text
systemd: Started nginx.service.
```

Systemd Service Failed

```text
systemd: Failed to start mysql.service.
```

dzdo (Centrify) Privilege Escalation

```text
adclient[2191]: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|0|dzdo granted|5|user=jdoe(type:ad,[email protected]) pid=32224 status=GRANTED service=dzdo command=/bin/bash runas=root role=ROLE_ADMIN
```
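As an added example (not code from the LogZilla app or this page), the following Python parser applies the header layout from "Incoming Log Format" and the message patterns from the log examples above to produce the tags listed under "Parsed Metadata Fields". The sample lines are constructed from the page's examples with a made-up host and timestamps; the hostname, the rule table, and the tactic assigned to T1548 are assumptions.

```python
import re

# Constructed samples: this page's log examples wrapped in the documented "<priority>timestamp hostname program[pid]: message" header.
SAMPLES = [
    "<38>Jan 10 12:00:01 web1 sshd[12345]: Failed password for invalid user admin from 192.168.1.100 port 54321",
    "<38>Jan 10 12:00:02 web1 sshd[12345]: Accepted publickey for jdoe from 192.168.1.100 port 54321 ssh2",
    "<85>Jan 10 12:00:03 web1 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash",
    "<38>Jan 10 12:00:04 web1 su: Successful su for root by jdoe",
    "<78>Jan 10 12:00:05 web1 CRON[67890]: (root) CMD (/usr/local/bin/backup.sh)",
    "<30>Jan 10 12:00:06 web1 systemd: Failed to start mysql.service.",
]

# RFC 3164-style header; the pid is optional because the sudo, su and systemd lines on this page omit it.
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Per program: (message regex, Event Class, tag names for the regex groups, fixed tags). The T1548 tactic is an assumption.
RULES = {
    "sshd": [(r"^Failed \S+ for (?:invalid user )?(\S+) from (\S+) port \d+", "auth", ("User", "SrcIP"),
              {"Auth Success": False, "MitreId": "T1110", "MITRE Tactic": "Credential Access"}),
             (r"^Accepted \S+ for (\S+) from (\S+) port \d+", "auth", ("User", "SrcIP"),
              {"Auth Success": True})],
    "sudo": [(r"^(\S+) : .*\bUSER=(\S+) ; COMMAND=(.+)$", "auth", ("User", "Runas User", "Command"),
              {"MitreId": "T1548", "MITRE Tactic": "Privilege Escalation"})],
    "su": [(r"^Successful su for (\S+) by (\S+)$", "auth", ("Runas User", "User"),
            {"MitreId": "T1548", "MITRE Tactic": "Privilege Escalation"})],
    "CRON": [(r"^\((\S+)\) CMD \((.+)\)$", "system", ("User", "Command"), {})],
    "systemd": [(r"^Started (\S+)\.$", "system", ("Service",), {"Action": "started"}),
                (r"^Failed to start (\S+)\.$", "system", ("Service",), {"Action": "failed"})],
}

def parse(line):
    """Return a LogZilla-style tag dict for one syslog line, or None if the header does not match."""
    m = HEADER.match(line)
    if not m:
        return None
    ev = {"Vendor": "Linux", "Product": "System", "Facility": int(m["pri"]) // 8, "Severity": int(m["pri"]) % 8,
          "Host": m["host"], "Program": m["prog"], "Pid": m["pid"], "Message": m["msg"]}  # PRI = facility*8 + severity
    for pattern, event_class, fields, fixed in RULES.get(m["prog"], []):
        r = re.match(pattern, m["msg"])
        if r:
            ev["Event Class"] = event_class
            ev.update(zip(fields, r.groups()))  # named tags from the capture groups
            ev.update(fixed)                     # class-specific constants (MITRE id, action, result)
            break
    return ev

def escalations(lines):
    """(User, Runas User) pairs for events mapped to T1548, i.e. the input to the sudo/su triggers."""
    return [(e["User"], e["Runas User"]) for e in map(parse, lines) if e and e.get("MitreId") == "T1548"]
```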

Dashboards

| Dashboard | Description |
|---|---|
| Linux: Authentication | Auth events, failures, privilege escalation |
| Linux: System | Cron jobs, systemd services, system events |

Triggers

| Trigger | Description |
|---|---|
| Linux: MITRE ATT&CK Threat Detected | Any event with MITRE mapping |
| Linux: SSH Authentication Failure | SSH login failures (T1110) |
| Linux: Sudo Privilege Escalation | Successful sudo commands (T1548) |
| Linux: Su User Switch | Successful su commands (T1548) |
| Linux: Su Authentication Failure | Failed su attempts (T1110) |
| Linux: dzdo Privilege Escalation | Centrify dzdo granted (T1548) |
| Linux: Service Failed | Systemd service failures |
| Linux: Authentication Event | All auth class events |
| Linux: System Event | All system class events |