comasomedotcom-forensics.md

| Log Source | File/Log | Sample Command | Purpose/What You'll See |
|---|---|---|---|
| Nginx (Access) | /var/log/nginx/access.log | `tail -f /var/log/nginx/access.log` | Live/new web access requests |
| | | `less /var/log/nginx/access.log` | Browse/search whole log |
| | | `awk '{print $1}' /var/log/nginx/access.log \| sort \| uniq -c \| sort -nr \| head -20` | Top IPs by request count |
| | | `grep "404" /var/log/nginx/access.log` | List 404 errors |
| Nginx (Error) | /var/log/nginx/error.log | `tail -f /var/log/nginx/error.log` | See live Nginx errors |
| | | `less /var/log/nginx/error.log` | Browse/search error log |
| fail2ban | /var/log/fail2ban.log | `tail -f /var/log/fail2ban.log` | See bans/unbans in real time |
| | | `less /var/log/fail2ban.log` | Search/crawl entire fail2ban history |
| | fail2ban-client | `sudo fail2ban-client status` | See all jails and summary info |
| | | `sudo fail2ban-client status sshd` | See status and bans for the SSH jail |
| SSH (Auth) | /var/log/auth.log | `tail -f /var/log/auth.log` | Watch all authentication events live |
| | | `grep "Failed password" /var/log/auth.log` | Failed SSH logins |
| | | `grep "Accepted publickey" /var/log/auth.log` | SSH key-based logins |
| UFW Firewall | /var/log/ufw.log | `tail -f /var/log/ufw.log` | See UFW firewall activity live |
| | | `grep "BLOCK" /var/log/ufw.log` | Blocked packets |
| Systemd/Journald | journalctl (aggregates most logs) | `sudo journalctl -u nginx` | Nginx logs (including service restarts) |
| | | `sudo journalctl -u gunicorn-sechome` | Flask/Gunicorn service logs |
| | | `sudo journalctl -u fail2ban` | fail2ban service logs |
| | | `sudo journalctl -xe` | Recent system events/errors |
| Mail | /var/log/mail.log or /var/log/maillog | `tail -f /var/log/mail.log` | Outgoing/incoming mail messages and errors |
| Flask/Gunicorn | service/stdout (journal, systemd) | `sudo journalctl -u gunicorn-sechome` | Gunicorn service output/errors |
| | (if logging manually) | `tail -f /path/to/your/flask.log` | Flask app logs if file logging is enabled |

Tip:

  • Use less for full log browsing, tail -n N to see the last N lines, and grep for pattern search. Pipe (|) commands together as needed for more complex queries.
  • Replace gunicorn-sechome with your actual systemd service name if different.
  • Most commands work instantly in your Kitty/terminal, and you can combine them for more granular forensics (e.g., grep "POST" /var/log/nginx/access.log | less).
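Combining the `grep "Failed password"` row with the awk/sort/uniq top-IP pipeline from the Nginx row gives a per-source ranking of failed SSH logins, which is the same signal fail2ban's sshd jail acts on. This is an added example, not part of the original cheat sheet; the auth.log lines are constructed, and the ban threshold is an assumed value.

```shell
#!/bin/sh
# Added example: rank source IPs by failed SSH password attempts in an
# auth.log-style file and flag those at or above a threshold.
# The sample lines are constructed to match OpenSSH's usual
# "Failed password ... from <ip> port <n> ssh2" format.

SAMPLE_AUTH_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_AUTH_LOG"' EXIT
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Jan 10 03:14:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:03 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 03:14:05 host sshd[2203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 03:15:10 host sshd[2210]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructedfingerprint
Jan 10 03:16:44 host sshd[2215]: Failed password for deploy from 198.51.100.7 port 40100 ssh2
EOF

# failed_logins_by_ip FILE
# Prints "count ip" lines, most frequent first. The awk loop picks the
# field after "from" so it works for both "invalid user X" and plain
# "for root" variants of the message.
failed_logins_by_ip() {
    grep 'Failed password' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# flag_brute_force FILE THRESHOLD
# Prints only the IPs with at least THRESHOLD failures (assumed value;
# fail2ban's default maxretry is the real-world analogue).
flag_brute_force() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

echo "Failed SSH logins per source IP:"
failed_logins_by_ip "$SAMPLE_AUTH_LOG"
echo "Sources at or above 3 failures:"
flag_brute_force "$SAMPLE_AUTH_LOG" 3
```

On a live host, point the functions at /var/log/auth.log and compare the flagged IPs against `sudo fail2ban-client status sshd` to confirm the jail is actually banning them.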