Investigate failed SSH attempts and missing scheduled-task output
by reviewing common system logs under
/var/log
. Use targeted filtering and simple counting to quantify activity and
validate what happened.
The web server team reports two issues: repeated SSH login failures and
cron jobs that appear to run but do not produce expected output.
Your task is to review logs in
/var/log
to confirm what happened, isolate relevant entries, and quantify activity.
This is a fast triage workflow: verify the signal, collect evidence, and decide whether you are dealing with brute-force attempts, a misconfigured job, or a logging gap.
/var/log
and understanding what each log is for.
less
.
grep
.
tail -f
.
wc -l
to produce actionable numbers.
less /var/log/syslog
# OR (common on some distros)
less /var/log/messagesStart broad. General logs can confirm high-level events like service starts, session creation, and system state changes. This is also where you may spot related context (network flaps, daemon restarts, time sync issues).
Jul 19 13:45:33 logmon01 systemd[1]: Started Session 22 of user devstudent.
Jul 19 13:45:35 logmon01 sshd[1145]: Failed password for invalid user root from 192.168.1.5 port 58233 ssh2grep Failed /var/log/auth.log
# OR
cat /var/log/auth.log | grep Failed
Authentication logs are the source of truth for SSH failures.
Filtering on
Failed
is a quick way to confirm brute-force attempts, mis-typed credentials,
or invalid-user probes.
Jul 19 13:45:35 logmon01 sshd[1145]: Failed password for invalid user root from 192.168.1.5 port 58233 ssh2
Jul 19 13:46:02 logmon01 sshd[1148]: Failed password for devstudent from 10.0.2.15 port 49622 ssh2ls /var/log/cron*Cron activity is logged in different places depending on the distro and syslog/journald setup. This step confirms whether you have dedicated cron logs to inspect and whether they are rotated.
/var/log/cron
/var/log/cron.1cat /var/log/cronCron logs confirm that the scheduler executed a command under a specific user context. If a job “ran” but produced no result, this log helps you prove that cron triggered it, and then you can pivot to script permissions, paths, environment, or output redirection.
Jul 19 12:00:01 logmon01 CRON[1010]: (root) CMD (backup.sh)
Jul 19 12:05:01 logmon01 CRON[1022]: (devstudent) CMD (echo 'Hello from CRON')tail -f /var/log/syslog
# OR
tail -f /var/log/messagesLive monitoring is useful when you are reproducing a login attempt, restarting a service, or validating that an event is being written as expected. It gives you immediate feedback without repeatedly re-opening files.
Jul 19 14:01:55 logmon01 systemd[1]: Started Session 23 of user root.
Jul 19 14:01:57 logmon01 sshd[1222]: Accepted password for root from 192.168.1.5 port 58234 ssh2grep sshd /var/log/auth.log | wc -lCounting entries gives you a quick metric for reporting and escalation. This is not a perfect “attempts” counter (one attempt can generate multiple lines), but it is a useful first number when you are triaging under time pressure.
42/var/log
: Common location for traditional text-based logs (syslog, auth, cron, etc.).
less
: Interactive pager for reading large files efficiently (search with
/
and quit with
q
).
/var/log/syslog
/
/var/log/messages
: General system logging (file depends on distro/logging configuration).
/var/log/auth.log
: Authentication-related logs (SSH login failures/successes are often recorded here).
grep <pattern> <file>
: Filters lines matching a pattern, useful for narrowing log output quickly.
ls /var/log/cron*
: Confirms cron log files and rotated variants exist.
cat /var/log/cron
: Displays cron execution entries (what ran, when, and under which user).
tail -f <file>
: Follows a file as new lines are appended, useful for real-time monitoring.
wc -l
: Counts lines, often used with grep to quantify events in logs.