Skip to content

Linux Systems

Linux Systems


Just like Windows, iOS, and Mac OS, Linux is an operating system. In fact, one of the most popular platforms on the planet, Android, is powered by the Linux operating system. An operating system is software that manages all of the hardware resources associated with your desktop or laptop. To put it simply, the operating system manages the communication between your software and your hardware. Without the operating system (OS), the software wouldn't function.

The Linux operating system comprises several different pieces:

  • Bootloader - The software that manages the boot process of your computer. For most users, this will simply be a splash screen that pops up and eventually goes away to boot into the operating system.

  • Kernel – This is the one piece of the whole that is actually called Linux. The kernel is the core of the system and manages the CPU, memory, and peripheral devices. The kernel is the lowest level of the OS.

  • Init system – This is a sub-system that bootstraps the user space and is charged with controlling daemons. One of the most widely used init systems is systemd which also happens to be one of the most controversial. It is the init system that manages the boot process, once the initial booting is handed over from the bootloader (i.e., GRUB or GRand Unified Bootloader).

  • Daemons – These are background services (printing, sound, scheduling, etc.) that either start up during boot or after you log into the desktop.

  • Graphical server – This is the sub-system that displays the graphics on your monitor. It is commonly referred to as the X server or just X.

  • Desktop environment – This is the piece that the users actually interact with. There are many desktop environments to choose from (GNOME, Cinnamon, Mate, Pantheon, Enlightenment, KDE, Xfce, etc.). Each desktop environment includes built-in applications (such as file managers, configuration tools, web browsers, and games).

  • Applications – Desktop environments do not offer the full array of apps. Just like Windows and macOS, Linux offers thousands upon thousands of high-quality software titles that can be easily found and installed. Most modern Linux distributions (more on this below) include App Store-like tools that centralize and simplify application installation. For example, Ubuntu Linux has the Ubuntu Software Center (a rebrand of GNOME Software Figure 1) which allows you to quickly search among the thousands of apps and install them from one centralized location.

Product Details

Vendor URL: Linux Systems

Product Type: OS

Product Tier: Tier III

Integration Method: Syslog

Integration URL: Linux Systems - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON and Syslog

Expected Normalization Rate: 80-90%

Data Label: LINUX_OS

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
acct,principal.user.userid,userId,username principal.user.userid
action,desc security_result.description
additional.COMMAND,command,process target.process.command_line
additional.dest.dvchost,dvc,Hostname,relayHostname intermediary.hostname
additional.duser,target.user.userid,username target.user.userid
additional.file_name,additional.TTY,dev target.process.file.full_path
additional.PWD,process,ProcessName,name principal.process.file.full_path
command,comm principal.process.command_line
dstPort,targetPort target.port
dvc,Hostname,relayIp intermediary.ip
dvc,targetHostname,node target.hostname
dvc,targetIp target.ip
exe security_result.about.process.file.full_path
filepath,pwd target.file.full_path
metadata.description,action,SyslogMessage,type metadata.description
metadata.product_name,eventType,ProcessName,op metadata.product_event_type
outcome,hasing_algo,proto,reason security_result.summary
principal.hostname,dvc,srcHostName,Computer,source principal.hostname
principal.ip,dvc,srcIp,HostIP principal.ip
principal.port,srcPort principal.port
process target.application
process target.application
protocol network.ip_protocol
received_bytes network.received_bytes
security_result.action security_result.action
security_result.severity,log_level,SeverityLevel security_result.severity
sent_bytes network.sent_bytes
sessionId network.session_id
uid security_result.about.user.userid

Product Event Types

Event UDM Event Classification
all other events GENERIC_EVENT
LOGIN,USER_AUTH,USER_LOGIN,Authentication failed,Started,Starting,opened USER_LOGIN

Log Sample

2021-10-03T15:39:48-07:00 sysloghost systemd[1]: Started Session sessionid of user root.

Sample Parsing

metadata.event_timestamp = "2021-10-03T15:40:45.940124Z"
metadata.event_type = "USER_LOGIN"
metadata.product_name = "Unix OS"
metadata.ingested_timestamp = "2021-10-03T15:40:45.940124Z" = "sessionid"
principal.platform = "LINUX"
target.hostname = "sysloghost"
target.user.userid = "root" = "sessionid"
target.application = "systemd"
target.asset.hostname = "sysloghost"
intermediary.hostname = "sysloghost"
security_result.description = "Started"
extensions.auth.mechanism = "USERNAME_PASSWORD"

Parser Alerting

This product currently does not have any Parser-based Alerting


Coming Soon