---
title: "Enhanced linux visibility with Sumo Logic"
page_name: "Enhanced Linux visibility with Sumo Logic"
type: "blog"
slug: "enhanced-linux-visibility-with-sumo-logic"
published_at: "2023-11-28"
modified_at: "2025-05-21"
url: "https://www.sumologic.com/blog/enhanced-linux-visibility-with-sumo-logic"
canonical: "https://www.sumologic.com/blog/enhanced-linux-visibility-with-sumo-logic"
markdown_url: "https://www.sumologic.com/blog/enhanced-linux-visibility-with-sumo-logic.md"
lang: "en"
excerpt: "Sumo Logic provides best-in-class cloud monitoring, log management, Cloud SIEM tools, and real-time insights for web and SaaS based apps."
taxonomy_blog_category:
  - "Cloud SIEM"
  - "SecOps & Security"
---


# Enhanced Linux visibility with Sumo Logic

Anton Ovrutsky, Brandon Borodach

November 28, 2023

5 min read 

[Cloud SIEM](https://www.sumologic.com/blog/cloud-siem), [SecOps & Security](https://www.sumologic.com/blog/secops-security)


Effective and efficient logging is essential in any environment, and on Linux hosts this rings particularly true. In this post we'll look at why Linux logging is vital, the challenges customers commonly encounter with it, and how Sumo Logic's Cloud SIEM addresses those challenges with host-based audit telemetry.

## The need for Linux logging: A historical perspective

Since the early days of computing, logging has played a crucial role in system management and security. In the realm
 of Linux, which runs much of the backbone of the digital world, this is especially important. System logs provide not only
 a comprehensive view of what is happening within your Linux environment but also serve as a first line of defense
 against potential security threats: they are the record of user activity, system errors, and other key events.
 Without these logs, we are navigating the digital world blindfolded, vulnerable to threats we cannot see.

## Linux auditing challenges: The labyrinth unveiled

Despite the necessity of Linux logging, the path to effective auditing is often strewn with obstacles. One of the
 major challenges is the sheer volume of data produced. Linux systems generate a staggering amount of log data, which
 can be overwhelming to manage and analyze. Further, Linux log files are spread across different locations (syslog, the
 systemd journal, auditd, application logs), each with its own format, making consolidation and standardization a daunting task.

Also, as Linux is an open-source system, it is subject to continual updates and patches from its developer community.
 While this ensures Linux's robustness and adaptability, it presents an ever-changing landscape (new syscalls, new
 log formats, new daemons) that poses additional challenges for effective auditing.

## Illuminating the dark with Sumo Logic

At Sumo Logic, we understand the complexities and challenges inherent in Linux auditing. To navigate through this
 labyrinth, we’ve developed a sophisticated, market-leading SIEM solution that not only addresses these challenges but
 also provides actionable insights to enhance your system’s security posture.

## Linux defensive arts

Let's take a look at some techniques used by threat actors to attack Linux systems, how to simulate them, and how to find
 them in host telemetry. In order to perform these tests, we'll be utilizing the awesome [Atomic Red Team Framework](https://github.com/redcanaryco/atomic-red-team).

### T1556.003 Modify Authentication Process: Pluggable Authentication Modules

Modifying PAM configuration or PAM modules on Linux hosts can give threat actors a way to steal credentials as well as a way to
 persist on hosts. We can test this activity with the following:

```
Invoke-AtomicTest T1556.003
```

Using [Laurel telemetry](https://github.com/threathunters-io/laurel), which turns auditd events into one JSON record per line, we
 can then go ahead and search for this activity. The query below keys on the first PATH record naming the /etc/pam.d directory
 itself; that record only exists if an auditd rule covers the directory, so confirm your audit rules (for example a watch on
 /etc/pam.d) before relying on this search:

```
  _sourceName="/var/log/laurel/audit.log"
  | where %"path[0].name" = "/etc/pam.d/"
  | values(%"proctitle.argv") as arguments by %"syscall.ppid.exe"
```

And the results:

### T1014 Rootkit

Rootkits are very dangerous for defenders because they can blind existing security controls on Linux hosts (the very
 telemetry this post relies on) and provide threat actors with deep persistence mechanisms.

We can go ahead and run the atomic test for this with the following command: `Invoke-AtomicTest T1014`

Sumo Logic’s Cloud SIEM is able to normalize and parse the Laurel telemetry and has existing coverage for this
 technique:

### T1548.003 Abuse elevation control mechanism: Sudo and sudo caching

This test suite modifies the sudo configuration on Linux hosts, something that is definitely worth
 monitoring for and alerting on. We can run the test that changes the sudo credential cache timeout on a Linux host with the
 following command: `Invoke-AtomicTest T1548.003 -TestNumbers 2`

We can then go ahead and look for this activity:

```
  _sourceName="/var/log/laurel/audit.log" 
  | %"execve.argv" as args
  | %"path[0].name" as path
  | where args matches /(/etc/sudoers)/
  | where args matches /(timestamp_timeout)/
  | values(%"execve.argv") as arguments by path  
```

And looking at the results:

### T1070.002 – Indicator removal on host: Clear Linux or Mac system logs

Indicator removal on a host, and tampering with or clearing security telemetry in general, is definitely something that
 security teams should be on the lookout for and be constantly testing. If it is not legitimate activity (log rotation,
 a scheduled cleanup job), this can be a very high-fidelity signal that something suspicious is occurring in the environment.

Once again, we can test this using the following: `Invoke-AtomicTest T1070.002 -TestNumbers 13`

We can then go ahead and look for this activity:

```
 _sourceName="/var/log/laurel/audit.log" 
  | %"execve.argv" as args
  | %"path[0].name" as path
  | if(args matches /(rm /var/log/journal)/,1,0) as journal_removal
  | if(args matches /(journalctl --vacuum-time=0)/,1,0) as journal_clear
  | where journal_removal = "1" or journal_clear = "1"
  | values(%"execve.argv") as arguments by path
```

This query has two if statements within it: one for the outright removal of the journal files under /var/log/journal, and
 a second for setting the vacuum time via journalctl to 0 which, as the Atomic test states, clears the journal entries while
 keeping the journal file in place. Note that the first pattern is a literal `rm /var/log/journal`, so a recursive
 `rm -rf /var/log/journal` would need a looser pattern.

And the results:
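The three Sumo Logic searches above (the PAM directory write under T1556.003, the sudoers `timestamp_timeout` change under T1548.003, and the journal clearing under T1070.002) can be reproduced offline against the raw Laurel JSON lines, which is handy for validating detection logic before it is pushed to the SIEM. The following is an added example and is not Sumo Logic's code or Laurel's; the sample records are constructed, and the key layout they use (`SYSCALL.PPID.exe`, `EXECVE.ARGV`, `PROCTITLE.ARGV`, `PATH[].name`) is our understanding of Laurel's output and should be checked against a real `/var/log/laurel/audit.log`. The journal patterns are deliberately broader than the literal ones in the query so that `rm -rf` and extra `journalctl` options are caught.

```python
"""Offline versions of the three Laurel-based detections in this post
(T1556.003 PAM writes, T1548.003 sudoers timestamp_timeout changes,
T1070.002 journal clearing). Added example, not Sumo Logic's code."""
import json
import re

# Constructed sample records, one JSON object per line, trimmed to the fields
# the detections read. Key layout assumed to follow Laurel's output; verify
# against your own /var/log/laurel/audit.log before relying on it.
SAMPLE_LOG = r'''
{"ID":"1700000001.100:101","SYSCALL":{"SYSCALL":"openat","exe":"/usr/bin/bash","PPID":{"exe":"/usr/sbin/sshd"}},"PATH":[{"item":0,"name":"/etc/pam.d/","nametype":"PARENT"},{"item":1,"name":"/etc/pam.d/su-l","nametype":"NORMAL"}],"PROCTITLE":{"ARGV":["bash","-c","echo '# test' >> /etc/pam.d/su-l"]}}
{"ID":"1700000002.200:102","SYSCALL":{"SYSCALL":"execve","exe":"/usr/bin/sed","PPID":{"exe":"/usr/bin/bash"}},"EXECVE":{"ARGV":["sed","-i","s/timestamp_timeout=15/timestamp_timeout=-1/","/etc/sudoers"]},"PATH":[{"item":0,"name":"/usr/bin/sed","nametype":"NORMAL"}]}
{"ID":"1700000003.300:103","SYSCALL":{"SYSCALL":"execve","exe":"/usr/bin/journalctl","PPID":{"exe":"/usr/bin/bash"}},"EXECVE":{"ARGV":["journalctl","--vacuum-time=0"]},"PATH":[{"item":0,"name":"/usr/bin/journalctl","nametype":"NORMAL"}]}
{"ID":"1700000004.400:104","SYSCALL":{"SYSCALL":"execve","exe":"/usr/bin/rm","PPID":{"exe":"/usr/bin/bash"}},"EXECVE":{"ARGV":["rm","-rf","/var/log/journal"]},"PATH":[{"item":0,"name":"/usr/bin/rm","nametype":"NORMAL"}]}
{"ID":"1700000005.500:105","SYSCALL":{"SYSCALL":"execve","exe":"/usr/bin/cat","PPID":{"exe":"/usr/bin/bash"}},"EXECVE":{"ARGV":["cat","/etc/passwd"]},"PATH":[{"item":0,"name":"/usr/bin/cat","nametype":"NORMAL"}]}
'''


def parse_laurel(text):
    """Yield one dict per non-empty JSON line. A line that fails to parse
    (typically a truncated tail of a rotated log) is skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def command_line(rec):
    """Rebuild the command line from EXECVE.ARGV, falling back to PROCTITLE.ARGV
    for non-execve syscalls (e.g. the openat that writes a PAM file)."""
    argv = ((rec.get("EXECVE") or {}).get("ARGV")
            or (rec.get("PROCTITLE") or {}).get("ARGV") or [])
    return " ".join(argv)


def parent_exe(rec):
    """Parent process image, as used for the 'by' grouping in the PAM query."""
    return ((rec.get("SYSCALL") or {}).get("PPID") or {}).get("exe", "")


def detect_pam_write(rec):
    """T1556.003: any PATH entry that is the /etc/pam.d directory or a file in it.
    The post keys on path[0] only; checking every item also catches renames."""
    for item in rec.get("PATH") or []:
        name = item.get("name", "")
        if name.rstrip("/") == "/etc/pam.d" or name.startswith("/etc/pam.d/"):
            return "pam_dir_write"
    return None


def detect_sudo_timeout_change(rec):
    """T1548.003 test 2: a command line naming /etc/sudoers and timestamp_timeout."""
    cmd = command_line(rec)
    if "/etc/sudoers" in cmd and "timestamp_timeout" in cmd:
        return "sudoers_timeout"
    return None


# Broader than the post's literal patterns: tolerate rm flags and extra options.
JOURNAL_REMOVAL = re.compile(r"\brm\b.*\s/var/log/journal(\s|$)")
JOURNAL_CLEAR = re.compile(r"\bjournalctl\b.*--vacuum-time=0(\s|$)")


def detect_journal_clear(rec):
    """T1070.002: removal of the journal directory or vacuuming it to nothing."""
    cmd = command_line(rec)
    if JOURNAL_REMOVAL.search(cmd):
        return "journal_removal"
    if JOURNAL_CLEAR.search(cmd):
        return "journal_clear"
    return None


DETECTIONS = (
    ("T1556.003", detect_pam_write),
    ("T1548.003", detect_sudo_timeout_change),
    ("T1070.002", detect_journal_clear),
)


def run_detections(text):
    """Return one hit per (record, technique) with the same fields the post's
    queries surface: which signal fired, the parent exe and the arguments."""
    hits = []
    for rec in parse_laurel(text):
        for technique, check in DETECTIONS:
            signal = check(rec)
            if signal:
                hits.append({"id": rec.get("ID"), "technique": technique,
                             "signal": signal, "parent_exe": parent_exe(rec),
                             "arguments": command_line(rec)})
    return hits


if __name__ == "__main__":
    for hit in run_detections(SAMPLE_LOG):
        print(hit)
```

Running the script prints four hits for the five constructed records: the `cat /etc/passwd` line matches nothing, which is the kind of negative case worth keeping in a detection test set so that a pattern change does not silently start matching benign activity.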

### T1496 – Resource hijacking 

For this test, we’ll use the [Mythic](https://github.com/its-a-feature/Mythic) C2 framework on our test machine in order to establish a command and control connection
 between our host and C2 server. We will then download and execute Xmrig on the host:

At this point, we could go ahead and look at Laurel telemetry for process information containing either our C2
 payload or the Xmrig process. However, the keyword here is resources. In other words, we also need a way to monitor and
 alert on the resource utilization of our host in order to fully cover this technique, independent of what the miner
 binary is called.

Thankfully Sumo Logic’s [OpenTelemetry collector for Linux](https://help.sumologic.com/docs/integrations/hosts-operating-systems/opentelemetry/linux-opentelemetry/) provides defenders with the ability to collect
 metrics data from hosts, in addition to log data.

We can use the Sumo Logic [Metrics Explorer](https://help.sumologic.com/docs/metrics/metrics-queries/metrics-explorer/) to build a metrics query similar to the following:

And looking at the results:

We can see that an outlier has been detected for our Xmrig process – from here we can start an investigation and work
 backwards utilizing our host-based telemetry.
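The outlier logic the metrics query relies on is easy to reason about in isolation. The following is an added example, not Sumo Logic's implementation of its outlier operator: a sliding-window detector in the same spirit, run over a constructed per-process CPU series (not real telemetry) where a process turns into a miner part-way through. The two edge cases a practitioner hits first are handled explicitly: a flat baseline whose standard deviation is zero, which would otherwise alert on any change, and the attack itself poisoning the baseline, which is avoided by excluding anomalous points from the window. The parameter names (`window`, `threshold`, `consecutive`, `min_sigma`) are our own.

```python
"""Sliding-window outlier detection for a per-process CPU series.
Added example in the spirit of a SIEM metrics 'outlier' operator; this is
a simplification we wrote, not Sumo Logic's implementation."""
from statistics import mean, pstdev

# Constructed samples (% of one core, one per minute) for a process that
# starts mining at minute 12. Not real telemetry.
XMRIG_CPU = [3.1, 2.8, 3.4, 2.9, 3.0, 3.3, 2.7, 3.2, 3.1, 2.9, 3.0, 3.2,
             96.5, 97.8, 98.1, 97.4, 98.0, 97.9]


def outliers(series, window=10, threshold=3.0, consecutive=2, min_sigma=0.5):
    """Compare each point with the mean and population stddev of the last
    `window` non-anomalous points. A point above mean + threshold*sigma is
    anomalous; an alert fires at the first point where `consecutive`
    anomalies occur in a row. Anomalous points are kept out of the baseline
    so a sustained spike cannot raise the bar for itself, and sigma is
    floored at `min_sigma` so a perfectly flat baseline does not alert on
    noise. Returns the anomalous indices and the alert index (or None)."""
    clean = []        # baseline candidates: points that were not anomalous
    anomalies = []
    alert_at = None
    run = 0
    for i, value in enumerate(series):
        if len(clean) < window:
            clean.append(value)   # warm-up: the first `window` points seed the baseline
            continue
        baseline = clean[-window:]
        mu = mean(baseline)
        sigma = max(pstdev(baseline), min_sigma)
        if value > mu + threshold * sigma:
            anomalies.append(i)
            run += 1
            if run == consecutive and alert_at is None:
                alert_at = i
        else:
            clean.append(value)
            run = 0
    return {"anomalies": anomalies, "alert_at": alert_at}


if __name__ == "__main__":
    print(outliers(XMRIG_CPU))
```

On the constructed series the alert fires at index 13, the second consecutive high sample, rather than on the first spike; the `consecutive` parameter is what keeps a single short-lived burst (a compile job, a backup) from paging anyone, at the cost of one sample of latency.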

## The future of Linux logging

Security Information and Event Management (SIEM) systems are pivotal in detecting and managing attacks, and Linux,
 given its robustness and ubiquity in enterprise environments, is a large part of what they need to cover. It is worth
 highlighting how much better SIEM solutions have become at pinpointing abnormal activity and potential breaches within
 Linux systems.

Current SIEM development focuses on real-time analysis of the security telemetry generated by hosts and applications,
 which matters for Linux environments in particular. Combining better analytics with faster response is what mitigates
 the multifaceted and ever-evolving threats, and it points toward a future where Linux logging is more intuitive,
 adaptive and, most importantly, secure.

The future will likely see the intertwining of AI and machine learning with SIEM solutions to facilitate the
 prediction and prevention of attacks on Linux systems, making Linux logging more proactive and intelligent than ever
 before. Sumo is embracing this intertwining of AI and machine learning with SIEM by providing what we call, [Global Confidence scores](https://help.sumologic.com/docs/cse/records-signals-entities-insights/global-intelligence-security-insights/#what-is-a-global-confidence-score).

At Sumo Logic, we’re committed to guiding you through the labyrinth of Linux logging and auditing. We offer not just
 a product, but a partnership, providing the technical expertise and support you need to secure your Linux environment
 effectively.

We invite you to discover how Sumo Logic can transform your Linux logging and auditing experience. [Get in touch](https://www.sumologic.com/request-demo/) with our technical
 team to learn more, or if you’re interested in trying our strategies within your own systems. Let us help you bring
 light to the dark, enhancing visibility and security in your Linux environment.

[Learn more about threat hunting on Linux endpoints](https://www.sumologic.com/blog/threat-labs-cloud-theft-linux-credentials/).

### Article Tags

- [Cloud SIEM](https://www.sumologic.com/blog/cloud-siem)
- [SecOps & Security](https://www.sumologic.com/blog/secops-security)

Anton Ovrutsky

Senior Threat Research Engineer

Anton Ovrutsky leverages his 10+ years of expertise and experience as a BSides Toronto speaker, C3X volunteer, and an OSCE, OSCP, CISSP, CSSP and KCNA certificate holder in his role at Sumo Logic’s Threat Labs. He enjoys the defensive aspects of cybersecurity and loves logs and queries. When not diving into the details of security, he enjoys listening to music and cycling.

 

Brandon Borodach

Senior Solutions Engineer

Brandon started his career with cyber intelligence work at his local fusion center. After a few years in the public sector, he transitioned to the private sector to work for an MSSP. There, he learned several SIEMs, including Sumo Logic, where he built detection content.

His passions center on technology, security, and how advanced threats constantly evolve their attack vectors. Outside of work, Brandon enjoys hiking, traveling, and reading.

