Ubuntu: Does Ubuntu log when USB devices are connected?



Question:

When I connect a USB drive to an Ubuntu OS, would there be a text file which contains details of that connection and if so, where is that file located? What is the name of that file?


Solution:1

Does Ubuntu log when USB devices are connected?

Yes, Ubuntu logs when a USB device is connected. The file is /var/log/syslog. You can also view it by issuing the command dmesg -c or graphically using Log file viewer.

Is this file deleted upon shutdown?

No, this log does not get wiped upon shutdown. After a size limit is reached the logs are rotated, meaning new logs are continually written to /var/log/syslog while older records are pushed to compressed files named /var/log/syslog.1.gz, syslog.2.gz, ... in the same /var/log directory.

You can view the /var/log directory with rotated log files below:



Solution:2

The area I look at is:

sudo cat /var/log/kern.log | grep usb  

The output would look like the following:

May 25 07:38:51 mycomputer kernel: [  607.296847] scsi7 : usb-storage 3-1:1.0
May 25 07:38:54 mycomputer kernel: [  609.790892] usb 3-2: new high-speed USB device number 3 using xhci_hcd
May 25 07:38:54 mycomputer kernel: [  609.817462] usb 3-2: ep 0x81 - rounding interval to 32768 microframes, ep desc says 0 microframes
May 25 07:38:54 mycomputer kernel: [  609.817474] usb 3-2: ep 0x2 - rounding interval to 32768 microframes, ep desc says 0 microframes
May 25 07:38:54 mycomputer kernel: [  609.818399] usb-storage 3-2:1.0: Quirks match for vid 13fe pid 3600: 4000
May 25 07:38:54 mycomputer kernel: [  609.818529] scsi8 : usb-storage 3-2:1.0

There are also compressed logs for kern.log. You can search those with the following command:

sudo zcat /var/log/kern.log.2.gz | grep usb  

The output would be in the same format as the example above.

You can also search the syslog as follows:

sudo cat /var/log/syslog.1 | grep usb  

This gives you results that look like this:

May 25 07:31:25 tardis-w520 kernel: [  161.469096] usb 1-1.5.5: new high-speed USB device number 8 using ehci_hcd
May 25 07:31:25 tardis-w520 mtp-probe: checking bus 1, device 8: "/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.5/1-1.5.5"
May 25 07:31:25 tardis-w520 kernel: [  161.658587] scsi6 : usb-storage 1-1.5.5:1.0
May 25 07:31:25 tardis-w520 kernel: [  161.658685] usbcore: registered new interface driver usb-storage
May 25 07:31:25 tardis-w520 kernel: [  161.795563] usbcore: registered new interface driver uas
May 25 07:38:51 tardis-w520 kernel: [  607.268280] usb 3-1: new high-speed USB device number 2 using xhci_hcd
May 25 07:38:51 tardis-w520 kernel: [  607.293280] usb 3-1: ep 0x81 - rounding interval to 32768 microframes, ep desc says 0 microframes
May 25 07:38:51 tardis-w520 kernel: [  607.293292] usb 3-1: ep 0x2 - rounding interval to 32768 microframes, ep desc says 0 microframes

To list the .gz log files you would:

sudo zcat /var/log/syslog.2.gz | grep usb  

The resulting output would be in the same format as the previous.

If this is for forensics purposes there may be a better way.
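
Added example (not part of either answer above): a small Python parser that turns the kernel lines shown in Solution 2 into one record per USB connection and reads both plain and rotated .gz logs. The function names read_lines and usb_events are hypothetical, and the regular expressions assume the message formats quoted above.

```python
import gzip
import re

# Lines copied from the kern.log output quoted in Solution 2 above.
SAMPLE = """\
May 25 07:38:51 mycomputer kernel: [  607.296847] scsi7 : usb-storage 3-1:1.0
May 25 07:38:54 mycomputer kernel: [  609.790892] usb 3-2: new high-speed USB device number 3 using xhci_hcd
May 25 07:38:54 mycomputer kernel: [  609.818399] usb-storage 3-2:1.0: Quirks match for vid 13fe pid 3600: 4000
May 25 07:38:54 mycomputer kernel: [  609.818529] scsi8 : usb-storage 3-2:1.0
"""

# Syslog prefix, e.g. "May 25 07:38:54 host kernel: [  609.790892] "
PREFIX = r"(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) kernel: \[\s*[\d.]+\] "
NEW_DEV = re.compile(PREFIX + r"usb (?P<port>[\d.-]+): new (?P<speed>\S+) USB device "
                     r"number (?P<num>\d+) using (?P<hcd>\S+)")
QUIRK = re.compile(PREFIX + r"usb-storage (?P<port>[\d.-]+):\S+ Quirks match for "
                   r"vid (?P<vid>[0-9a-f]{4}) pid (?P<pid>[0-9a-f]{4})")
STORAGE = re.compile(PREFIX + r"scsi\d+ : usb-storage (?P<port>[\d.-]+):")


def read_lines(path):
    """Yield lines from a plain log (kern.log) or a rotated one (kern.log.2.gz)."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        yield from fh


def usb_events(lines):
    """Return one record per 'new ... USB device' line, enriched by later lines."""
    events, by_port = [], {}
    for line in lines:
        if m := NEW_DEV.match(line):
            ev = {"time": m["ts"], "host": m["host"], "port": m["port"],
                  "devnum": int(m["num"]), "hcd": m["hcd"],
                  "vid_pid": None, "storage": False}
            events.append(ev)
            by_port[m["port"]] = ev  # a reconnect on the same port replaces it
        elif (m := QUIRK.match(line)) and m["port"] in by_port:
            by_port[m["port"]].update(vid_pid=f"{m['vid']}:{m['pid']}", storage=True)
        elif (m := STORAGE.match(line)) and m["port"] in by_port:
            by_port[m["port"]]["storage"] = True
        # usb-storage lines whose connect line is outside the input are skipped
    return events


if __name__ == "__main__":
    for event in usb_events(SAMPLE.splitlines()):
        print(event)
```

These syslog timestamps carry no year, so when reading rotated files keep the file's modification time alongside the parsed records.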

