On systemd systems, start with the journal:
sudo journalctl -p warning -b
sudo journalctl -u ssh -S "today"
If you want persistent logs across reboots, set journald storage to persistent in /etc/systemd/journald.conf:
Storage=persistent
Then restart:
sudo systemctl restart systemd-journald
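A quick way to confirm the setting took effect, as an added example that is not part of the original guide: the script below reads the main journald.conf and any drop-ins under journald.conf.d the way systemd does (main file first, drop-ins in sorted name order, last assignment wins) and reports the effective Storage= value. Storage=auto only persists when /var/log/journal exists, so the second function checks for that too. The file paths are passed as arguments so it can be run against copies of the configuration.

```shell
#!/bin/sh
# Added example (not from the original guide): work out the Storage= value
# journald will actually use, reading the main file and any drop-ins the way
# systemd does: main file first, then *.conf drop-ins in sorted name order,
# last assignment wins. Paths are arguments so it can run against copies.
effective_journald_storage() {
    main_conf="$1"                 # normally /etc/systemd/journald.conf
    dropin_dir="$2"                # normally /etc/systemd/journald.conf.d
    value="auto"                   # journald's built-in default
    for f in "$main_conf" "$dropin_dir"/*.conf; do
        [ -r "$f" ] || continue    # unmatched glob or missing file
        # Last uncommented Storage= line in this file wins; '#Storage=' lines are skipped.
        v=$(sed -n 's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*//p' "$f" \
            | sed 's/[[:space:]]*$//' | tail -n 1)
        [ -n "$v" ] && value="$v"
    done
    printf '%s\n' "$value"
}

# Storage=auto only persists when the journal directory exists, so check both.
journal_is_persistent() {
    storage=$(effective_journald_storage "$1" "$2")
    journal_dir="${3:-/var/log/journal}"
    case "$storage" in
        persistent) return 0 ;;
        auto)       [ -d "$journal_dir" ] ;;
        *)          return 1 ;;
    esac
}

# Stand-alone use on a host: print the effective value and a verdict.
printf 'effective Storage=%s\n' \
    "$(effective_journald_storage /etc/systemd/journald.conf /etc/systemd/journald.conf.d)"
journal_is_persistent /etc/systemd/journald.conf /etc/systemd/journald.conf.d \
    && echo "journal is persistent" || echo "journal is NOT persistent"
```

Run it after the restart above; if it reports volatile, look for a drop-in that overrides your edit, since a later drop-in file silently wins over the main file.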
sudo apt install logwatch
sudo logwatch --detail high --range today
auditd is useful on regulated systems and for incident response.
sudo apt install auditd audispd-plugins
sudo systemctl enable --now auditd
sudo systemctl status auditd
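auditd does nothing useful until it has rules. The following is an added example, not part of the original guide, that writes a small baseline rules file and lints it: watches on the identity and privilege files, on sshd_config and on the audit configuration itself, plus one syscall rule for commands executed as root. Every rule carries a -k key so that ausearch -k can pull the matching events during an investigation. The file name 50-baseline.rules and the choice of watched paths are assumptions; adjust them to the system.

```shell
#!/bin/sh
# Added example (not from the original guide): write a baseline rules file
# for auditd and lint it. Rule syntax is auditctl's; the file name
# 50-baseline.rules and the watched paths are assumptions.
write_audit_baseline() {
    rules_dir="${1:-/etc/audit/rules.d}"
    cat > "$rules_dir/50-baseline.rules" <<'EOF'
## Baseline audit rules (added example). -D must come first: it flushes old rules.
-D
## Kernel buffer size and failure mode (1 = printk on failure, 2 = panic)
-b 8192
-f 1
## Identity and privilege files: every write or attribute change is keyed
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d/ -p wa -k privilege
## Service and audit configuration
-w /etc/ssh/sshd_config -p wa -k sshd
-w /etc/audit/ -p wa -k auditconfig
## Commands executed with effective uid 0 on 64-bit systems
-a always,exit -F arch=b64 -S execve -F euid=0 -k root_exec
## -e 2 locks the rules until reboot; keep -e 1 while still tuning them
-e 1
EOF
}

# Number of watch (-w) and syscall (-a) rules in a file.
audit_rule_count() {
    grep -cE '^-(w|a) ' "$1"
}

# Lint: -D must be the first active line, and every -w/-a rule needs a -k key,
# otherwise ausearch -k cannot find its events later.
lint_audit_rules() {
    file="$1"
    first=$(grep -Ev '^[[:space:]]*(#|$)' "$file" | head -n 1)
    if [ "$first" != "-D" ]; then
        echo "first active line should be -D, got: $first" >&2
        return 1
    fi
    bad=$(grep -E '^-(w|a) ' "$file" | grep -v -- ' -k ' || true)
    if [ -n "$bad" ]; then
        echo "rules without a -k key:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage on the host (as root), then load and verify:
#   write_audit_baseline && lint_audit_rules /etc/audit/rules.d/50-baseline.rules
#   augenrules --load && auditctl -l
#   ausearch -k identity -i    # events keyed by the identity rules
case "${1:-}" in
    install) write_audit_baseline "${2:-}" && lint_audit_rules "${2:-/etc/audit/rules.d}/50-baseline.rules" ;;
esac
```

augenrules merges everything in /etc/audit/rules.d/ in file-name order, which is why the baseline file deletes existing rules with -D first and why the lock flag (-e) goes at the end.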
sudo apt install aide
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide --check
Schedule periodic checks (cron/systemd) and alert on differences.
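One way to do the scheduling and alerting, as an added example that is not the AIDE project's own code: a wrapper that runs aide --check, keeps the report, classifies AIDE's exit status and raises an alert through syslog (and mail, if a mailer is installed) whenever something changed, together with the systemd service and timer that run it daily. AIDE's exit status is a bitmask: 0 means no change, 1 files added, 2 files removed, 4 files changed (combined by addition, so 5 means added and changed), and 14 and above signal an error. The script path /usr/local/sbin/aide-check.sh, the report directory /var/log/aide and the unit names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): wrapper for a scheduled
# `aide --check` plus the systemd units to run it daily. AIDE's exit status
# is a bitmask: 0 no change, 1 added, 2 removed, 4 changed (combined by
# addition), 14 and above an error. Script path, log directory and unit
# names below are assumptions.
aide_status_text() {
    rc="$1"
    if [ "$rc" -eq 0 ]; then echo "no changes"; return 0; fi
    if [ "$rc" -gt 7 ]; then echo "aide error (exit $rc)"; return 2; fi
    msg=""
    [ $((rc & 1)) -ne 0 ] && msg="$msg added"
    [ $((rc & 2)) -ne 0 ] && msg="$msg removed"
    [ $((rc & 4)) -ne 0 ] && msg="$msg changed"
    echo "files$msg"            # e.g. "files added changed" for exit 5
    return 1                    # a difference was found
}

run_aide_check() {
    log_dir="${1:-/var/log/aide}"
    mkdir -p "$log_dir"
    report="$log_dir/check-$(date +%Y%m%d-%H%M%S).txt"
    if aide --check > "$report" 2>&1; then rc=0; else rc=$?; fi
    status=$(aide_status_text "$rc")
    if [ "$rc" -eq 0 ]; then
        logger -t aide-check -p auth.info "AIDE: $status"
    else
        logger -t aide-check -p auth.warning "AIDE: $status, report in $report"
        # Mail the report to root if a mailer exists (change the recipient as needed).
        if command -v mail >/dev/null 2>&1; then
            mail -s "AIDE: $status on $(hostname)" root < "$report"
        fi
    fi
    return "$rc"
}

# Service and timer units; the service runs this script with "run".
write_aide_timer_units() {
    unit_dir="${1:-/etc/systemd/system}"
    cat > "$unit_dir/aide-check.service" <<'EOF'
[Unit]
Description=AIDE file integrity check

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/aide-check.sh run
Nice=19
IOSchedulingClass=idle
EOF
    cat > "$unit_dir/aide-check.timer" <<'EOF'
[Unit]
Description=Run the AIDE file integrity check daily

[Timer]
OnCalendar=daily
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# Usage: install as /usr/local/sbin/aide-check.sh, then
#   sudo aide-check.sh install && sudo systemctl daemon-reload
#   sudo systemctl enable --now aide-check.timer
case "${1:-}" in
    run)     run_aide_check ;;
    install) write_aide_timer_units ;;
esac
```

After a legitimate change (package upgrade, config edit) the check will keep alerting until the database is refreshed with aide --update and the new database copied into place as in the steps above; treat each alert as either an expected update or an incident, never as noise to be silenced.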
sudo apt install lynis
sudo lynis audit system
Treat the report as a backlog: apply a change, re-run Lynis, and verify you did not break production requirements.
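To work the report as a backlog rather than re-reading the console output, the following added example (not part of Lynis or of the original guide) parses /var/log/lynis-report.dat, which Lynis writes with one warning[]=ID|description|details|... or suggestion[]=ID|... line per finding, into a warnings-first list, and compares the test IDs of two reports so that after a change you can see exactly which findings were resolved. The sample report in the test is constructed, not real Lynis output.

```shell
#!/bin/sh
# Added example (not from the original guide): turn /var/log/lynis-report.dat
# into a backlog and show which findings a change resolved. Lynis writes one
# "warning[]=ID|description|details|..." or "suggestion[]=ID|..." line per
# finding; any sample report used with this script is constructed.
lynis_backlog() {
    report="${1:-/var/log/lynis-report.dat}"
    awk -F'|' '
        /^warning\[\]=/    { kind = "WARN" }
        /^suggestion\[\]=/ { kind = "SUGG" }
        /^(warning|suggestion)\[\]=/ {
            split($1, a, "=")                       # a[2] is the test ID
            detail = ($3 == "" || $3 == "-") ? "" : " [" $3 "]"
            printf "%s %s %s%s\n", kind, a[2], $2, detail
        }' "$report" | sort -s -k1,1r               # warnings first, file order otherwise
}

# Sorted, unique test IDs that appear as a warning or suggestion in a report.
lynis_ids() {
    awk -F'|' '/^(warning|suggestion)\[\]=/ { split($1, a, "="); print a[2] }' "$1" | sort -u
}

# IDs present in the old report but absent from the new one: what the change fixed.
lynis_resolved() {
    old=$(mktemp); new=$(mktemp)
    lynis_ids "$1" > "$old"
    lynis_ids "$2" > "$new"
    comm -23 "$old" "$new"
    rm -f "$old" "$new"
}

# Usage: copy the report before a change, apply it, re-run Lynis, then
#   lynis-backlog.sh resolved /root/lynis-before.dat /var/log/lynis-report.dat
# (the script name and the saved-report path are assumptions).
case "${1:-}" in
    backlog)  lynis_backlog "${2:-}" ;;
    resolved) lynis_resolved "$2" "$3" ;;
esac
```

Running lynis_resolved the other way round (new report first) lists findings that a change introduced, which is the regression check worth doing before the change reaches production.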