SOC Logs
Standard Security Onion Console (SOC) logs can be found at /opt/so/log/soc/.
SOC Auth Logs
SOC auth is handled by Kratos and you can read more about that at https://github.com/ory/kratos. SOC auth logs can be found at /opt/so/log/kratos/. To look for successful SOC logins, you can run the following:
sudo zgrep "Identity authenticated successfully and was issued an Ory Kratos Session Cookie" /opt/so/log/kratos/*
Those logs should be ingested into Elasticsearch and available for searching in Dashboards, Hunt, and Kibana. Both Dashboards and Hunt have pre-defined queries for SOC auth logs.

identity_id
Once you see the auth logs, you will notice that the login is logged as identity_id. You can find your desired identity_id as follows, replacing USERNAME@DOMAIN.COM with your desired SOC username:
echo "select * from identities;" | sudo sqlite3 /nsm/kratos/db/db.sqlite |grep USERNAME@DOMAIN.COM | cut -d\| -f1
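The two commands above find successful logins and map an identity_id to a username by hand. The following script, added here as an example and not part of the Security Onion documentation or the Kratos project, ties the two steps together: it pulls the identity_id out of each successful-login line, tallies logins per identity, and resolves each id against a lookup table. Both the log lines and the id-to-email table are constructed; the JSON field name identity_id is assumed to match the Kratos log layout on your deployment, and the table stands in for the sqlite3 query so the script runs offline. Pointing the functions at /opt/so/log/kratos/* and the real database output is left to the reader.

```shell
#!/bin/bash
# Added example (not from the Security Onion docs or Kratos): correlate successful
# SOC logins with usernames. Everything below is constructed sample data.

# CONSTRUCTED Kratos-style audit lines. The real layout may carry more fields;
# only "msg" and "identity_id" are relied on here.
SAMPLE_LOGS='{"audience":"audit","identity_id":"1111-aaaa","level":"info","msg":"Identity authenticated successfully and was issued an Ory Kratos Session Cookie","time":"2024-01-01T10:00:00Z"}
{"audience":"audit","identity_id":"1111-aaaa","level":"error","msg":"Encountered self-service login error.","time":"2024-01-01T10:05:00Z"}
{"audience":"audit","identity_id":"2222-bbbb","level":"info","msg":"Identity authenticated successfully and was issued an Ory Kratos Session Cookie","time":"2024-01-01T11:00:00Z"}
{"audience":"audit","identity_id":"1111-aaaa","level":"info","msg":"Identity authenticated successfully and was issued an Ory Kratos Session Cookie","time":"2024-01-02T09:00:00Z"}
{"audience":"audit","identity_id":"2222-bbbb","level":"info","msg":"Session was revoked.","time":"2024-01-02T09:30:00Z"}'

# CONSTRUCTED "identity_id|email" table standing in for the output of
#   echo "select * from identities;" | sudo sqlite3 /nsm/kratos/db/db.sqlite
# The real rows have more columns; the id is the first pipe-delimited field.
IDENTITY_MAP='1111-aaaa|alice@example.com
2222-bbbb|bob@example.com'

SUCCESS_MSG='Identity authenticated successfully and was issued an Ory Kratos Session Cookie'

# Read log lines on stdin, print the identity_id of every successful login.
extract_success_ids() {
  grep -F "$SUCCESS_MSG" | sed -n 's/.*"identity_id":"\([^"]*\)".*/\1/p'
}

# Number of successful logins in the sample data.
count_successful_logins() {
  printf '%s\n' "$SAMPLE_LOGS" | extract_success_ids | wc -l | tr -d ' '
}

# Map one identity_id to its email; unknown ids are reported, not dropped,
# so an id with no matching row still shows up in the tally.
resolve_identity() {
  printf '%s\n' "$IDENTITY_MAP" \
    | awk -F'|' -v id="$1" '$1 == id { print $2; found = 1 }
                            END { if (!found) print "unknown(" id ")" }'
}

# Print "<count> <email>" for each identity that logged in successfully.
count_logins_per_user() {
  printf '%s\n' "$SAMPLE_LOGS" | extract_success_ids | sort | uniq -c \
    | while read -r n id; do
        printf '%s %s\n' "$n" "$(resolve_identity "$id")"
      done
}

echo "Successful SOC logins per user (sample data):"
count_logins_per_user
```

To run this against a real node, replace the `printf '%s\n' "$SAMPLE_LOGS"` feed with `sudo zcat -f /opt/so/log/kratos/*` and build IDENTITY_MAP from the sqlite3 query; the grep string is the same one the documentation searches for.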