SOC Logs

Standard Security Onion Console (SOC) logs can be found at /opt/so/log/soc/.

SOC Auth Logs

SOC authentication is handled by Kratos, which is documented at https://github.com/ory/kratos. SOC auth logs can be found at /opt/so/log/kratos/. These logs are ingested into Elasticsearch and can be searched in Dashboards, Hunt, and Kibana. Both Dashboards and Hunt have predefined queries for SOC auth logs.