Where can you find a record of USB devices that have been plugged into a Linux system?

#Linux #DFIR #CommandLine #Trivia

I have to admit that sometimes I pose these daily Linux command line trivia questions because I'm hoping to learn something I didn't know. Yesterday's question asked how you can get historical information on USB devices plugged into a Linux system.

I got a couple of responses suggesting the "lsusb" command. "lsusb" is great for looking at USB devices currently plugged into the system, but unfortunately has no historical information about devices that have been connected and later removed.

And so we're left with the traditional method of looking at the kernel logs, whether through "dmesg" or just going and finding the raw logs themselves under /var/log. The problem here is that these logs don't last forever. Under standard Linux log rotation settings, they're only going to be around for about a month. After that, you might be able to pull some old logs out of unallocated, emphasis on "might".

As always, it's a good idea to keep copies of your logs in some central, searchable collection for longer than a month. In this case, it will help you go back historically and track any USB devices that may have been deployed during an incident.

#Linux #DFIR #CommandLine #Trivia
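The post's answer is the kernel log, so here is an added example (not from the thread or from Hal's tooling) of turning those log lines into a per-device attach/detach timeline: a small awk filter wrapped in a shell function, run over a constructed sample. It assumes syslog/`journalctl -k` line layout ("Mon DD HH:MM:SS host kernel: usb <port>: ..."), keys each record on the USB port path, and the device names, IDs and serial in the sample are made up.

```shell
#!/bin/sh
# Added example: reconstruct a USB attach/detach timeline from kernel log lines.
# Assumes syslog / "journalctl -k" short format, where $7 is the "usb <port>:" token.

# Constructed sample log (devices, IDs and serial are invented for this example).
SAMPLE_LOG='Mar 03 09:12:01 host kernel: usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
Mar 03 09:12:01 host kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar 03 09:12:01 host kernel: usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Mar 03 09:12:01 host kernel: usb 1-1.2: Product: Ultra Fit
Mar 03 09:12:01 host kernel: usb 1-1.2: Manufacturer: SanDisk
Mar 03 09:12:01 host kernel: usb 1-1.2: SerialNumber: 4C530001234567890
Mar 03 09:12:02 host kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Mar 03 09:20:44 host kernel: usb 1-1.2: USB disconnect, device number 5
Mar 03 10:01:10 host kernel: usb 2-3: new full-speed USB device number 7 using xhci_hcd
Mar 03 10:01:10 host kernel: usb 2-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Mar 03 10:01:10 host kernel: usb 2-3: Product: USB Receiver
Mar 03 10:01:10 host kernel: usb 2-3: Manufacturer: Logitech'

# usb_history: read log lines on stdin, print one tab-separated record per attach:
#   first_seen  port  vid:pid  manufacturer  product  serial  disconnect_time
# A record is emitted when its "USB disconnect" line is seen, or at end of input
# (marked "no-disconnect-seen") for devices still attached when the log ends.
usb_history() {
    awk '
    function port_of(    s) { s = $7; sub(/:$/, "", s); return s }
    function ts()          { return $1 " " $2 " " $3 }
    function after(s, m)   { return substr(s, index(s, m) + length(m)) }
    function emit(p) {
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n",
               seen[p], p, id[p], mfr[p], prod[p], ser[p], gone[p]
    }
    /kernel: usb [0-9][0-9.-]*: New USB device found/ {
        p = port_of()
        if (p in id) emit(p)      # re-attach on the same port with no disconnect line logged
        match($0, /idVendor=[0-9a-fA-F]+/);  vid = substr($0, RSTART + 9,  RLENGTH - 9)
        match($0, /idProduct=[0-9a-fA-F]+/); pid = substr($0, RSTART + 10, RLENGTH - 10)
        seen[p] = ts(); id[p] = vid ":" pid
        mfr[p] = "-"; prod[p] = "-"; ser[p] = "-"; gone[p] = "no-disconnect-seen"
        next
    }
    /kernel: usb [0-9][0-9.-]*: Manufacturer: / { p = port_of(); if (p in id) mfr[p]  = after($0, "Manufacturer: "); next }
    /kernel: usb [0-9][0-9.-]*: Product: /      { p = port_of(); if (p in id) prod[p] = after($0, "Product: ");      next }
    /kernel: usb [0-9][0-9.-]*: SerialNumber: / { p = port_of(); if (p in id) ser[p]  = after($0, "SerialNumber: "); next }
    /kernel: usb [0-9][0-9.-]*: USB disconnect/ {
        p = port_of()
        if (p in id) { gone[p] = ts(); emit(p); delete id[p] }
        next
    }
    END { for (p in id) emit(p) }
    '
}

# Demo on the constructed sample. On a live system feed the real logs instead, e.g.
#   journalctl -k --no-pager | usb_history
#   zcat -f /var/log/kern.log* | usb_history      # include rotated copies while they still exist
printf '%s\n' "$SAMPLE_LOG" | usb_history
```

Because the port path (`1-1.2`, `2-3`) is what ties the "New USB device found", string and disconnect lines together, the same physical port can appear many times in the output, one record per insertion. Output from plain `dmesg` uses a different prefix (`[seconds.micros]`), so the `$7` field assumption above only holds for syslog or journal output; the vendor/product pair and serial number are what you would carry into a central log store to match the same stick across hosts.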

@hal_pomeranz I need to set up an alert for your daily questions so I don't miss them! They're great little exercises.