Which method is recommended to quickly collect logs for incident analysis?

Collecting logs for incident analysis relies on pulling together sources that record what happened on the system, when it happened, and how the system was configured. The best approach is to use vendor-provided collection tools or a tarball that bundles the essential logs and context: include /var/log for standard log files, use the systemd journal via journalctl --since to capture recent events, grab kernel messages with dmesg, and include relevant configuration files to explain how the system was set up. This combination gives a complete, time-bounded snapshot that analysts can review quickly and preserve with proper metadata for integrity. Copying only /home misses critical system and kernel logs; copying only /proc isn’t a real log source and provides transient process information; copying only /boot excludes most operational data needed for analysis.