In this short course, we covered log analysis and management concepts as well as methods and tools used to analyze and manage logs for both Windows and Linux operating systems.
The course covers the following topics:
– Intro to logging
– Intro to log analysis
– Log analysis with Cyberchef
– Linux log analysis
– Windows log analysis
– Log management and centralization
– Log analysis with PowerShell
Please watch the video at the bottom for a full, detailed explanation of the walkthrough.
What are Logs?
Following security best practices, it is typical for a modern environment to employ log forwarding. Log forwarding means that the SOC moves or “forwards” logs from the host machine to a central server or indexer. Even if an attacker manages to delete logs from the host machine, copies may already be off the device and secured on the central server.
Log entries are often given a severity level to categorize and communicate their relative importance or impact. These severity levels help prioritize responses, investigations, and actions based on the criticality of the events. Different systems might use slightly different severity levels, but commonly, you can expect to find the following increasing severity levels: Informational, Warning, Error, and Critical.
Log Files
Log files are records of events committed to a file in a list format. They can include all sorts of information about events that happened at a particular time. Every device on the network creates log files, thus giving you a history of what’s been happening.
Log entries typically contain five fields. They are:
- Timestamp – the time of the event.
- Log level – how severe or important the event is.
- Username – who caused the event.
- Service or application – what caused the event.
- Event description – what has happened.
Log file types
- Event log – records information about the usage of network traffic and tracks login attempts, application events, and failed password attempts.
- System log (or syslog) – records operating system events, including startup messages, system changes, shutdowns, and errors and warnings.
- Server log – contains a record of activities in a text document related to a specific server over a specific period of time.
- Change log – lists changes made to an application or file.
- Availability log – tracks uptime, availability, and system performance.
- Authorization and access log – lists who is accessing applications or files.
- Resource log – provides information on connectivity issues and any capacity problems.
Log categories
- Application logs – messages about specific applications, including status, errors, warnings, etc.
- Audit logs – activities related to operational procedures crucial for regulatory compliance.
- Security logs – security events such as logins, permission changes, firewall activity, etc.
- Network logs – network traffic, connections, and other network-related events.
- Database logs – activities within a database system, such as queries and updates.
- Web server logs – requests processed by a web server, including URLs, response codes, etc.
Definition of Log Analysis
Log analysis examines and interprets log event data generated by various data sources (devices, applications, and systems) to monitor metrics and identify security incidents.
Log analysis involves several steps. It starts with collecting, parsing, and processing log files to turn raw data into actionable information. Analysts then correlate log data to find links and connections between events and piece together a story of what happened.
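To make the parse, triage and correlate steps concrete, here is a small added example (not code from the course) that splits constructed syslog-style lines into the five fields listed above, filters by severity, and correlates repeated failed logins with a later success. The line layout, field order and level names (INFO, WARN, ERROR, CRIT) are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines (not from the course) laid out with the five fields
# the course lists: timestamp, log level, username, service, event description.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 INFO  alice sshd   Accepted password from 10.0.0.5
2024-03-01T10:00:05 WARN  bob   sshd   Failed password from 10.0.0.9
2024-03-01T10:00:06 WARN  bob   sshd   Failed password from 10.0.0.9
2024-03-01T10:00:07 WARN  bob   sshd   Failed password from 10.0.0.9
2024-03-01T10:00:09 INFO  bob   sshd   Accepted password from 10.0.0.9
2024-03-01T10:01:00 ERROR root  cron   job backup exited with status 1
2024-03-01T10:02:00 CRIT  root  kernel disk /dev/sda1 full
this line is not a valid log entry
"""
# Increasing severity order as in the course text (level names are assumed).
SEVERITY = {"INFO": 0, "WARN": 1, "ERROR": 2, "CRIT": 3}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_logs(text):
    """Split each line into the five fields; malformed lines are dropped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) not in SEVERITY:
            continue
        ts, level, user, service, desc = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "level": level,
                       "user": user, "service": service, "desc": desc})
    return events

def at_least(events, level):
    """Triage step: keep only events at or above the given severity."""
    return [e for e in events if SEVERITY[e["level"]] >= SEVERITY[level]]

def failed_then_success(events, threshold=3, window_s=60):
    """Correlation: {user: n_failures} where n failed sshd logins precede a success within window_s."""
    hits, fails = {}, defaultdict(list)
    for e in events:
        if e["service"] != "sshd":
            continue
        if e["desc"].startswith("Failed password"):
            fails[e["user"]].append(e["ts"])
        elif e["desc"].startswith("Accepted password"):
            recent = [t for t in fails[e["user"]]
                      if (e["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                hits[e["user"]] = len(recent)
            fails[e["user"]].clear()
    return hits
```

With the sample above, `failed_then_success(parse_logs(SAMPLE_LOGS))` reports bob with three failures before a success, while alice's single clean login and the malformed line are ignored.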
Full Video Course