Logging for Cyber Security

Here are some notes I took on Logging during my Security+ exam prep.

Logs form detailed lists of activities related to user actions, application functioning, and system performance. They allow us to answer the who (usernames, account names), what (direction of traffic, socket info), when (timestamps), and where (socket info, MAC addresses) questions about security events. We can use logs to trace a sequence of events leading up to a security incident.

Important log sources and tools:

1. Network Logs

  • Can come from various sources: NIDS, NIPS, firewalls, routers, web servers
  • These devices can be configured to log specific types of information
  • Includes packet information: source/destination IP addresses, source/destination ports, and MAC addresses
  • Web server logs record HTTP requests and responses, including suspicious traffic such as SQL injection attempts
  • Used for troubleshooting connectivity issues and investigating potential attacks
  • Data recorded in web server logs: host, user-identifier, authuser, date, request, status, bytes

HTTP response status code classes (by leading digit):

  1. 100 - Informational
  2. 200 - Successful
  3. 300 - Redirection
  4. 400 - Client Error
  5. 500 - Server Error
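As an added example (not part of the original notes), here is a small Python parser for the web server log fields listed above, the Common Log Format; it classifies each entry by status code class and flags requests carrying SQL injection markers. The sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# First digit of the status code selects the class listed above
STATUS_CLASSES = {1: "Informational", 2: "Successful", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}

# Request strings carrying classic SQL injection markers (quote + OR/AND, UNION SELECT)
SQLI_MARKERS = re.compile(r"(%27|')(%20|\s)*(or|and)\b|union(%20|\s)+select", re.I)

# Constructed sample entries, not taken from a real server
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login.php?user=admin'%20OR%201=1 HTTP/1.1" 500 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /admin HTTP/1.1" 403 199
198.51.100.4 - alice [10/Oct/2023:13:56:01 +0000] "GET /old HTTP/1.1" 301 -
"""

def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["status_class"] = STATUS_CLASSES.get(rec["status"] // 100, "Unknown")
    return rec

def parse_log(text):
    """Parse every line, skipping lines that are not valid CLF."""
    return [r for r in map(parse_clf, text.splitlines()) if r is not None]

def status_summary(records):
    """Count entries per status class; a spike in 4xx or 5xx is worth a look."""
    return Counter(r["status_class"] for r in records)

def suspicious_requests(records):
    """Entries whose request string looks like an SQL injection attempt."""
    return [r for r in records if SQLI_MARKERS.search(r["request"])]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(status_summary(recs))
    for r in suspicious_requests(recs):
        print(r["host"], r["date"], r["request"])
```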


2. Windows System Logs

Event Viewer in Windows allows you to analyze the logs recorded for everything that happens on the system.

Launch Event Viewer:

  • Start Menu: type "Event Viewer", press Enter
  • Windows key + R: enter eventvwr, press OK

Categories of Windows Logs:

  • Application: logs related to installed software
  • Security: logs related to login attempts and accessing resources
  • Setup: logs events related to installation of the Windows OS
  • System: logs events related to the functioning of the OS and system components
  • Forwarded Events: logs forwarded from other computers in the network

Windows Event Severity Levels:

  • Information: Successful system functioning
  • Verbose: Progress/success information for specific events
  • Warning: Potential issues that should be monitored and may require more attention in the future
  • Error: A system or service issue that doesn't require immediate attention
  • Critical: An urgent system or application issue that requires immediate attention

A few Important Windows Event IDs:

  • 1102: Audit log cleared
  • 4624: Account successfully logged on
  • 4625: Account failed to log on
  • 4672: An account with elevated privileges has logged on
  • 4698: Scheduled task created
  • 4720: User account created
  • 4740: Account locked out
  • 4657: A registry value was changed
  • 4688: New process was created
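An added example, not from the original notes: a Python detection pass over constructed Security log events using three of the IDs above (4625, 4624, 1102). It raises an alert when a logon succeeds for an account that just accumulated a burst of failures from the same source, and whenever the audit log is cleared. The field names, threshold and window are my assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like Security log fields (not real data)
EVENTS = [
    {"time": "2023-10-10T09:00:01", "id": 4625, "user": "bob", "src": "10.0.0.5"},
    {"time": "2023-10-10T09:00:03", "id": 4625, "user": "bob", "src": "10.0.0.5"},
    {"time": "2023-10-10T09:00:05", "id": 4625, "user": "bob", "src": "10.0.0.5"},
    {"time": "2023-10-10T09:00:07", "id": 4625, "user": "bob", "src": "10.0.0.5"},
    {"time": "2023-10-10T09:00:09", "id": 4625, "user": "bob", "src": "10.0.0.5"},
    {"time": "2023-10-10T09:00:12", "id": 4624, "user": "bob", "src": "10.0.0.5"},
    {"time": "2023-10-10T09:30:00", "id": 4624, "user": "alice", "src": "10.0.0.9"},
    {"time": "2023-10-10T11:15:00", "id": 1102, "user": "bob", "src": "-"},
]

FAIL_THRESHOLD = 5           # assumed: failures before a success becomes suspicious
WINDOW = timedelta(minutes=5)  # assumed: how far back failures still count

def _ts(event):
    return datetime.fromisoformat(event["time"])

def detect(events):
    """Return (rule, user, time) alerts in chronological order."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent 4625 events
    for e in sorted(events, key=_ts):
        key, now = (e["user"], e["src"]), _ts(e)
        if e["id"] == 1102:
            # Clearing the audit log is rarely legitimate outside planned maintenance
            alerts.append(("audit_log_cleared", e["user"], e["time"]))
        elif e["id"] == 4625:
            failures[key] = [f for f in failures[key] if now - f <= WINDOW] + [now]
        elif e["id"] == 4624:
            recent = [f for f in failures[key] if now - f <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("success_after_failures", e["user"], e["time"]))
            failures[key].clear()  # a success resets the failure run for this pair
    return alerts

if __name__ == "__main__":
    for rule, user, when in detect(EVENTS):
        print(when, rule, user)
```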


3. DNS Logs

  • Record queries against DNS servers, showing the IP address and fully qualified domain name for each request
  • DNS logs can be used to pinpoint which malicious site a user downloaded malware from

DNS attack types:

  • DNS open resolver attacks
  • DNS stealth attacks
  • DNS domain shadowing attacks
  • DNS tunneling attacks


4. Syslog, Syslog-ng, Rsyslog, NXLog

  • Syslog: a logging service that can be started on various devices to send logs to a centralized location
  • Syslog-ng: adds security enhancements to syslog such as filtering and support for TCP and TLS
  • Rsyslog: allows logs to be sent directly to a database
  • NXLog: can be used on Linux and Windows systems and integrates with a SIEM


5. Linux Logs

View Linux logs with the cat command (example: cat /var/log/faillog)

Linux Log Locations:

  • /var/log/syslog: information on system activity such as start-ups
  • /var/log/messages: a variety of general system messages
  • /var/log/boot.log: system boot logs
  • /var/log/auth.log: successful/unsuccessful login attempts
  • /var/log/faillog: failed login attempts
  • /var/log/kern.log: system kernel logs
  • /var/log/httpd/: access and error logs for Apache web servers

6. journalctl

  • This command queries journald, the Linux system logging utility, and displays the log data as text
  • You can list all journal entries, or get more selective output by using command parameters
  • Syntax: journalctl [options] [unit]
  • Example: journalctl -p alert


Resources:


Anindita Kumar

Solutions Architect (Cloud & IoT) at Atos

1 year

Explore the world of possibilities with Edusum's CompTIA practice exams at www.edusum.com/comptia. Your success story is waiting to be written! #Edusum #CompTIA #SuccessStory

Reply

This is a great run down of log sources and tools Octavious W. ! I will save this to keep as a reference guide.

Jon Good

Cloud Security & Compliance Leader | CEO @ Cyber Training Pro | YouTuber, Trainer, Career Coach, Mentor | Developing Information Security Beginners Into Experts

1 year

Looking at the important Windows Event IDs in your article Octavious, which one do you think is the most important? Why that one?

We love seeing the continued learning Octavious!
