Logs
Data sources such as devices generate data in the form of events. A log is a record of events that occur within an organization’s systems. Logs contain log entries and each entry details information corresponding to a single event that happened on a device or system.
Log analysis is the process of examining logs to identify events of interest.
Logs help uncover the details surrounding the 5 W’s of incident investigation: who triggered the incident, what happened, when the incident took place, where the incident took place, and why the incident occurred.
Use Cases#
| Use Case | Description |
|---|---|
| Security Events Monitoring | Logs help us detect anomalous behavior when real-time monitoring is used. |
| Incident Investigation and Forensics | Logs are the traces of every kind of activity. They offer detailed information on what happened during an incident, and the security team uses them to perform root cause analysis. |
| Troubleshooting | Because logs also record errors in systems and applications, they can be used to diagnose issues and help fix them. |
| Performance Monitoring | Logs can also provide valuable insights into the performance of applications. |
| Auditing and Compliance | Logs play a major role in auditing and compliance because they establish a trail of the different kinds of activity that took place. |
Types of logs#
Depending on the data source, different log types can be produced.
| Log Type | Usage | Example |
|---|---|---|
| System Logs | System logs are generated by operating systems like Chrome OS™, Windows, Linux, or macOS®. They are helpful for troubleshooting issues in the running OS and provide information on various operating system activities. | - System Startup and shutdown events - Driver Loading events - System Error events - Hardware events |
| Security Logs | Security logs are generated by various devices or systems such as antivirus software and intrusion detection systems. They help detect and investigate incidents and provide information on the security-related activities in the system. | - Authentication events - Authorization events - Security Policy changes events - User Account changes events - Abnormal Activity events |
| Application Logs | Application logs are generated by software applications and contain specific events related to the application. Any interactive or non-interactive activity happening inside the application will be logged here. | - User Interaction events - Application Changes events - Application Update events - Application Error events |
| Audit Logs | Audit logs provide detailed information on system changes and user events. These logs are helpful for compliance requirements and can play a vital role in security monitoring as well. | - Data Access events - System Change events - User Activity events - Policy Enforcement events |
| Network Logs | Network logs provide information on the network's outgoing and incoming traffic. They play a crucial role in troubleshooting network issues and can also be handy during incident investigations. | - Incoming Network Traffic events - Outgoing Network Traffic events - Network Connection Logs - Network Firewall Logs |
| Access Logs | Access logs provide detailed information about access to different resources. These resources can be of different types, and the logs record how each of them was accessed. | - Webserver Access Logs - Database Access Logs - Application Access Logs - API Access Logs |
Log management#
Because all devices produce logs, it can quickly become overwhelming for organizations to keep track of all the logs that are generated. To get the most value from your logs, you need to choose exactly what to log, how to access it easily, and keep it secure using log management. Log management is the process of collecting, storing, analyzing, and disposing of log data.
What to log#
The most important aspect of log management is choosing what to log. Organizations are different, and their logging requirements can differ too. It's important to consider which log sources are most likely to contain the most useful information for your event of interest. This might mean configuring log sources to reduce the amount of data they record, such as excluding excessive verbosity. Some information, including but not limited to phone numbers, email addresses, and names, is personally identifiable information (PII), which requires special handling and in some jurisdictions might not be permitted to be logged at all.
The issue with overlogging#
From a security perspective, it can be tempting to log everything. This is the most common mistake organizations make. Just because it can be logged, doesn’t mean it needs to be logged. Storing excessive amounts of logs can have many disadvantages with some SIEM tools. For example, overlogging can increase storage and maintenance costs. Additionally, overlogging can increase the load on systems, which can cause performance issues and affect usability, making it difficult to search for and identify important events.
Log retention#
Organizations might operate in industries with regulatory requirements. For example, some regulations require organizations to retain logs for set periods of time, and organizations can implement log retention practices in their log management policy.
Log protection#
Along with management and retention, the protection of logs is vital in maintaining log integrity. It's not unusual for malicious actors to modify logs in an attempt to mislead security teams and even to hide their activity.
Storing logs in a centralized log server is a way to maintain log integrity. When logs are generated, they get sent to a dedicated server instead of getting stored on a local machine. This makes it more difficult for attackers to access logs because there is a barrier between the attacker and the log location.
Log Formats#
Commonly used log formats include Syslog, JSON, XML, CSV, and CEF.
Syslog#
Syslog is a standard for logging and transmitting data. It can be used to refer to any of its three different capabilities:
- Protocol: The syslog protocol is used to transport logs to a centralized log server for log management. It uses port 514 for plaintext logs and port 6514 for encrypted logs.
- Service: The syslog service acts as a log forwarding service that consolidates logs from multiple sources into a single location. The service works by receiving and then forwarding any syslog log entries to a remote server.
- Log format: The syslog log format is one of the most commonly used log formats that you will be focusing on. It is the native logging format used in Unix® systems. It consists of three components: a header, structured-data, and a message.
Here is an example of a syslog entry that contains all three components: a header, followed by structured-data, and a message:
```plaintext
<236>1 2022-03-21T01:11:11.003Z virtual.machine.com evntslog - ID01 [user@32473 iut="1" eventSource="Application" eventID="9999"] This is a log entry!
```
- Header: The header contains details like the timestamp; the hostname, which is the name of the machine that sends the log; the application name; and the message ID.
  - Timestamp: The timestamp in this example is 2022-03-21T01:11:11.003Z, where 2022-03-21 is the date in YYYY-MM-DD format. T is used to separate the date and the time. 01:11:11.003 is the time in 24-hour format and includes the milliseconds, 003. Z indicates the timezone, which is Coordinated Universal Time (UTC).
  - Hostname: virtual.machine.com
  - Application: evntslog
  - Message ID: ID01
- Structured-data: The structured-data portion of the log entry contains additional logging information. This information is enclosed in square brackets and structured in key-value pairs. Here, there are three keys with corresponding values: [user@32473 iut="1" eventSource="Application" eventID="9999"].
- Message: The message contains a detailed log message about the event. Here, the message is This is a log entry!.
- Priority (PRI): The priority (PRI) field indicates the urgency of the logged event and is contained within angle brackets. In this example, the priority value is <236>. Generally, the lower the priority value, the more urgent the event is.
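As an added example (not code from the original page), the following Python parser splits an RFC 5424 entry like the one above into its PRI, header, structured-data and message components, and derives the facility and severity from the PRI value (PRI = facility * 8 + severity, as the RFC defines it). The sample entry is constructed to match the layout discussed above.

```python
import re

# Constructed sample, laid out like the entry discussed above (not captured from a real host).
SAMPLE = ('<236>1 2022-03-21T01:11:11.003Z virtual.machine.com evntslog - ID01 '
          '[user@32473 iut="1" eventSource="Application" eventID="9999"] This is a log entry!')

# RFC 5424 severity names, index = PRI % 8 (0 is the most urgent).
SEVERITY = ['emergency', 'alert', 'critical', 'error',
            'warning', 'notice', 'informational', 'debug']

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then structured-data and message.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) '
    r'(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.DOTALL)
# One SD-ELEMENT: [id key="value" key="value"]; values may contain \" \] \\ escapes.
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^\s\]]+)(?P<params>(?: [^\s=]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^\s=]+)="((?:[^"\\]|\\.)*)"')


def parse_syslog(line: str) -> dict:
    """Split an RFC 5424 entry into PRI, header, structured-data and message."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 syslog entry')
    pri = int(m['pri'])
    rest = m['rest']
    structured = {}
    if rest.startswith('-'):            # NILVALUE: no structured-data present
        rest = rest[1:]
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == '[':   # there may be several SD-ELEMENTs
            sd = SD_ELEMENT_RE.match(rest, pos)
            if not sd:
                raise ValueError('malformed structured-data')
            structured[sd['id']] = dict(SD_PARAM_RE.findall(sd['params']))
            pos = sd.end()
        rest = rest[pos:]
    return {
        'facility': pri // 8,            # PRI = facility * 8 + severity
        'severity': pri % 8,
        'severity_name': SEVERITY[pri % 8],
        'version': int(m['version']),
        'timestamp': m['timestamp'],
        'hostname': m['hostname'],
        'appname': m['appname'],
        'procid': m['procid'],
        'msgid': m['msgid'],
        'structured_data': structured,
        'message': rest.lstrip(' '),
    }
```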
CEF (Common Event Format)#
Common Event Format (CEF) is a log format that uses key-value pairs to structure data and identify fields and their corresponding values. The CEF syntax is defined as containing the following fields:
```plaintext
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
```
Fields are all separated with a pipe character |. However, anything in the Extension part of the CEF log entry must be written in key-value format. Syslog is a common method used to transport logs like CEF. When syslog is used, a timestamp and hostname are prepended to the CEF message.
Here is an example of a CEF log entry that details malicious activity relating to a worm infection:
```plaintext
Sep 29 08:26:10 host CEF:1|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.2 dst=2.1.2.2 spt=1232
```
Here is a breakdown of the fields:
- Syslog Timestamp: Sep 29 08:26:10
- Syslog Hostname: host
- Version: CEF:1
- Device Vendor: Security
- Device Product: threatmanager
- Device Version: 1.0
- Signature ID: 100
- Name: worm successfully stopped
- Severity: 10
- Extension: This field contains data written as key-value pairs. There are two IP addresses, src=10.0.0.2 and dst=2.1.2.2, and a source port number spt=1232. Extensions are optional.
This log entry contains details about a Security application called threatmanager that successfully stopped a worm from spreading from the internal network at 10.0.0.2 to the external network 2.1.2.2 from source port 1232. A high severity level of 10 is reported.
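As an added example (not code from the original page), this Python parser strips the syslog timestamp and hostname prefix, splits the seven pipe-separated CEF header fields while honouring the escaped pipe (\|) that CEF allows inside header fields, and turns the extension into a dictionary of key-value pairs. The sample entry is constructed to match the one above; the escaped-value rules are taken from the CEF specification.

```python
import re

# Constructed sample in the layout discussed above: syslog prefix followed by a CEF message.
SAMPLE = ('Sep 29 08:26:10 host CEF:1|Security|threatmanager|1.0|100|'
          'worm successfully stopped|10|src=10.0.0.2 dst=2.1.2.2 spt=1232')

HEADER_FIELDS = ['version', 'device_vendor', 'device_product', 'device_version',
                 'signature_id', 'name', 'severity']
# Optional "Mon DD hh:mm:ss hostname " prefix added by syslog transport.
SYSLOG_PREFIX_RE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) (?=CEF:)')
# key=value pairs; a value runs until whitespace followed by the next "key=".
EXT_RE = re.compile(r'([\w.]+)=((?:(?!\s[\w.]+=).)*)')


def split_header(s: str, limit: int = 7) -> list:
    # Split on '|' up to `limit` times, honouring the '\|' and '\\' escapes that CEF
    # allows in header fields; everything after the 7th pipe is the extension, kept raw.
    fields, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == '\\' and i + 1 < len(s) and s[i + 1] in '|\\' and len(fields) < limit:
            cur.append(s[i + 1]); i += 2; continue
        if c == '|' and len(fields) < limit:
            fields.append(''.join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    fields.append(''.join(cur))
    return fields


def parse_cef(line: str) -> dict:
    """Parse an optional syslog prefix plus a CEF message into a flat record."""
    rec = {'syslog_timestamp': None, 'syslog_hostname': None}
    m = SYSLOG_PREFIX_RE.match(line)
    if m:
        rec['syslog_timestamp'], rec['syslog_hostname'] = m['timestamp'], m['hostname']
        line = line[m.end():]
    if not line.startswith('CEF:'):
        raise ValueError('not a CEF entry')
    parts = split_header(line[4:])
    if len(parts) != 8:
        raise ValueError('expected 7 pipe-separated header fields before the extension')
    rec.update(zip(HEADER_FIELDS, parts[:7]))
    rec['version'], rec['severity'] = int(rec['version']), int(rec['severity'])
    # Extension escapes: '\=' for a literal '=', '\\' for a backslash.
    rec['extension'] = {k: re.sub(r'\\([=\\])', r'\1', v) for k, v in EXT_RE.findall(parts[7])}
    return rec
```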
Windows Event logs#
Windows OS logs many of the activities that take place on the system and stores them in segregated log files, each with a specific log category.
- Application: There are many applications running on the operating system. Any information related to those applications is logged into this file. This information includes errors, warnings, compatibility issues, etc.
- System: The operating system itself has different running operations. Any information related to these operations is logged in the System log file. This information includes driver issues, hardware issues, system startup and shutdown information, services information, etc.
- Security: This is the most important log file in Windows OS in terms of security. It logs all security-related activities, including user authentication, changes in user accounts, security policy changes, etc.
Windows OS has a utility known as Event Viewer, which gives a nice graphical user interface to view and search for anything in the event logs.
You can click 'Windows Logs' to see the different types of logs.
The left sidebar shows the different log files. When we click one of these log files, the entries it contains are listed in the centre pane. Lastly, in the right sidebar, we have different options for analyzing the logs.
We can click on a log entry to see its details in the bottom pane, or double-click it to open the event properties in a new window.
A Windows event log has different fields:
- Description: This field contains detailed information about the activity.
- Log Name: The Log Name indicates the log file name.
- Logged: This field indicates the time of the activity.
- Event ID: Event IDs are unique identifiers for a specific activity.
We can use these event IDs to search for any specific activity.
Some important event IDs:
| Event ID | Description |
|---|---|
| 4624 | A user account successfully logged in |
| 4625 | A user account failed to login |
| 4634 | A user account successfully logged off |
| 4720 | A user account was created |
| 4724 | An attempt was made to reset an account’s password |
| 4722 | A user account was enabled |
| 4725 | A user account was disabled |
| 4726 | A user account was deleted |
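As an added example (not from the original page), the following Python detection logic uses the event IDs from the table above. It groups events by account and flags an account that accumulates a burst of 4625 (failed logon) events inside a short window and is then followed by a 4624 (successful logon), which is the pattern an analyst would want surfaced for review. The event records are constructed for the example, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): (time, event ID, target account).
SAMPLE_EVENTS = [
    ('2024-05-01T09:00:01', 4625, 'alice'),
    ('2024-05-01T09:00:06', 4625, 'alice'),
    ('2024-05-01T09:00:11', 4625, 'alice'),
    ('2024-05-01T09:00:16', 4625, 'alice'),
    ('2024-05-01T09:00:21', 4625, 'alice'),
    ('2024-05-01T09:00:26', 4625, 'alice'),
    ('2024-05-01T09:00:40', 4624, 'alice'),   # success right after a burst of failures
    ('2024-05-01T09:05:00', 4625, 'bob'),
    ('2024-05-01T09:05:10', 4625, 'bob'),
    ('2024-05-01T09:05:20', 4624, 'bob'),     # two typos, then success: below threshold
    ('2024-05-01T08:00:00', 4625, 'dave'),
    ('2024-05-01T08:20:00', 4625, 'dave'),
    ('2024-05-01T08:40:00', 4625, 'dave'),
    ('2024-05-01T09:00:00', 4625, 'dave'),
    ('2024-05-01T09:15:00', 4625, 'dave'),
    ('2024-05-01T09:16:00', 4624, 'dave'),    # failures spread over an hour: outside the window
    ('2024-05-01T09:10:00', 4624, 'carol'),
    ('2024-05-01T09:30:00', 4634, 'carol'),   # normal logon and logoff
]


def find_failed_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """Return accounts with >= threshold 4625 events inside `window` followed by a 4624."""
    by_account = defaultdict(list)
    for ts, event_id, account in sorted(events):      # ISO timestamps sort chronologically
        by_account[account].append((datetime.fromisoformat(ts), event_id))
    findings = []
    for account, evs in by_account.items():
        failures = []                                   # recent 4625 timestamps for this account
        for ts, event_id in evs:
            failures = [t for t in failures if ts - t <= window]   # forget stale failures
            if event_id == 4625:
                failures.append(ts)
            elif event_id == 4624 and len(failures) >= threshold:
                findings.append({'account': account, 'failures': len(failures),
                                 'first_failure': failures[0].isoformat(),
                                 'success_at': ts.isoformat()})
                failures = []
    return findings
```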
Linux logs#
Linux stores all of its logs, such as events, errors, warnings, etc., under one main directory: /var/log.
Some of the common Linux logs are:
- /var/log/httpd: Contains HTTP request/response and error logs.
- /var/log/cron: Events related to cron jobs are stored in this location.
- /var/log/auth.log and /var/log/secure: Store authentication-related logs.
- /var/log/kern: This file stores kernel-related events.
- /var/log/apache or /var/log/httpd: Apache-related logs.