Logs Fundamentals – Complete Guide with Answers
Logs are the digital footprints left behind by activities inside a system. Just like footprints help investigators solve crimes in the real world, logs help cybersecurity professionals trace attacks in digital environments.
In this blog, we’ll cover:

- What logs are
- Types of logs
- Windows Event Log analysis
- Web Server Access Log analysis
- ✅ All answers (before the conclusion)
Introduction to Logs
Logs contain records of activities performed in a system. These activities can be:

- Normal user actions
- System operations
- Application events
- Malicious activities

Security teams rely heavily on logs for:

- Incident investigation
- Root cause analysis
- Monitoring suspicious behavior
- Compliance and auditing
Types of Logs
Logs are categorized based on the information they provide.
| Log Type | Purpose |
|---|---|
| System Logs | OS activities (startup, shutdown, hardware events) |
| Security Logs | Authentication & authorization events |
| Application Logs | Application-specific events |
| Audit Logs | System & user activity tracking |
| Network Logs | Incoming & outgoing network traffic |
| Access Logs | Resource access information |
✅ Answers – Types of Logs Section
1️⃣ Which type of logs contain information regarding incoming and outgoing traffic?
Network Logs
2️⃣ Which type of logs contain authentication and authorization events?
Security Logs
Windows Event Logs Analysis
Windows records events in .evtx files (under C:\Windows\System32\winevt\Logs) and ships a built-in tool for reading them:
Event Viewer (eventvwr.msc)
Under "Windows Logs" it groups the three log categories this room uses:

- Application Logs: events written by installed programs
- System Logs: events from the OS, its drivers and services
- Security Logs: audit events such as logons and account changes (only recorded for the categories enabled in the audit policy)
Important Windows Event IDs
| Event ID | Description |
|---|---|
| 4624 | Successful login |
| 4625 | Failed login |
| 4634 | Logoff |
| 4720 | User account created |
| 4722 | Account enabled |
| 4724 | Password reset attempt |
| 4725 | Account disabled |
| 4726 | Account deleted |
Security analysts filter the Security log by Event ID (Filter Current Log in Event Viewer) to find specific activity quickly, then read the event details: TargetUserName is the account acted on, SubjectUserName is the account that performed the action, and TimeCreated gives the date. Account-lifecycle events (4720, 4722, 4724) share the same TargetUserName, so they can be chained into a timeline for one account.
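The timeline reconstruction described above, as an added example rather than code from the original post or the room: it parses Security events in the XML shape that Event Viewer ("Save Selected Events" as XML) and PowerShell's Get-WinEvent export, then chains 4720 (created), 4722 (enabled) and 4724 (password reset) on TargetUserName. All records, host details and user names below are constructed sample data, not the room's.

```python
"""Reconstruct an account-creation timeline from Windows Security events.

Added example, not code from the original post or the room. It parses
Security events in the XML shape that Event Viewer (Save Selected Events
as XML) and PowerShell's Get-WinEvent .ToXml() export, then chains
4720 (created) -> 4722 (enabled) -> 4724 (password reset) on the
TargetUserName field. All records below are constructed sample data for a
hypothetical host; the user names are made up.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, when, target, subject):
    """Build a minimal Security event record in the export format."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{when}"/>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">{target}</Data>
    <Data Name="SubjectUserName">{subject}</Data>
  </EventData>
</Event>"""


# Constructed sample records (not the room's data): jdoe creates and
# enables svc_report, later creates tempadmin and resets its password.
SAMPLE_EVENTS = [
    _event(4624, "2024-06-07T08:59:01.0000000Z", "jdoe", "-"),
    _event(4720, "2024-06-07T09:02:10.0000000Z", "svc_report", "jdoe"),
    _event(4722, "2024-06-07T09:02:11.0000000Z", "svc_report", "jdoe"),
    _event(4720, "2024-06-08T22:41:05.0000000Z", "tempadmin", "jdoe"),
    _event(4722, "2024-06-08T22:41:06.0000000Z", "tempadmin", "jdoe"),
    _event(4724, "2024-06-08T22:41:30.0000000Z", "tempadmin", "jdoe"),
    _event(4634, "2024-06-08T22:45:00.0000000Z", "jdoe", "-"),
]


def _parse_time(system_time):
    """SystemTime looks like 2024-06-07T09:02:10.1234567Z; keep whole seconds."""
    return datetime.strptime(system_time[:19], "%Y-%m-%dT%H:%M:%S")


def parse_event(xml_text):
    """Extract the fields an account investigation needs from one record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "id": int(system.find("e:EventID", NS).text),
        "time": _parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "target": data.get("TargetUserName"),    # account acted on
        "subject": data.get("SubjectUserName"),  # account performing the action
    }


def investigate(events):
    """Answer the four room questions for the most recently created account."""
    created = sorted((e for e in events if e["id"] == 4720), key=lambda e: e["time"])
    if not created:
        return None
    last = created[-1]
    name = last["target"]
    # Only events at or after the 4720 can belong to this account instance
    # (an older account with the same name may have been deleted earlier).
    follow_ups = [e for e in events if e["target"] == name and e["time"] >= last["time"]]
    enabled = [e for e in follow_ups if e["id"] == 4722]
    reset = [e for e in follow_ups if e["id"] == 4724]
    return {
        "account": name,
        "created_by": last["subject"],
        "enabled_on": enabled[0]["time"].date().isoformat() if enabled else None,
        "password_reset": bool(reset),
    }


def run(xml_records=SAMPLE_EVENTS):
    return investigate([parse_event(x) for x in xml_records])


if __name__ == "__main__":
    print(run())
```

Filtering on the time of the 4720 matters: account names are reused, so a 4722 or 4724 from an earlier, since-deleted account with the same TargetUserName must not be attributed to the new one.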
Windows Investigation Exercise – Answers
1️⃣ What is the name of the last user account created on this system?
hacked
2️⃣ Which user account created the above account?
Administrator
3️⃣ On what date was this user account enabled?
6/7/2024
4️⃣ Did this account undergo a password reset as well?
Yes
Web Server Access Logs Analysis
Web servers record every request they receive in an access log.
On Debian/Ubuntu systems Apache writes it to:
/var/log/apache2/access.log
(On Red Hat based systems the path is /var/log/httpd/access_log.)
Structure of an Apache Log Entry
Example (the simplified format used in this room):
172.16.0.1 - - [06/Jun/2024:13:58:44] "GET /products HTTP/1.1" 404 "-" "Mozilla/5.0..."
Apache's standard "combined" format also carries a timezone offset after the timestamp and the response size in bytes after the status code, e.g. [06/Jun/2024:13:58:44 +0000] ... 404 512 ..., so a parser should treat both fields as optional.
Important Fields:

- IP Address (the client that sent the request)
- Timestamp
- HTTP Method (GET / POST)
- Requested URL
- Status Code (200, 404, 500, etc.)
- User Agent
Useful Linux Commands for Log Analysis
cat
Displays the entire file contents (fine for small logs; pipe into a pager or grep for large ones).
grep
Searches for specific patterns inside logs.
Example:
grep '^192\.168\.1\.1 ' access.log
In a plain pattern the dots are regex wildcards, so "192.168.1.1" would also match 192.168.1.10 or 192.168.1.100; escaping the dots and anchoring the pattern to the start of the line (followed by a space) matches only that client IP. Use grep -F when you want a literal string search.
less
Allows page-by-page viewing of large logs:

- Space → Next page
- b → Previous page
- /pattern → Search (n jumps to the next match)
- G → Jump to the end of the file (useful for "last request" questions)
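The log structure and the three investigation questions above, worked as an added example rather than code from the original post: the parser accepts the simplified lines this room shows as well as Apache's standard combined format (timezone after the timestamp, response size before the referer), counts lines it cannot parse instead of dropping them silently, and answers "last GET to a URL" and "last POST by an IP". The log text is constructed sample data, not the room's log.

```python
"""Parse Apache access-log lines and answer the room's three questions.

Added example, not code from the original post. The parser accepts the
simplified lines this room shows as well as Apache's standard "combined"
format (timezone after the timestamp, response size before the referer).
The log text below is constructed sample data, not the room's log.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ '                      # client IP, identd, auth user
    r'\[(?P<ts>[^\]\s]+)(?: [+-]\d{4})?\] '       # timestamp, optional timezone
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3})(?: (?P<size>\d+|-))? '    # status, optional bytes sent
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two clients, one malformed line.
SAMPLE_LOG = """\
172.16.0.1 - - [06/Jun/2024:13:55:44] "POST /contact HTTP/1.1" 200 "-" "Mozilla/5.0"
10.0.0.1 - - [06/Jun/2024:13:56:10] "GET /contact HTTP/1.1" 200 "-" "Mozilla/5.0"
172.16.0.1 - - [06/Jun/2024:13:57:02 +0000] "GET /contact HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.1 - - [06/Jun/2024:13:57:30] "GET /contact HTTP/1.1" 200 "-" "Mozilla/5.0"
172.16.0.1 - - [06/Jun/2024:13:58:44] "GET /products HTTP/1.1" 404 "-" "Mozilla/5.0"
this line is not a valid access-log record
"""


def parse_log(text):
    """Return (entries, skipped): parsed dicts in file order, count of unparsable lines."""
    entries, skipped = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            skipped += 1      # never silently drop: count what you could not parse
            continue
        entries.append(m.groupdict())
    return entries, skipped


def last_request(entries, method, url=None, ip=None):
    """Last entry (file order is write order) matching method and optional URL/IP."""
    hits = [e for e in entries
            if e["method"] == method
            and (url is None or e["url"] == url)
            and (ip is None or e["ip"] == ip)]
    return hits[-1] if hits else None


def error_counts_by_ip(entries):
    """Clients producing 4xx/5xx responses, a quick scan for probing or abuse."""
    return Counter(e["ip"] for e in entries if e["status"][0] in "45")


if __name__ == "__main__":
    entries, skipped = parse_log(SAMPLE_LOG)
    print(f"parsed {len(entries)} lines, skipped {skipped}")
    print("last GET /contact from:", last_request(entries, "GET", url="/contact")["ip"])
    post = last_request(entries, "POST", ip="172.16.0.1")
    print("last POST by 172.16.0.1:", post["ts"], post["url"])
    print("error counts:", dict(error_counts_by_ip(entries)))
```

On a live box the same two questions are a one-liner each with the commands from this section: `grep '"GET /contact ' access.log | tail -n 1` and `grep '^172\.16\.0\.1 ' access.log | grep '"POST ' | tail -n 1`. The parser earns its keep when you need to group, count or compare fields, as error_counts_by_ip does.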
Web Log Investigation – Answers
1️⃣ What is the IP which made the last GET request to URL: “/contact”?
10.0.0.1
2️⃣ When was the last POST request made by IP: “172.16.0.1”?
06/Jun/2024:13:55:44
3️⃣ To which URL was the POST request made?
/contact
Conclusion
In this room, we learned:

- Logs are critical digital evidence
- Different types of logs serve different purposes
- How to analyze Windows Event Logs using Event Viewer
- How to manually analyze Apache Web Server logs
- How to extract attacker activity from logs

Logs are one of the most powerful tools in cybersecurity investigations. Mastering log analysis is a foundational skill for:

- SOC Analysts
- Incident Responders
- Digital Forensics Investigators
- Blue Team Professionals