Each operating system (OS) or networking device maintains its own log files. We must know where to find them, how to access them, and what they tell us. There is no single standard format for log files, which makes this task challenging: you may need to learn and research the structure of each log file you encounter.
Remember that Linux maintains most of its logs in /var/log. However, some services may write their logs to another location, and you might have to read the service's configuration file to learn where. Linux stores its log files in plain text, so use your favorite utility to view them. If you come across a log file that has been compressed with gzip, you do not need to uncompress it - use zcat!
Windows saves log files in Windows\System32\winevt\Logs\. Windows log files have an .evtx file extension. To view Windows events, you can use the eventvwr utility. Most of the time, Windows records data for the following event types:
System - contains information about incidents related to the OS.
Application - contains information about errors from installed software.
Setup - contains information about installation events.
Security - contains data about security events.
The Apache access log format is well defined and can be broken into 8 key data points.
Client IP Address - who made the request
Identity of the client (most of the time, this is a hyphen and should not be relied on)
User ID of who made the request
Timestamp (Date & Time)
The Request Type and Requested Data
HTTP Status Code
The size of the object returned
User-agent
Example:
166.122.90.192 - - [12/Apr/2024:20:55:58 +0000] "GET / HTTP/1.1" 200 2288 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0"
Client IP - 166.122.90.192
Identity of Client - the hyphen
User ID - the second hyphen
Timestamp - [12/Apr/2024:20:55:58 +0000]
Request Type and Requested Data - GET / HTTP/1.1
HTTP Status Code - 200
Size of Object Returned - 2288
User Agent - Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Performing log file analysis can provide a great deal of information. By looking through a log file, you can determine whether someone is scanning or has scanned a system with a vulnerability scanner or a port scanner, attempted a SQL injection, or simply made a normal request. It is important to understand log files and analyze them from a security standpoint—you need to know what happened!
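The following Python script is an added example (not part of this page) that parses the Apache access log line shown above into the fields listed and then performs the kind of review just described: it counts 404 responses per client to spot a host probing for files, and URL-decodes each requested path to look for quote characters or UNION SELECT that suggest a SQL injection attempt. The sample log lines, the client addresses, the 404 threshold and the SQL indicator list are all constructed for the example; the regular expression also captures the referer field, which in Apache's combined format sits between the object size and the user-agent (the second "-" in the example line).

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined format: the eight fields listed above plus the referer,
# which sits between the object size and the user-agent (the "-" in the example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    parts = rec["request"].split()  # e.g. "GET / HTTP/1.1" -> method, path, protocol
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else ("", rec["request"])
    return rec
# Crude indicators of SQL injection attempts in the requested path (checked after URL-decoding).
SQLI_HINT = re.compile(r"('|union\s+select)", re.I)

def analyze(lines, not_found_threshold=5):
    """Flag clients with many 404s (probing for files) and requests whose path looks like SQL."""
    not_found = Counter()
    sqli = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash; worth counting in real use
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        if SQLI_HINT.search(unquote(rec["path"])):
            sqli.append((rec["ip"], rec["path"]))
    scanners = sorted(ip for ip, n in not_found.items() if n >= not_found_threshold)
    return {"scanners": scanners, "sqli": sqli}

# Constructed sample: the page's example line, one client getting five 404s in a row,
# and one request carrying a URL-encoded single quote in its query string.
SAMPLE = [
    '166.122.90.192 - - [12/Apr/2024:20:55:58 +0000] "GET / HTTP/1.1" 200 2288 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0"',
] + [
    f'203.0.113.7 - - [12/Apr/2024:21:00:0{i} +0000] "GET /{p} HTTP/1.1" 404 196 "-" "curl/8.5.0"'
    for i, p in enumerate(["old", "test", "backup", "admin", "config"])
] + [
    '198.51.100.4 - - [12/Apr/2024:21:05:00 +0000] "GET /item?id=1%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
]
```

Run analyze() over the lines of a real access log (for example, open("/var/log/httpd/access_log")) to get the same two lists; tune the 404 threshold to the traffic volume of the server you are reviewing.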
Viewing Linux log files. This video provides details about various log files. Here is a listing of log files that you should review:
/var/log/syslog (Debian) or /var/log/messages (RedHat): Capture system-wide messages and activities.
/var/log/auth.log (Debian) or /var/log/secure (RedHat): Record authentication attempts, successful and failed logins.
/var/log/boot.log: Contains system startup messages.
/var/log/kern.log: Stores kernel messages, including errors and warnings.
/var/log/dmesg: Holds device driver messages.
/var/log/faillog: Records failed login attempts, aiding in security breach investigations.
/var/log/cron: Logs cron job executions.
/var/log/daemon.log: Tracks background service activities.
/var/log/btmp: Documents failed login attempts.
/var/log/httpd/: Contains Apache HTTPD error and access logs.
/var/log/: Always check for unexpected logs here.
This video provides a quick demonstration of using the Windows Event Viewer to view and analyze Windows log files.