Understanding System Logging and Analysis

Feb 6, 2025

Lecture on System Logging and Log Analysis

Importance of Logs

  • Logs generated by endpoints, servers, virtual machines, and operating systems (Windows, Linux, macOS) are a crucial source of information.
  • Types of logs include:
    • Event Logs
    • Application Logs
    • Security Logs
    • System Logs
    • Setup Logs
    • Forwarded Logs

Logging in Operating Systems

Windows

  • Application Logs: Generated by apps/services (e.g., service start failures).
  • Security Logs: Events related to authentication, privileged access attempts.
  • System Logs: OS internals, device components, hardware failures.
  • Setup Logs: During software installation.
  • Forwarded Logs: Collected from other computers.
  • Severity scale: Informational, Warning, Error, Audit Success/Failure.

Linux

  • Logs stored in /var/log (text format).
  • Systemd logs are stored in a binary journal and viewed with journalctl.

macOS

  • Logs are viewed via the Console app (text format) and are not consistently formatted.

Log Analysis

  • Correlation: connecting data from multiple events.
    • Example: 10 failed logins mean something different from 10 failed logins followed by 1 successful login.
  • Configuration changes: Validate expected changes.
  • Time gaps: Detect potential log deletions by attackers.
  • Trend analysis: Monitor log generation rates for anomalies.
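The three analysis techniques above (correlation of failures followed by a success, detection of time gaps, and trend analysis of log volume) are shown together in the following Python script. It is an added example written for these notes, not part of the lecture; the sshd-style log lines, host names and addresses are constructed, and the thresholds (3 failures, a 15-minute gap, 3x the median minute) are assumptions chosen for illustration.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (sshd-style lines, not real data):
# a burst of failures from one source ending in a success, a couple of
# failures from another source, and a long silence after 09:00.
SAMPLE_LOG = """\
2025-02-06T08:55:00 host1 cron: job finished
2025-02-06T08:56:00 host1 cron: job finished
2025-02-06T08:57:00 host1 cron: job finished
2025-02-06T08:58:00 host1 cron: job finished
2025-02-06T08:59:00 host1 cron: job finished
2025-02-06T09:00:01 host1 sshd: Failed password for admin from 203.0.113.5
2025-02-06T09:00:03 host1 sshd: Failed password for admin from 203.0.113.5
2025-02-06T09:00:05 host1 sshd: Failed password for admin from 203.0.113.5
2025-02-06T09:00:07 host1 sshd: Failed password for admin from 203.0.113.5
2025-02-06T09:00:09 host1 sshd: Accepted password for admin from 203.0.113.5
2025-02-06T09:00:11 host1 sshd: Failed password for bob from 198.51.100.7
2025-02-06T09:00:12 host1 sshd: Failed password for bob from 198.51.100.7
2025-02-06T09:00:13 host1 cron: job finished
2025-02-06T09:45:00 host1 cron: job finished
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([^:]+): (.*)$")
AUTH_RE = re.compile(r"^(Failed|Accepted) password for (\S+) from (\S+)$")


def parse(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, prog, msg = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "prog": prog, "msg": msg})
    return events


def correlate_logins(events, min_failures=3):
    """Correlation: a success preceded by >= min_failures failures from the
    same source is far more interesting than the failures on their own."""
    failures = defaultdict(int)
    hits = []
    for e in events:
        m = AUTH_RE.match(e["msg"])
        if not m:
            continue
        result, user, src = m.groups()
        if result == "Failed":
            failures[src] += 1
            continue
        if failures[src] >= min_failures:
            hits.append((src, user, failures[src]))
        failures[src] = 0  # a success resets the counter either way
    return hits


def find_gaps(events, max_gap=timedelta(minutes=15)):
    """Time gaps: a host that normally logs every minute but goes quiet
    may have had logs deleted or logging stopped."""
    return [(a["ts"], b["ts"]) for a, b in zip(events, events[1:])
            if b["ts"] - a["ts"] > max_gap]


def rate_per_minute(events):
    """Trend analysis input: number of events produced in each minute."""
    return Counter(e["ts"].replace(second=0, microsecond=0) for e in events)


def rate_anomalies(counts, factor=3):
    """Minutes whose volume exceeds factor x the median minute."""
    baseline = statistics.median(counts.values())
    return sorted(m for m, n in counts.items() if n > factor * baseline)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("failed-then-success:", correlate_logins(ev))
    print("gaps:", find_gaps(ev))
    print("busy minutes:", rate_anomalies(rate_per_minute(ev)))
```

On the sample, only the source with four failures and then a success is reported; the two failures from the second source never cross the threshold, the 45-minute silence is reported as a gap, and 09:00 stands out as the only busy minute.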

Syslog Protocol

  • Used widely in networking for logging.
  • Originally insecure (plaintext over UDP port 514); newer versions use TCP (port 468) with TLS.
  • Structure: Header (timestamp, IP), Facility, Severity, Message.
  • Firewall logs: Track connections, protocols, bandwidth, and address translation.
    • Focus on dropped and permitted traffic.
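The syslog message structure (PRI header carrying facility and severity, then timestamp, host, tag and message) and the "dropped versus permitted" view of firewall logs are worked through in the following Python parser. It is an added example for these notes, not lecture material; the BSD-style syslog lines, host names, addresses and the key=value layout of the firewall messages are constructed and assumed, since firewall vendors format that part differently.

```python
import re
from collections import Counter

# Constructed BSD-style (RFC 3164) syslog lines as a firewall might send them,
# plus one application line and one malformed line. Not real traffic.
SAMPLE = """\
<134>Feb  6 10:15:02 fw01 kernel: action=DROP src=203.0.113.9 dst=192.0.2.10 proto=TCP dport=22
<134>Feb  6 10:15:03 fw01 kernel: action=ACCEPT src=198.51.100.4 dst=192.0.2.10 proto=TCP dport=443
<134>Feb  6 10:15:04 fw01 kernel: action=DROP src=203.0.113.9 dst=192.0.2.10 proto=TCP dport=23
<13>Feb  6 10:15:05 app01 myapp: user alice logged in
this line has no syslog header at all
"""

# PRI = facility * 8 + severity; both are decoded from the leading <n>.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>"                             # PRI
    r"([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # timestamp
    r"(\S+) "                                   # hostname
    r"([^:\s]+): "                              # tag / program name
    r"(.*)$"                                    # free-form message
)


def parse_syslog(line):
    """Return a dict for a well-formed line, or None so callers can count rejects."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # 23 * 8 + 7 is the largest legal PRI value
        return None
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": m.group(2), "host": m.group(3),
            "tag": m.group(4), "msg": m.group(5)}


def parse_all(text):
    return [r for r in (parse_syslog(l) for l in text.splitlines()) if r]


def summarize_firewall(records):
    """Split key=value firewall messages into dropped and permitted counts per source."""
    drops, permits = Counter(), Counter()
    for r in records:
        kv = dict(p.split("=", 1) for p in r["msg"].split() if "=" in p)
        if "action" not in kv or "src" not in kv:
            continue         # not a firewall connection record
        (drops if kv["action"] == "DROP" else permits)[kv["src"]] += 1
    return drops, permits


if __name__ == "__main__":
    records = parse_all(SAMPLE)
    for r in records:
        print(r["facility"], r["severity"], r["host"], r["tag"], r["msg"])
    print("dropped:", summarize_firewall(records)[0])
    print("permitted:", summarize_firewall(records)[1])
```

The malformed last line is rejected rather than guessed at, which is the behaviour you want from a collector: a count of rejected lines is itself a signal worth watching.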

Proxies and Firewalls

  • Forward Proxies: Manage outbound traffic.
    • Types: Transparent (no client config), Non-transparent (requires client config).
  • Reverse Proxies: Manage inbound traffic, act as load balancers.
  • Proxy logs can reveal malicious traffic and help monitor security threats.

Web Application Firewalls (WAF)

  • Protects web applications by analyzing application-level requests.
  • Detects web attacks (SQL injections, XSS, etc.), logs denied requests.

Intrusion Detection/Prevention Systems (IDS/IPS)

  • Analyze packets to detect suspicious patterns.
  • Difference from firewalls: IDS/IPS focus on detecting malicious intent.
  • Integrated in modern firewalls.
  • Require monitoring and rule adjustments.

Snort IDS

  • Open-source IDS, also used in commercial solutions.
  • Example Snort Rule: Detects IMAP brute force login attempts.
    • Configuration includes network definitions, attack signatures.
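The lecture's Snort rule itself is not reproduced in these notes, so the following Python script models how such a rule works instead: a signature (IMAP port plus a LOGIN command in the payload) combined with a per-source rate threshold, the way Snort's detection_filter option thresholds a rule. It is an added example, not Snort code or the lecture's rule; the threshold values, the packet records and the addresses are constructed and assumed.

```python
from collections import defaultdict, deque

# Assumed rule, written as a dict rather than in Snort syntax: match IMAP
# (TCP port 143) packets whose payload carries a LOGIN command, and alert
# when one source exceeds COUNT matches inside SECONDS, mirroring a
# detection_filter that tracks by source address.
IMAP_BRUTE_RULE = {"dport": 143, "content": "LOGIN", "count": 5, "seconds": 30}

# Constructed packet records: (timestamp_seconds, src_ip, dst_port, payload).
# Source A sends seven LOGINs in 18 seconds; source B sends three spread over
# 100 seconds; source C sends NOOPs only. None of this is captured traffic.
PACKETS = sorted(
    [(t, "203.0.113.8", 143, "a001 LOGIN alice xxxx") for t in range(0, 21, 3)]
    + [(t, "198.51.100.2", 143, "a002 LOGIN bob xxxx") for t in (0, 50, 100)]
    + [(t, "192.0.2.44", 143, "a003 NOOP") for t in range(10)]
)


def detect(packets, rule):
    """Return (ts, src, matches_in_window) for every packet that pushes a source
    over the rule's threshold; each such packet is one alert, as in Snort."""
    windows = defaultdict(deque)      # per-source timestamps of recent matches
    alerts = []
    for ts, src, dport, payload in packets:
        if dport != rule["dport"] or rule["content"].lower() not in payload.lower():
            continue                  # signature did not match this packet
        q = windows[src]
        q.append(ts)
        while ts - q[0] > rule["seconds"]:   # drop matches older than the window
            q.popleft()
        if len(q) > rule["count"]:
            alerts.append((ts, src, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect(PACKETS, IMAP_BRUTE_RULE):
        print("ALERT imap brute force:", alert)
```

Only the source that crosses the threshold produces alerts (one for the sixth match and one for the seventh); the slow source and the NOOP-only source stay silent. Tuning `count` and `seconds` is the "rule adjustment" the lecture mentions: too low and legitimate mail clients reconnecting after an outage will trigger it, too high and a patient attempt slips under it.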

Key Takeaways

  • Understand log formats, storage, and transfer methods.
  • Differentiate between log types (firewall, proxy, IDS, WAF).
  • Prepare for exam focus on syslog protocol and log management.

This lecture provides a comprehensive overview of system logging, emphasizing the importance of analyzing and correlating log data to detect and respond to security incidents effectively.