Log files. That’s a whole lot of information most people have no idea even exists. But it’s the chronological capture of system events that you are going to need one day, and trust me – you will be so damn glad you have them.
So, two points right now.
- Enable logging. Make sure all your devices that have this feature are putting it to work for you. This is how you know what went wrong when something goes wrong. How you find the elephant’s footprints in the peanut butter after there has been an unfortunate incident.
- Where possible, make sure logs are backed up and not accessible to everyone. Because bad people happen to good logs. Sorry, I cannot say more. You’ll have to take my word for it.
In my talks on Threat Intel, I reference log files as having a story to tell, if you are listening. Knowing how to use your logs is key to assuming a proactive defense posture.
Logs are generated by a multitude of sources which can be overwhelming. What do you look at? Where do you start? Automation. There are log viewers and scripts by those who have come before you that will enable you to access and utilize what’s in your log data.
To help you get started, Nasruminallah Zeeshan has written a very good piece for Peerlyst, “How to Build a List of Log Files That You Need to be Inspecting Regularly” that presents the main log files you should know and be inspecting regularly for Windows and Linux. Let me share that here.
Log files in Windows systems
Windows manages and provides an assessment of log files with the help of Event Viewer. The Windows Event Viewer shows logs about application and system messages, errors, information messages, and warnings. You can run the Windows Event Viewer by entering eventvwr.msc into the Run box. In the following lines, we list the necessary log files in Windows. You may need to check the following files daily for improved security.
- The %WINDIR%\System32\config or %WINDIR%\System32\winevt\Logs folders contain most of the log files you can see with Event Viewer.
- The folder %WINDIR%\Logs contains various log files in text format.
- Microsoft Security Essentials stores its runtime log files in the %PROGRAMDATA%\Microsoft\Microsoft Antimalware\Support folder and its installation log files in the %PROGRAMDATA%\Microsoft\Microsoft Security Client\Support folder.
- The Windows system stores temporary installation and Windows Defender log files under %WINDIR%\Temp\*.log and %AppData%\Local\Temp\*.log. The first location contains information about MSI installations and Windows Defender scanning logs, and the second contains information about MSI installations run by the current user.
- The %WINDIR%\INF\setupapi.dev.log includes information on plug and play devices and their installation.
- The %WINDIR%\INF\setupapi.app.log file holds information about application installations.
- The %WINDIR%\Performance\Winsat\winsat.log file contains the results of system performance tests.
- For Windows Update information, the %WINDIR%\WindowsUpdate.log file holds information about all events related to Windows Update.
- To know about software related events and update status reports, focus on the %WINDIR%\SoftwareDistribution\ReportingEvents.log file.
- To find out changes being made to Windows components and features, you can access the information in the %WINDIR%\Logs\CBS\CBS.log file.
Log files in Linux systems
To keep an eye on log files in Linux, check them daily. As Linux systems have multiple users, system administrators are advised to actively track important log files. If possible, make a list of log files ranked by criticality, and check them accordingly on a routine basis. On Linux, most log files are stored in the /var/log/ directory. To help you make a list of important log files in Linux, consider picking the ones listed below.
- The /var/log/messages file contains information about general system activities. The information stored in this file helps you troubleshoot general system errors and messages.
- Linux systems use the /var/log/auth.log file to save information about authentication. This file helps you track activity regarding user authentication, such as failed login attempts, brute force attacks and other attack vectors related to user authentication. For the same purpose, Red Hat and CentOS based systems use the /var/log/secure file. It also logs information about sudo and SSH logins.
- To find information about system events related to shutdown or restart routines, use the /var/log/boot.log file.
- Linux systems log hardware devices and their driver information to the /var/log/dmesg file. The system writes to this file during startup, recording device status, hardware errors and other generic messages. If a hardware device is not functioning properly, check this file for relevant information.
- Kernel information is important for knowing the system status. To troubleshoot kernel-level errors, use the /var/log/kern.log file. This file can help you bridge the gap between stable system states, especially in the case of a custom-built kernel.
- Similar to /var/log/auth.log, /var/log/faillog contains information on failed login attempts. The auth.log and faillog files are used to identify security breaches related to usernames and passwords. These files also play a vital role in gathering information about a brute force attack.
- In Linux and UNIX systems, Cron lets you run commands or scripts at a given, pre-scheduled time. The file /var/log/cron holds information about Cron jobs. By reviewing this file, you can find Cron job statuses such as successful execution or errors when a job fails.
- Application installation information is logged to the /var/log/yum.log file if the package is installed with the Yum tool. If you need information about package installation, or want to look for errors caused by recent installation activity, focus on the yum.log file. In this file, you can find the complete installation status of any package.
- Mail server logs are stored in /var/log/maillog or /var/log/mail.log. These files help you track all incoming and outgoing email, along with failed delivery information. You can also find information about blocked spam emails in these files.
- The /var/log/httpd directory holds information about the Apache server. Apache logs to the error_log and access_log files. To track information about Apache errors and performance, look at error_log; access_log stores information about all access requests received over HTTP.
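As an added example (not part of the original post or the Peerlyst piece), here is a small Python script that reads the kind of sshd and sudo entries auth.log holds, counts failed logins per source address, and flags sources that either cross a failure threshold or cycle through several usernames. The log lines, host name, addresses and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (not from any real host).
SAMPLE_AUTH_LOG = """\
Mar  3 10:12:01 web01 sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 51200 ssh2
Mar  3 10:12:09 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:12:11 web01 sshd[2217]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  3 10:12:13 web01 sshd[2219]: Failed password for invalid user oracle from 203.0.113.7 port 40138 ssh2
Mar  3 10:12:15 web01 sshd[2221]: Failed password for invalid user test from 203.0.113.7 port 40144 ssh2
Mar  3 10:12:40 web01 sshd[2230]: Failed password for alice from 192.0.2.44 port 50012 ssh2
Mar  3 10:12:58 web01 sshd[2232]: Accepted password for alice from 192.0.2.44 port 50014 ssh2
Mar  3 10:13:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")

def summarize_auth_log(text):
    """Return failures per source IP, usernames tried per source IP, and sudo commands run."""
    failures = Counter()
    users_tried = defaultdict(set)
    sudo_cmds = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            users_tried[m.group("ip")].add(m.group("user"))
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo_cmds.append((m.group("user"), m.group("cmd")))
    return failures, users_tried, sudo_cmds

def suspicious_sources(failures, users_tried, threshold=3):
    """Flag sources at or above the failure threshold, or trying more than one username."""
    return sorted(ip for ip in failures
                  if failures[ip] >= threshold or len(users_tried[ip]) > 1)

if __name__ == "__main__":
    f, u, s = summarize_auth_log(SAMPLE_AUTH_LOG)
    for ip in suspicious_sources(f, u):
        print(f"{ip}: {f[ip]} failures, usernames tried: {sorted(u[ip])}")
    for user, cmd in s:
        print(f"sudo by {user}: {cmd}")
```

A single failure from 192.0.2.44 followed by an accepted login is left unflagged, while 203.0.113.7 is flagged both for volume and for username cycling; replace SAMPLE_AUTH_LOG with the contents of /var/log/auth.log (or /var/log/secure) to run it on a real host.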