DEV Community

Cover image for Logs Fundamentals for Cybersecurity: What Every Analyst Should Know
Mohamed Adan Daud
Mohamed Adan Daud

Posted on

Logs Fundamentals for Cybersecurity: What Every Analyst Should Know

Attackers are clever—they often take measures to avoid leaving traces on the victim's systems to evade detection. Yet, security teams frequently manage to determine how an attack was executed, and in some cases, even identify the attacker.

Real-World Analogy

Imagine a group of policemen investigating the disappearance of a precious locket in a snowy jungle cabin. Here's what they found:

  • A brutally damaged wooden door
  • A collapsed ceiling
  • Footprints in the snow leading to the cabin
  • CCTV footage from a nearby residence

By piecing together these physical clues, they were able to reconstruct the incident and identify the criminal.

Digital Clues: Enter Logs

So, what happens when the crime occurs inside a digital device? Where are these traces found?

In the digital world, these traces are stored in logs.

What Are Logs?

Logs are the digital footprints left behind by system and user activities. These activities may be routine and legitimate—or they may be malicious.

Logs help security teams:

  • Trace what happened
  • Determine how it happened
  • Identify who was behind it

Just like the real-world clues help solve physical crimes, logs are critical pieces of evidence in digital forensics and incident response.

In summary, logs play a central role in investigating security incidents by recording actions, changes, and patterns that may otherwise go unnoticed.

Use Cases of Logs

Logs play a vital role in several areas of cyber security and system administration. They serve as a central source of truth, helping detect issues, investigate incidents, and ensure compliance.

Below are some key use cases where logs are especially important:

Use Case Description
1. Security Events Monitoring Logs help detect anomalous behavior, especially when used in real-time monitoring systems.
2. Incident Investigation and Forensics Logs provide detailed records of activities, enabling security teams to perform root cause analysis of incidents.
3. Troubleshooting Logs record errors and warnings from systems or applications, helping diagnose and fix technical issues.
4. Performance Monitoring Logs offer insights into system and application performance, such as response times and load metrics.
5. Auditing and Compliance Logs are critical for audit trails and meeting compliance requirements, helping demonstrate accountability.

This section will help you gain an understanding of the various types of logs maintained across systems. You will also get hands-on experience investigating logs to trace different types of cyber attacks.

Types of Logs

In the previous task, we saw various use cases of logs. But there is a challenge. Imagine you have to investigate an issue in a system through the logs; you open the log file of that system, and now you are lost after seeing numerous events of different categories.

Here is the solution: Logs are segregated into multiple categories according to the type of information they provide. So now you just need to look into the specific log file for which the issue relates.

For example, you need to investigate the successful logins from yesterday at a specific timeframe in Windows OS. Instead of looking into all the logs, you only need to see the system’s Security Logs to find the login information. We also have other types of logs that are useful in investigating different incidents. Let’s have a look at them.

Different types of logs serve different purposes within an IT environment. Understanding each log type helps in efficiently monitoring systems, investigating incidents, and ensuring compliance.

Log Type Usage Example Events
System Logs Helpful in troubleshooting operating system issues and understanding system-level activities. - System startup and shutdown events
- Driver loading events
- System error events
- Hardware events
Security Logs Used to detect and investigate security incidents. They provide visibility into security-related actions. - Authentication events
- Authorization events
- Security policy changes
- User account changes
- Abnormal activity events
Application Logs Track application-specific activities, both interactive and background processes. - User interaction events
- Application changes
- Application updates
- Application error events
Audit Logs Provide detailed records of system and user activities. Useful for compliance and monitoring. - Data access events
- System change events
- User activity events
- Policy enforcement events
Network Logs Offer visibility into network traffic for troubleshooting and incident investigations. - Incoming network traffic
- Outgoing network traffic
- Connection logs
- Firewall logs
Access Logs Record access to resources like applications, databases, or APIs. - Web server access logs
- Database access logs
- Application access logs
- API access logs

Note: There can be various other types of logs depending on the different applications and the services they provide.

Now that we understand what these logs are and how various types of logs can be helpful in different scenarios, let’s see how we analyze these logs and extract valuable information required from them. Log Analysis is a technique for extracting valuable data from logs. It involves looking for any signs of abnormal or unusual activities. Searching for a specific activity or abnormalities in the logs with the naked eye is impossible.

Windows Event Logs Analysis

Like other operating systems, Windows OS also logs many of the activities that take place. These are stored in segregated log files, each with a specific log category. Some of the crucial types of logs stored in a Windows Operating System are:

  • Application: There are many applications running on the operating system. Any information related to those applications is logged into this file. This information includes errors, warnings, compatibility issues, etc.
  • System: The operating system itself has different running operations. Any information related to these operations is logged in the System log file. This information includes driver issues, hardware issues, system startup and shutdown information, services information, etc.
  • Security: This is the most important log file in Windows OS in terms of security. It logs all security-related activities, including user authentication, changes in user accounts, security policy changes, etc.

Besides these, several other log files in the Windows operating system are designed for logging activities related to specific actions and applications.

Unlike other log files studied in the previous tasks, which had no built-in application to view them, Windows OS has a utility known as Event Viewer, which gives a nice graphical user interface to view and search for anything in these logs.

To open Event Viewer, click on the Start button of Windows and type Event Viewer. It will open the Event Viewer for you, as shown below. The highlighted area in the screenshot below shows the different available logs.

You can click Windows Logs from the highlighted section to see the different types of logs we discussed at the beginning of this task.
The first highlighted portion shows the different log files. When we click one of these log files, we will see the different logs, as can be seen in the second highlighted portion. Lastly, in the third highlighted portion, we have different options for analyzing the logs.

Let’s double-click on one of these logs to see its contents.

This is how a Windows event log looks. It has different fields. The major fields are discussed below:

  • Description: This field has a detailed information of the activity.
  • Log Name: The Log Name indicates the log file name.
  • Logged: This field indicates the time of the activity.
  • Event ID: Event IDs are unique identifiers for a specific activity.

Numerous event IDs are available in Windows event logs. We can use these event IDs to search for any specific activity. For example, event ID 4624 uniquely identifies the activity of a successful login, so you only need to search for this event ID 4624 when investigating successful logins.

Below is a list of frequently encountered Windows Security Event IDs and their corresponding descriptions. These are typically found in the Security log within Event Viewer and are crucial for monitoring account-related activities.

Event ID Description
4624 A user account successfully logged in
4625 A user account failed to login
4634 A user account successfully logged off
4720 A user account was created
4724 An attempt was made to reset an account’s password
4722 A user account was enabled
4725 A user account was disabled
4726 A user account was deleted

These events are especially important when performing security audits or investigating unauthorized access or account changes.

There are many more event IDs. It is not necessary to remember all of them, but it is good to remember the crucial event IDs.

Event Viewer allows us to search for the logs related to a specific event ID with its ‘Filter Current Log’ feature. We can click on this feature to apply any filter.

When we click on the ‘Filter Current Log’ option, we will be prompted to enter the event IDs we want to filter. In the screenshot below, I filtered the event ID 4624.

Once I hit the 'OK' button, I can see all the logs with the event ID: 4624. I can now view any of these logs by double-clicking them.

Web Server Access Logs Analysis

Every time we interact with a website—whether simply browsing, logging in, or uploading a file—we are generating requests to that web server. These requests are captured and stored in access logs maintained by the web server.

One of the most commonly used web servers is Apache, which stores its access logs in: /var/log/apache2/access.log

These logs are crucial for:

  • Monitoring website activity
  • Identifying abnormal behavior
  • Troubleshooting issues
  • Investigating security incidents

Sample Log Fields Explained

Below are the key fields typically found in a sample Apache access log entry:

Field Description
IP Address "172.16.0.1" – The IP address of the user making the request.
Timestamp "[06/Jun/2024:13:58:44]" – The exact date and time when the request was made.
HTTP Method "GET" – The action the user wants the server to perform (e.g., GET, POST, PUT, etc.).
URL "/" – The resource or endpoint that was requested.
Status Code "200" – The server’s response to the request. Examples:
  • 200 = OK
  • 404 = Not Found
  • 500 = Internal Server Error | | User-Agent | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3)... – Details about the user's operating system, browser, and device. |

Why This Matters

Access logs can help detect:

  • Unauthorized access attempts
  • Bot traffic
  • Suspicious upload or login activities
  • Web application attacks (e.g., SQL injection, XSS)

In the next steps, you’ll learn how to manually analyze access logs to extract this valuable information and recognize potential threats.

We can perform manual log analysis by using some command line utilities in the Linux operating system. The following are some commands that can be useful during manual log analysis.

cat is a popular utility for displaying the contents of a text file. We can use the cat command to display the contents of a log file, as they are typically in the text format.

root@kali$ cat access.log
172.16.0.1 - - [06/Jun/2024:13:58:44] "GET /products HTTP/1.1" 404 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
10.0.0.1 - - [06/Jun/2024:13:57:44] "GET / HTTP/1.1" 404 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
192.168.1.1 - - [06/Jun/2024:13:56:44] "GET /about HTTP/1.1" 500 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
Enter fullscreen mode Exit fullscreen mode

Most systems rotate the logs regularly. This rotation helps them create individual log files for specific timeframes and not carry them all in a single log file. But sometimes, we may need to combine two log files. The cat command-line utility can also be helpful in this case. We can combine the results of multiple files within one single file, as shown below.

root@kali$ cat access1.log access2.log > combined_access.log
Enter fullscreen mode Exit fullscreen mode

grep is a very useful command line utility that allows you to search for strings and patterns inside a log file. For example, you may need to search if a specific IP address is present in your log file. You can do this by using the following command: The following command will search the access.log file for the string ‘192.168.1.1’ and display all the lines with this string.

root@kali$ grep "192.168.1.1" access.log
192.168.1.1 - - [06/Jun/2024:13:56:44] "GET /about HTTP/1.1" 500 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
192.168.1.1 - - [06/Jun/2024:13:53:44] "GET /products HTTP/1.1" 404 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
192.168.1.1 - - [06/Jun/2024:13:46:44] "GET /about HTTP/1.1" 200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
Enter fullscreen mode Exit fullscreen mode

The less command is helpful for handling multiple log files. You may need to analyze specific chunks one by one. For this, you can use the less command-line utility, which helps you view one page at a time.

root@kali$ less access.log
172.16.0.1 - - [06/Jun/2024:13:52:44] "GET /products HTTP/1.1" 404 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
10.0.0.1 - - [06/Jun/2024:13:48:44] "GET /about HTTP/1.1" 404 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
192.168.1.1 - - [06/Jun/2024:13:46:44] "GET /about HTTP/1.1" 200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
Enter fullscreen mode Exit fullscreen mode

Use spacebar to move to the next page and b to the previous page.

After running this command, the logs would be displayed in pages, one after one, making it easy for manual analysis. If you wish to search for something in the logs, you can type / followed by the pattern you are searching for and hit enter.

Use n to navigate to the next occurrence of your search and N to navigate to the previous occurrence of your search.

📁 More resources available on GitHub

🔗 Connect on LinkedIn

✍️ Prepared by moh4med404 — inspired by the Cybersecurity 101 path on TryHackMe

Top comments (0)