Log generation and analysis is an important part of IT operations and security. It is the process of collecting, reviewing and interpreting log files, such as network and system logs, to gain insight into what is happening on a system. Security logs help determine what went wrong and how an attack was carried out: every entry carries a timestamp, so events can be ordered across sources and correlated to reconstruct which action led to a particular failure or compromise. It is important to understand the different types of security log sources, so let us look at the most common ones in detail.
1. Sysmon Logs
System Monitor (Sysmon) is a free Windows system service and device driver from Microsoft's Sysinternals suite that monitors system activity and records it in the Windows event log (the Microsoft-Windows-Sysmon/Operational channel). It records events such as process creation (with the full command line, parent process and file hashes), network connections, file creation and modification, driver and image loads, raw disk access, remote thread creation and process memory access, all in one place, each tagged with a numeric Event ID (for example 1 for process creation, 3 for a network connection and 11 for file creation). Microsoft updates it regularly and adds new event types over time. By analyzing these logs, malicious activity can be identified and the way intruders operate on the network can be reconstructed. Its limitations are that it does not attempt to hide or protect itself from adversaries, and it does not analyze the events it generates; that work is left to the analyst or the SIEM that collects them.
2. Windows Security Logs
The Security log records security-related events according to the system's audit policy. It is a useful source for spotting attempted and successful unauthorized activity and for troubleshooting access problems. The log and the audit policy are controlled by the system administrator, who can change what is audited, grant or remove rights and even clear the log entirely (clearing it leaves a single Event ID 1102, "The audit log was cleared"). This means that once an administrator account has been compromised, the Security log on that machine can no longer be trusted on its own and should be forwarded to a separate collector. It records logon and logoff events (Event ID 4624 for a successful logon and 4625 for a failed one), including the account, logon type and source IP address, as well as privilege and policy changes, system events and process tracking.
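As an added example (not code from the original article), the following Python parses event records in the XML form that Event Viewer exports and applies three simple rules across both log sources just described: an Office application spawning a script host and an encoded PowerShell command line (Sysmon Event ID 1), a burst of failed logons from one address (Security Event ID 4625), and the audit log being cleared (Event ID 1102). The sample records, the process lists and the threshold of five failures in 60 seconds are constructed for illustration and are not from any real system.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Namespace used by every Windows event record when rendered as XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSMON = "Microsoft-Windows-Sysmon"
SECURITY = "Microsoft-Windows-Security-Auditing"

# Assumed lists and thresholds for the rules; tune them for your environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BRUTE_FORCE_THRESHOLD = 5                   # failed logons from one address ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)  # ... within this window


def parse_event(xml_text):
    """Flatten one <Event> record into a dict of its System and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
    ev = {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "time": datetime.fromisoformat(stamp),
    }
    data = root.find("e:EventData", NS)
    if data is not None:
        for d in data.findall("e:Data", NS):
            ev[d.get("Name")] = d.text or ""
    return ev


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Apply the rules in time order and return (rule, detail) alerts."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of 4625 events seen so far
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["provider"] == SYSMON and ev["event_id"] == 1:  # process creation
            parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", f"{parent} -> {child}"))
            if "-enc" in ev.get("CommandLine", "").lower():  # matches -enc and -EncodedCommand
                alerts.append(("encoded_powershell", ev["CommandLine"]))
        elif ev["provider"] == SECURITY and ev["event_id"] == 4625:  # failed logon
            ip = ev.get("IpAddress", "-")
            failures[ip].append(ev["time"])
            recent = [t for t in failures[ip] if ev["time"] - t <= BRUTE_FORCE_WINDOW]
            if len(recent) == BRUTE_FORCE_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append(("logon_brute_force", f"{ip}: {len(recent)} failures in 60s"))
        elif ev["provider"] == SECURITY and ev["event_id"] == 1102:  # audit log cleared
            alerts.append(("audit_log_cleared", "Security log cleared; earlier events on this host are suspect"))
    return alerts


def _event(provider, event_id, time, **data):
    """Build a constructed record in the XML shape Event Viewer exports (sample data, not real logs)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


SAMPLE_EVENTS = [
    _event(SYSMON, 1, "2024-03-01T09:00:00Z",
           Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA",
           ParentImage=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
] + [
    _event(SECURITY, 4625, f"2024-03-01T09:01:{s:02d}Z",
           TargetUserName="administrator", IpAddress="203.0.113.5", LogonType="3")
    for s in range(0, 50, 10)  # five failures spread over 40 seconds
] + [
    # A real 1102 carries its fields under <UserData>; the rule keys on the EventID alone.
    _event(SECURITY, 1102, "2024-03-01T09:05:00Z", SubjectUserName="administrator"),
]


def run_sample():
    return analyze([parse_event(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"[{rule}] {detail}")
```

On a real host the records come from `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` or from a forwarded-events collector; the point of the last rule is that a 1102 is itself the alert, since it is the one trace an attacker cannot remove by clearing the log.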
3. Windows System Logs
The System log records events from Windows system components such as drivers, services and built-in components, including error and warning messages, while the separate Application log records events from programs installed on the system. Together they support most kinds of Windows troubleshooting, and the System log also records what happened at boot time. Each event carries an event identifier (ID) that uniquely defines the kind of event the computer encountered. The logs routinely contain harmless errors and warnings; scammers exploit this by walking a victim through Event Viewer, presenting these routine entries as proof that the machine is infected, and then asking for credentials or payment to "repair" it.
4. NetFlow Logs
NetFlow is a network protocol developed by Cisco for exporting summaries of IP traffic flows from routers and switches; versions 5 and 9 are the most common, and IPFIX is the IETF-standardised successor. A flow is a set of packets sharing source and destination address, ports and protocol; the exporter sends one record per flow with packet and byte counts and timing, not the packet contents. Using a NetFlow collector and analyzer, you can see where traffic is coming from and going to and how much passes through each interface, and so monitor bandwidth and traffic patterns. Network administrators use NetFlow logs to identify which hosts, protocols or applications consume the most bandwidth and what causes congestion; the same records also reveal unusual destinations, port scans and large outbound transfers.
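To show what a collector actually receives, here is an added example (not from the original article) that decodes a NetFlow v5 export datagram with the standard library and then asks two of the questions the paragraph mentions: who sends the most bytes, and which source is probing many ports with one-packet flows. The flows are constructed sample data encoded by a helper in the same script; the next-hop, AS and mask fields are filler, and the thresholds are assumptions.

```python
import socket
import struct
from collections import Counter, defaultdict

# NetFlow v5 wire format: a 24-byte header followed by up to 30 fixed 48-byte flow records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
          "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
          "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def parse_netflow_v5(datagram):
    """Decode one export datagram into a list of flow dicts (one per record)."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, unix_secs, _nsecs, _seq, _etype, _eid, _sampling = \
        struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram truncated: header promises more records than are present")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        rec = dict(zip(FIELDS, struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        rec["export_time"] = unix_secs
        flows.append(rec)
    return flows


def top_talkers(flows, n=3):
    """Sources ranked by bytes sent; a large outbound total from one host is the first thing to check."""
    octets = Counter()
    for f in flows:
        octets[f["srcaddr"]] += f["dOctets"]
    return octets.most_common(n)


def port_scanners(flows, min_ports=10):
    """Sources whose tiny TCP flows touch many distinct destination ports: scan-like behaviour."""
    targets = defaultdict(set)
    for f in flows:
        if f["prot"] == 6 and f["dPkts"] <= 2:
            targets[f["srcaddr"]].add((f["dstaddr"], f["dstport"]))
    return sorted(src for src, t in targets.items() if len(t) >= min_ports)


def build_datagram(flows):
    """Encode (src, dst, sport, dport, proto, pkts, octets) tuples as a v5 datagram.
    Constructed sample standing in for what a router would export; nexthop, AS and masks are filler."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 100000, 1709283600, 0, 1, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                    socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, 1000, 2000,
                    sport, dport, 0, 0x02, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets in flows)
    return header + body


SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.9", 51000, 443, 6, 40000, 52_000_000),  # large outbound transfer
    ("10.0.0.6", "10.0.0.10", 51001, 445, 6, 120, 150_000),           # ordinary SMB session
    ("10.0.0.7", "8.8.8.8", 51002, 53, 17, 2, 180),                   # one DNS lookup
] + [
    ("10.0.0.77", "10.0.0.10", 40000 + p, p, 6, 1, 60) for p in range(20, 32)  # 12 one-packet probes
]


def run_sample():
    flows = parse_netflow_v5(build_datagram(SAMPLE_FLOWS))
    return {"flows": len(flows), "top_talkers": top_talkers(flows, 2), "scanners": port_scanners(flows)}


if __name__ == "__main__":
    print(run_sample())
```

Real exporters send these datagrams over UDP (port 2055 by convention, but configurable), so a collector is just a UDP socket feeding `parse_netflow_v5`; the byte counts are per flow, which is why aggregation by source is needed before anything looks like a "top talker".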
5. PCAP Logs
Packet Capture (PCAP) refers both to an Application Programming Interface (API) for capturing network traffic, libpcap on Unix-like systems and WinPcap or Npcap on Windows, and to the file format those libraries use to save captured packets and read them back. Applications include network statistics collection, security monitoring and network debugging. The format is supported by many tools, such as tcpdump, Wireshark, tshark and Zeek, which read saved capture files and present them in analyzable form. Unlike NetFlow, a capture holds the full packets, so it can reveal IP addresses, domain names, protocols, timestamps, source and destination ports and the payload itself.
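The classic pcap file layout is simple enough to read without a library, and doing so shows what the tools above are working from. The following is an added example, not code from the original article: it writes a few constructed Ethernet/IPv4 packets into an in-memory pcap, reads them back (handling both byte orders and a capture cut off mid-record), and then flags sources that send bare SYNs to several ports. The packets, addresses and the three-port threshold are assumptions for illustration; pcapng, the newer format Wireshark writes by default, is deliberately not handled.

```python
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4          # magic as stored by a little-endian writer
PCAP_MAGIC_BE = 0xD4C3B2A1          # the same magic seen when the file is big-endian
LINKTYPE_ETHERNET = 1


def parse_pcap(data):
    """Return (ts, src, sport, dst, dport, proto, tcp_flags) for each IPv4 packet in a pcap."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng uses a different layout)")
    _magic, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} not handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # capture was cut off mid-record (tool killed, disk full): keep what we have
        off += incl_len
        decoded = decode_frame(frame)
        if decoded:
            packets.append((ts_sec + ts_usec / 1e6,) + decoded)
    return packets


def decode_frame(frame):
    """Ethernet -> IPv4 -> TCP/UDP header walk; None for anything that is not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 14:
        sport, dport = struct.unpack("!HH", l4[:4])
        return (src, sport, dst, dport, "tcp", l4[13] & 0x3F)  # low six flag bits: URG ACK PSH RST SYN FIN
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return (src, sport, dst, dport, "udp", 0)
    return (src, 0, dst, 0, str(proto), 0)


def syn_probes(packets, min_ports=3):
    """Sources sending bare SYNs (no ACK) to several destination ports: the shape of a port scan."""
    ports = {}
    for _ts, src, _sp, _dst, dport, proto, flags in packets:
        if proto == "tcp" and flags == 0x02:
            ports.setdefault(src, set()).add(dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def build_pcap(packets):
    """Write constructed Ethernet/IPv4 packets (sample data, not a real capture) as a little-endian pcap."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, src, sport, dst, dport, proto, flags in packets:
        if proto == 6:
            l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
        else:
            l4 = struct.pack("!HHHH", sport, dport, 8, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip + l4
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


SAMPLE_PACKETS = [
    (1709283600, 1000 * i, "192.0.2.10", 40000 + i, "10.0.0.10", port, 6, 0x02)  # bare SYNs
    for i, port in enumerate((22, 80, 443, 3389))
] + [
    (1709283600, 9000, "10.0.0.5", 53000, "10.0.0.53", 53, 17, 0),     # a DNS query
    (1709283601, 0, "10.0.0.5", 53001, "10.0.0.10", 443, 6, 0x18),     # PSH+ACK on a live session
]


def run_sample():
    packets = parse_pcap(build_pcap(SAMPLE_PACKETS))
    return {"packets": len(packets), "syn_probes": syn_probes(packets)}


if __name__ == "__main__":
    print(run_sample())
```

Checksums are left at zero in the constructed packets because nothing here validates them; a real capture from tcpdump or Wireshark (saved with `-w` or as "pcap", not "pcapng") parses the same way.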
6. Firewall Logs
Firewall logs document how the firewall handled each connection attempt and provide the source and destination IP addresses, protocol and port numbers for allowed and blocked traffic. They indicate malicious activity on the network by revealing suspicious connections, such as repeated blocked probes from one source or an allowed inbound connection to an administrative port. The Windows Firewall log (pfirewall.log, disabled by default and enabled per profile) records the date and time, the action (DROP or ALLOW), the protocol (TCP, UDP or ICMP), the source and destination addresses and ports, the packet size and whether the packet was received or sent. Firewall logs also allow bandwidth planning based on the usage observed across firewalls, and give the network administrator near-real-time information for spotting suspicious activity.
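Here is an added example (not from the original article) that parses the pfirewall.log layout using the file's own #Fields header and runs two checks on it: an outside address whose dropped inbound packets span many destination ports, and any inbound ALLOW from outside the LAN to an administrative port. The log lines are constructed, the "internal" networks are assumed to be the RFC 1918 ranges, and the port list and five-port threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Destination ports where an inbound ALLOW from outside the LAN deserves a look (assumed list).
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp"}
# RFC 1918 ranges stand in for "our network"; adjust to the site's actual address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_firewall_log(text):
    """Parse pfirewall.log using its own #Fields header, so the column order is never hard-coded."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appeared before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or partially written line; skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def _port(value):
    return int(value) if value.isdigit() else None  # ICMP lines carry "-" in the port columns


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def port_scans(rows, min_ports=5):
    """External sources whose dropped inbound probes span several distinct destination ports."""
    probes = defaultdict(set)
    for r in rows:
        port = _port(r["dst-port"])
        if r["action"] == "DROP" and r["path"] == "RECEIVE" and port is not None and not is_internal(r["src-ip"]):
            probes[r["src-ip"]].add(port)
    return {ip: sorted(p) for ip, p in probes.items() if len(p) >= min_ports}


def external_admin_access(rows):
    """Inbound connections the firewall ALLOWED from outside the LAN to an administrative port."""
    hits = []
    for r in rows:
        port = _port(r["dst-port"])
        if r["action"] == "ALLOW" and r["path"] == "RECEIVE" and port in ADMIN_PORTS and not is_internal(r["src-ip"]):
            hits.append((f'{r["date"]} {r["time"]}', r["src-ip"], ADMIN_PORTS[port]))
    return hits


# Constructed sample in the pfirewall.log layout; 203.0.113.x and 198.51.100.x are documentation
# addresses standing in for internet hosts.
SAMPLE_LOG = "\n".join(
    ["#Version: 1.5", "#Software: Microsoft Windows Firewall", "#Time Format: Local",
     "#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path"]
    + [f"2024-03-01 09:00:{i:02d} DROP TCP 203.0.113.5 10.0.0.10 {51000 + i} {p} 52 S 0 0 8192 - - - RECEIVE"
       for i, p in enumerate((21, 22, 23, 25, 80, 443))]
    + ["2024-03-01 09:00:30 DROP ICMP 203.0.113.5 10.0.0.10 - - 60 - - - - 8 0 - RECEIVE",
       "2024-03-01 09:01:00 ALLOW TCP 198.51.100.7 10.0.0.10 40111 3389 0 - 0 0 0 - - - RECEIVE",
       "2024-03-01 09:01:05 ALLOW TCP 10.0.0.6 10.0.0.10 49200 445 0 - 0 0 0 - - - RECEIVE",
       "2024-03-01 09:02:00 ALLOW TCP 10.0.0.10 93.184.216.34 49300 443 0 - 0 0 0 - - - SEND",
       "2024-03-01 09:02:10 DROP TCP 203.0.113.5"])  # partially written last line


def run_sample():
    rows = parse_firewall_log(SAMPLE_LOG)
    return {"rows": len(rows), "scans": port_scans(rows), "external_admin": external_admin_access(rows)}


if __name__ == "__main__":
    print(run_sample())
```

Reading the column names from the header matters in practice: the field list has changed between Windows versions, and a parser with hard-coded offsets silently mislabels columns when it does.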
7. Proxy Logs
Proxy logs record the users and applications that reach the internet through the proxy. Along with web requests from users, they include requests made by applications and services. The fields typically tracked include date and time, HTTP protocol version, request method, content type, user agent, the authenticated username of the client, client IP address and source port, the proxy action (allowed, denied, served from cache), the requested URL and much more. During an incident response these fields allow alerts to be raised on the content of the proxy logs, for example on requests to a known malicious domain, an unusual user agent, or a client that makes requests at regular intervals.
8. Browser History Logs
Browser history is a map of which web pages and applications were visited and when. It can leak a substantial amount of data about the user, since it reveals which origins the user has been visiting. Attackers have extracted it through several techniques: CSS :visited color selectors (mostly mitigated in modern browsers), timing differences for cached resources, browser APIs, compromised plugins, or interception of network traffic outside the machine. For forensics, browser history and its related artifacts tell the investigator which sites were visited, when, how many times, whether data was entered on them and whether anything was downloaded.
9. DNS Logs
DNS logs provide detailed information about the queries received and the responses sent by the DNS server. DNS is abused in DNS hijacking, DNS tunneling, denial-of-service (DoS) attacks, command and control, and cache poisoning, so DNS logs help identify such attacks and trace their source. They include the name and record type requested, the client IP address, request flags, zone transfers, query and response logs, rate and timing, and DNSSEC signing information.
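Of the attacks listed, tunneling is the one a query log detects best, because the tunnel has to encode its data into hostnames. The following added example (not from the original article) parses query lines in the style BIND 9 writes them and flags a registered domain that receives many unique, long or high-entropy subdomains from a client. The log lines are constructed, the "registered domain" is approximated as the last two labels (a public suffix list would be exact), and the thresholds are assumptions.

```python
import hashlib
import math
import re
from collections import defaultdict

# BIND 9 query-log line, e.g.
# 01-Mar-2024 09:00:00.001 client @0x7f... 10.0.0.5#53000 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.53)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@\S+ )?(?P<client>[\d.:a-fA-F]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_query_log(text):
    """Return one dict per query line; lines that are not queries (resolver startup etc.) are skipped."""
    return [m.groupdict() for m in (QUERY_RE.match(l) for l in text.splitlines()) if m]


def shannon_entropy(s):
    """Bits per character; random-looking hex or base32 data scores well above ordinary hostnames."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def split_domain(qname):
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])  # (registered domain, subdomain part)


def tunnel_candidates(queries, min_unique=8, min_entropy=3.0, min_len=30):
    """Domains whose subdomains look like encoded data: many of them, and long or high-entropy."""
    by_domain = defaultdict(list)  # registered domain -> [(client, subdomain, qtype)]
    for q in queries:
        domain, sub = split_domain(q["qname"])
        by_domain[domain].append((q["client"], sub, q["qtype"]))
    findings = []
    for domain, items in by_domain.items():
        subs = {sub for _, sub, _ in items if sub}
        if len(subs) < min_unique:
            continue  # CDNs and cloud providers also have many subdomains; volume alone is not enough
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        mean_len = sum(len(s) for s in subs) / len(subs)
        txt_share = sum(1 for _, _, t in items if t in ("TXT", "NULL")) / len(items)
        if mean_entropy >= min_entropy or mean_len >= min_len:
            findings.append({"domain": domain, "unique_subdomains": len(subs),
                             "mean_entropy": round(mean_entropy, 2), "mean_len": round(mean_len, 1),
                             "txt_share": round(txt_share, 2),
                             "clients": sorted({c for c, _, _ in items})})
    return findings


def _line(ts, client, qname, qtype):
    """One constructed query-log line in BIND 9 format (sample data, not a real server's log)."""
    return f"{ts} client @0x7f3c1c0ab2d0 {client}#53000 ({qname}): query: {qname} IN {qtype} +E(0)K (10.0.0.53)"


SAMPLE_LOG = "\n".join(
    [_line("01-Mar-2024 09:00:00.001", "10.0.0.5", "www.example.com", "A"),
     _line("01-Mar-2024 09:00:00.120", "10.0.0.5", "mail.example.com", "MX"),
     _line("01-Mar-2024 09:00:01.000", "10.0.0.6", "cdn.example.org", "AAAA"),
     "01-Mar-2024 09:00:01.500 general: info: zone example.com/IN: loaded serial 2024030101"]
    # Twelve TXT queries carrying 40 hex characters each: data chunks leaving via exfil-example.net.
    + [_line(f"01-Mar-2024 09:00:{s:02d}.000", "10.0.0.9",
             hashlib.sha256(f"chunk{s}".encode()).hexdigest()[:40] + ".t.exfil-example.net", "TXT")
       for s in range(2, 14)])


def run_sample():
    return tunnel_candidates(parse_query_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

The same scoring works on Windows DNS analytic logs or on Sysmon Event ID 22 (DNS query) records once the client, name and type are extracted; what changes is only the parser.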