Log generation and analysis is an important part of the IT industry. It is the process of reviewing, examining, and understanding log files, such as network and system log files, to gain valuable insights. These logs also help in working out what went wrong and in identifying a cybersecurity attack. Security log files contain timestamps that record which event happened when, which event resulted in a particular failure, and what went wrong. It is important to understand the different types of security log sources, so let us look at the most common ones in detail.
1. Sysmon Logs
System Monitor (Sysmon) is a free software tool and device driver from Microsoft that monitors system activity and logs it to the Windows event log. It records activities such as process creation, network connections, file creation or modification, driver loads, raw disk access, remote thread creation, and process memory access in one single place. It is updated regularly by Microsoft, with new features rolling in regularly. By analyzing these logs, malicious activity can be identified more easily, and they help in understanding how intruders try to operate on your network. Its limitations are that it does not try to hide itself from adversaries and that it records events without providing any analysis of them.
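As an added example (not from the original article), the following Python snippet parses one Sysmon event in the Windows event XML layout and maps its event ID to the activity types listed above; the event ID mapping follows Sysmon's documentation, while the event itself (host name, user, paths, command line) is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace used by Sysmon events.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Documented Sysmon event IDs for the activity types listed above.
SYSMON_EVENT_TYPES = {
    1: "process creation",
    3: "network connection",
    6: "driver loaded",
    8: "remote thread created",
    9: "raw disk access",
    10: "process memory access",
    11: "file created",
}

# Constructed sample: one Sysmon process-creation event (all values are made up).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>1</EventID>
    <Computer>WORKSTATION-01</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2024-01-15 09:12:33.120</Data>
    <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="ParentImage">C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE</Data>
    <Data Name="User">CORP\\alice</Data>
  </EventData>
</Event>"""


def parse_sysmon_event(xml_text):
    """Return the event ID, its activity type and the EventData fields as a dict."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": event_id, "type": SYSMON_EVENT_TYPES.get(event_id, "other"), "data": data}


def process_lineage(event):
    """For a process-creation event, return 'parent -> child' using the executable file names."""
    if event["event_id"] != 1:
        return None
    parent = event["data"].get("ParentImage", "").rsplit("\\", 1)[-1]
    child = event["data"].get("Image", "").rsplit("\\", 1)[-1]
    return f"{parent} -> {child}"
```

On a real host these events are read from the Microsoft-Windows-Sysmon/Operational channel, where the parent-to-child lineage is what an analyst checks first.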
2. Windows Security Logs
This log records security-related activities according to the system's audit policy. It is a great tool for viewing attempted and successful unauthorized activities and for troubleshooting problems. The log and the policy are governed by the system administrator, who can delete specific entries, separate rights, and even clear the whole log. That means once the administrator's account has been compromised, the Security log can no longer be trusted. It also lists logon and logoff activity, giving the account and IP address used to log into the system, privilege and policy changes, system events, and process tracking.
3. Windows System Logs
This is an event log of application and system events, including error and warning messages. It helps with almost every kind of troubleshooting for Windows problems. It records events from Windows system components, such as drivers and built-in interface components, and from programs installed on the system. It also keeps track of the system's boot time. It uses event identifiers (IDs) to uniquely define the events that the computer can encounter. It sometimes shows basic errors that cause no harm but that scammers can use to convince users that something is dangerous and then ask for their credentials under the pretence of repairing it.
4. NetFlow Logs
NetFlow is a network protocol developed by Cisco. It monitors network traffic flow and volume and collects IP traffic information from routers and switches. Using a NetFlow collector and analyzer, it is possible to see where traffic is coming from and going to and how much traffic passes through each interface. It monitors network bandwidth and traffic patterns. Network administrators can use NetFlow logs to identify which users, protocols, or applications consume the most bandwidth and what causes network congestion.
5. PCAP Logs
Packet Capture (PCAP) is an Application Programming Interface (API) for collecting network traffic. It is used to capture packets, save those captures to a file, and read files that contain saved packets. Applications include network statistics collection, security monitoring, and network debugging. It is supported by many software tools, which can read saved capture files and present the analysis in a user-friendly form. It can show IP addresses, policies, domain names, IP types, timestamps, source ports, and much more.
6. Firewall Logs
A firewall log documents how the firewall handles different types of traffic and provides insight into source and destination IP addresses, protocols, and port numbers. It also indicates when malicious activity is present in the network by identifying suspicious connections. The Windows Firewall log records the time and date of the connection, the kind of connection (TCP/UDP), the port used on your computer, and whether the packet was dropped or accepted. It also allows planning of bandwidth requirements based on the bandwidth usage seen across firewalls. It provides real-time information that the network administrator can use to spot suspicious activity.
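As an added example (not part of the original article), this Python snippet parses lines in the Windows Firewall pfirewall.log layout, a W3C extended log whose column names come from the #Fields header, and then summarises dropped and allowed packets and lists remote sources whose dropped inbound packets touched several local ports; the log lines themselves are a constructed sample using documentation IP ranges.

```python
from collections import Counter, defaultdict

# Constructed sample in the pfirewall.log layout: W3C extended format with a #Fields header line.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:12:01 DROP TCP 203.0.113.7 192.168.1.20 51234 445 52 S 123456 0 8192 - - - RECEIVE
2024-01-15 09:12:01 DROP TCP 203.0.113.7 192.168.1.20 51235 3389 52 S 123457 0 8192 - - - RECEIVE
2024-01-15 09:12:02 DROP TCP 203.0.113.7 192.168.1.20 51236 22 52 S 123458 0 8192 - - - RECEIVE
2024-01-15 09:12:05 ALLOW UDP 192.168.1.20 192.168.1.1 53412 53 0 - - - - - - - SEND
2024-01-15 09:12:09 DROP UDP 198.51.100.4 192.168.1.20 40000 161 0 - - - - - - - RECEIVE
"""


def parse_pfirewall(text):
    """Parse log lines into dicts keyed by the column names from the #Fields header."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign the columns
        events.append(dict(zip(fields, values)))
    return events


def action_summary(events):
    """Count (action, protocol) pairs, e.g. how many TCP packets were dropped."""
    return Counter((e["action"], e["protocol"]) for e in events)


def dropped_ports_by_source(events, min_ports=3):
    """Return remote sources whose dropped inbound packets hit at least min_ports distinct
    local ports, a simple indicator of probing that is worth reviewing."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "DROP" and e["path"] == "RECEIVE":
            ports[e["src-ip"]].add(int(e["dst-port"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}
```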
7. Proxy Logs
Proxy logs record the users and applications that access your network. Along with website requests from users, they also include application and service requests. The information they track includes date and time, HTTP protocol version, HTTP request method, content type, user agent, authenticated username of the client, client IP and source port, proxy action, requested resource, and much more. During an incident response, it is also possible to raise alerts based on the content of the proxy server logs.
8. Browser History Logs
Browser history is like a map of which web pages and applications you visited and when. It can leak a substantial amount of your data, revealing which origins the user has been visiting. It can be exploited through various techniques, such as CSS color selectors (mostly patched in newer browsers), cached-data timing, browser APIs, compromised plugins, or interception of network communications outside the machine. For a forensic investigator, the browser logs show the websites visited, the timestamp, the number of times each was accessed, whether data was entered on it, and whether something was downloaded.
9. DNS Logs
DNS logs provide extremely detailed information about the DNS data sent and received by the DNS server. DNS attacks include DNS hijacking, DNS tunneling, Denial-of-Service (DoS) attacks, command and control, and cache poisoning. DNS logs therefore help to identify information related to these attacks so that their source can be found. They include detailed data on records requested, client IP, request flags, zone transfers, query logs, rate timing, and DNS signing.
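As an added example (not from the original article), the following Python snippet shows one way the query records mentioned above can be used to spot DNS tunneling: it groups queries by domain and flags domains that receive many distinct, random-looking subdomains. The four-column log layout (timestamp, client IP, query name, record type) and the query lines are constructed for this example, and "last two labels" is a deliberate simplification of the registered domain.

```python
import math
from collections import defaultdict

# Constructed DNS query log in an assumed four-column layout: timestamp, client IP, query name, record type.
SAMPLE_QUERIES = """2024-01-15T09:12:01Z 192.168.1.20 www.example.com A
2024-01-15T09:12:02Z 192.168.1.20 mail.example.com MX
2024-01-15T09:12:03Z 192.168.1.31 a9f3c0d1e2b4.tunnel.example.net TXT
2024-01-15T09:12:03Z 192.168.1.31 7c21ee90ab15.tunnel.example.net TXT
2024-01-15T09:12:04Z 192.168.1.31 b18d44f0c3e7.tunnel.example.net TXT
2024-01-15T09:12:04Z 192.168.1.31 5e0a9c7d2f61.tunnel.example.net TXT
2024-01-15T09:12:05Z 192.168.1.20 cdn.example.com A
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score higher than dictionary words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def parse_queries(text):
    """Parse the assumed log layout into dicts, skipping lines that do not have four columns."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        out.append({"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype})
    return out


def tunneling_candidates(queries, min_unique=4, min_entropy=3.0):
    """Group queries by their last two labels (a simplification of 'registered domain') and
    flag domains that receive many distinct subdomains whose leftmost labels look random."""
    by_domain = defaultdict(set)
    for q in queries:
        labels = q["qname"].split(".")
        if len(labels) < 3:
            continue
        by_domain[".".join(labels[-2:])].add(".".join(labels[:-2]))
    flagged = {}
    for domain, subs in by_domain.items():
        if len(subs) < min_unique:
            continue
        leftmost = [s.split(".")[0] for s in subs]
        avg_entropy = sum(shannon_entropy(lab) for lab in leftmost) / len(leftmost)
        if avg_entropy >= min_entropy:
            flagged[domain] = {"unique_subdomains": len(subs), "avg_label_entropy": round(avg_entropy, 2)}
    return flagged
```

Thresholds like these need tuning per network, since content delivery networks and cloud services also generate many distinct subdomains.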