Week 9: Logs

Week-9: Log files

Windows and Linux logs

Ali Jaddoa

Ali.Jaddoa@Roehampton.ac.uk


25/26

Today's session

An Introduction to Log Analysis: Windows and Linux

  • An overview of log files
  • Windows log files and event viewer
  • Event properties
  • Windows logon and account events
  • System log events


An Introduction to Log Analysis



What is a log file?

A digital record of events that occur in computing devices, systems and networks.

Examples of an event might include:

  • User login/logout (local and remote)
  • Software install / removal
  • System reboot time
  • Communication information between devices / network assets
  • Search activity in a browser


Why are log files important?

Log files provide a critical audit trail and serve multiple purposes, including:

  • Diagnosing Problems: Resolving system issues through detailed insights.
  • Event Tracking: Documenting the sequence of system events.
  • Message Transactions: Capturing source and destination messaging details.
  • Anomaly Detection: Identifying unusual system performance and behaviour.
  • Threat Intelligence: Highlighting Indicators of Compromise (IoCs) for security analysis.
  • Analytical Information: Serving as a source of pertinent data for further analysis.


Activity: Provide examples of the types of information that log files contain.



How Important Are Log Files to Cybersecurity?

Log files are a valuable source of information in digital forensics, providing a detailed record of system activities. They play a crucial role in:

  • Timeline Analysis: Reconstructing events to determine when incidents occurred.
  • Network Activity Analysis: Monitoring traffic patterns and detecting suspicious activities.
  • Root Cause Analysis: Identifying the origin of security incidents.
  • Evidence Gathering: Providing critical data for legal and investigative purposes.

Log files are essential in investigating and responding to cyber-attacks, offering insights into the activities and behaviours of attackers on the system.



Who Uses Log File Analysis?

  • System Administrators: Managing system operations and troubleshooting issues.
  • Security Analysts: Detecting, investigating, and responding to security incidents.
  • Application Developers: Debugging applications and improving performance.
  • Compliance Officers: Ensuring adherence to regulatory and organisational standards.
  • Business Analysts: Gaining insights into system usage and performance trends.

Log file analysis is essential across multiple roles, supporting both technical and strategic objectives.



Activity: Log File Analysis After a Cyber-Attack

An organisation has been targeted by a cyber-attack, resulting in unauthorised access to a sensitive database. The security team must determine the scope of the attack and how the attackers gained access. The team starts by analysing the database server's log files, which record all database activities.

  • Tasks:
    1. Identify Information:
      • What key details can be extracted from the log files?
    2. Recommend Actions:
      • Based on the log file analysis, what actions should the security team take to respond to the attack?


Log File Analysis and Response Actions

Information Obtained from Log Files:

  • Unusual login attempts, suspicious queries, or large data downloads.
  • Records showing access to the sensitive database.
  • Unauthorised or unexpected access patterns.

Actions the Security Team Can Take:

  • Identify and isolate the compromised system to prevent further damage.
  • Alert affected parties and relevant stakeholders.
  • Enhance security measures, such as updating access controls and applying security patches.


Windows: Windows Log Files and Event Viewer



Windows Log Files and Event Viewer

Windows Event Viewer is a built-in tool in the Windows operating system that provides a centralised location for viewing and managing system and application event logs. It helps monitor, troubleshoot, and analyse events generated by the system and running applications.

Types of Logs Collected by Event Viewer:

  • System Events: Information related to system components and hardware.
  • Application Events: Logs generated by applications running on the system.
  • Security Events: Details on security-related activities, such as login attempts and resource access.
  • Setup Events: Information related to system installations and updates.


Windows Log Files and Event Viewer




Windows Log Files and Event Viewer

Custom Views in Windows Event Viewer can be configured to capture specific events of interest, allowing irrelevant events to be excluded.

Since Windows generates thousands of events, custom views help streamline the analysis process, saving time and improving efficiency.



Windows Log Files and Event Viewer

  • Application: Application-related events.
  • Security: Security activities (e.g., logins).
  • System: System component events.
  • Setup: Installation and update events.
  • Forwarded Events: Logs from other systems for central monitoring.


Windows Log Files and Event Viewer

The Application log records events generated by applications or programs.

  • For example, a database program might log a file error here.
  • The specific events logged are determined by the application developers.


Windows Log Files and Event Viewer

The Security log records events related to system security, including:

  • Valid and invalid logon attempts.
  • Resource usage activities, such as creating, opening, or deleting files and objects.
  • Administrators configure which events are recorded; for example, if logon auditing is enabled, all logon attempts are captured.


Windows Log Files and Event Viewer

The Setup log records events related to application and system setup processes, including installations and configurations.



Windows Log Files and Event Viewer

The System log records events generated by Windows system components.

  • For example, it logs failures when a driver or system component does not load during startup.
  • The types of events recorded are predetermined by Windows.


Windows Log Files and Event Viewer

The Forwarded Events log stores events collected from remote computers.

  • To collect these events, an event subscription must be created.


Windows Log Files and Event Viewer

Applications and Services Logs: These logs store events from a single application or component, rather than events that affect the entire system.



Windows Log Files and Event Viewer

  • The Subscriptions category refers to devices configured to receive forwarded events.

  • Once a subscription is created, events related to the remote device are captured in the Subscription log.



Windows Log Files and Event Viewer: Event Properties




Windows Log Files and Event Viewer: Event Properties-1

| Property Name | Description |
|---|---|
| Source | The software that logged the event. This can be a program name (e.g., "SQL Server") or a system/component name (e.g., a driver like "Elnkii" for EtherLink II). The Event ID and Source help product support troubleshoot system issues. |
| Event ID | A unique number identifying the event type. For example, 6005 indicates that the Event Log service has started, with the description: "The Event log service was started." |
| Level | Classification of event severity: Information (successful operations or changes, e.g., service started); Warning (issues that may impact services or lead to more serious problems); Error (problems affecting functionality outside the triggering component); Critical (failures from which the component cannot recover). Security log levels: Success Audit (successful exercise of a user right); Failure Audit (failed exercise of a user right). |
| User | The username on whose behalf the event occurred. It shows the client ID if caused by a server process, or the primary ID if no impersonation is involved. |
| Operational Code | Numeric value identifying the activity or point within an activity when the event was raised (e.g., initialization or closing). |


Windows Log Files and Event Viewer: Event Properties-2

| Property Name | Description |
|---|---|
| Log | The name of the log where the event was recorded. |
| Task Category | Represents a subcomponent or activity of the event publisher. |
| Keywords | Categories or tags for filtering or searching events (e.g., "Network", "Security", or "Resource not found"). |
| Computer | The name of the computer where the event occurred. It may be the local computer's name, a remote computer that forwarded the event, or the computer's previous name if it was changed. |
| Date and Time | The date and time when the event was logged. |


Logon vs. Account Logon Events

Audit Logon/Logoff (Authentication) Events

  • Cover the creation and termination of sessions and access to resources.
  • Event ID examples:
    • Windows XP: 5xx
    • Windows Vista and later: 46xx

Audit Account Logon (Credential Validation) Events

  • Cover the validation of user credentials.
  • Event ID examples:
    • Windows XP: 6xx
    • Windows Vista and later: 47xx


Example Windows 10 Logon Events

| Event ID | Description |
|---|---|
| 4624 | Successful Local Logon |
| 4624 | Successful Network Logon |
| 4634 | Logoff Event |
| 4625 | Failed Logon Attempt |


Windows 10 Failed Logon Attempts

| Failure Reason | Event ID | Failure Status Code |
|---|---|---|
| Bad username or password | 4625 (Server 2008+) / 529 (Server 2003) | N/A |
| Disabled accounts | 4625 | C0000072 or 531 |
| Expired passwords | 4625 | C0000071 or 535 |
| Expired accounts | 4625 | C0000193 or 532 |
| Locked-out accounts | 4625 | C0000234 or 539 |


Logon Type Property-1

This value indicates how the account logged on to the system:

| Logon Type | Description | Scenario/Usage |
|---|---|---|
| 2 | Interactive | Logon at the console (e.g., keyboard and screen). |
| 3 | Network | Access via network shares, mapped drives, or SMB. |
| 4 | Batch | Scheduled tasks (Task Scheduler). |
| 5 | Service | Service account logon for running Windows services. |
| 7 | Unlock | Unlocking the workstation after it has been locked. |


Logon Type Property-2

| Logon Type | Description | Scenario/Usage |
|---|---|---|
| 8 | NetworkCleartext | Network logon with credentials sent in plaintext. |
| 9 | NewCredentials | RunAs logon, often used for administrative tasks. |
| 10 | RemoteInteractive | Remote Desktop (RDP) sessions or Terminal Services. |
| 11 | CachedInteractive | Logon with cached credentials (e.g., laptop offline). |
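Putting the logon event tables to work: the script below is an added example (not part of the slides) that enriches 4624/4625 records with the logon-type names and 4625 failure-status meanings listed above, then summarises failed attempts per account and RDP logons. The event dicts are constructed to resemble the fields Event Viewer shows (TargetUserName, LogonType, IpAddress, Status, SubStatus).

```python
"""Enrich Windows 4624/4625 logon events using the logon-type and failure-status tables.
Added example; the event records below are constructed sample data."""
from collections import Counter

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# 4625 failure status codes from the slide table (hex, without the 0x prefix).
FAILURE_STATUS = {"C0000072": "Disabled account", "C0000071": "Expired password",
                  "C0000193": "Expired account", "C0000234": "Locked-out account"}

def _hex_code(value):
    """Normalise '0xc0000234' / 'C0000234' to the table key form."""
    v = str(value or "").upper()
    return v[2:] if v.startswith("0X") else v

def enrich(event):
    """Return a copy with LogonTypeName and, for 4625, FailureReason added."""
    out = dict(event)
    out["LogonTypeName"] = LOGON_TYPES.get(event.get("LogonType"), "Unknown")
    if event["EventID"] == 4625:
        # Event Viewer puts the specific reason in SubStatus; Status is the generic code.
        sub, status = _hex_code(event.get("SubStatus")), _hex_code(event.get("Status"))
        out["FailureReason"] = (FAILURE_STATUS.get(sub) or FAILURE_STATUS.get(status)
                                or "Bad username or password (no specific code in table)")
    return out

def failed_logons_by_account(events):
    """Count 4625 events per target account; many for one account suggests guessing."""
    return Counter(e["TargetUserName"] for e in events if e["EventID"] == 4625)

def remote_interactive_logons(events):
    """Successful RDP (logon type 10) sessions with their source address."""
    return [(e["TargetUserName"], e.get("IpAddress"))
            for e in events if e["EventID"] == 4624 and e.get("LogonType") == 10]

EVENTS = [  # constructed sample records
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 5, "IpAddress": "-"},
    {"EventID": 4624, "TargetUserName": "admin", "LogonType": 10, "IpAddress": "198.51.100.9"},
    {"EventID": 4625, "TargetUserName": "bob", "LogonType": 3, "IpAddress": "192.0.2.10",
     "Status": "0xC000006D", "SubStatus": "0xC000006A"},   # generic logon failure
    {"EventID": 4625, "TargetUserName": "bob", "LogonType": 3, "IpAddress": "192.0.2.10",
     "Status": "0xC0000234", "SubStatus": "0x0"},          # locked out
    {"EventID": 4625, "TargetUserName": "carol", "LogonType": 2, "IpAddress": "-",
     "Status": "0xC000006E", "SubStatus": "0xC0000072"},   # disabled account
]

if __name__ == "__main__":
    for e in EVENTS:
        print(enrich(e))
    print(failed_logons_by_account(EVENTS), remote_interactive_logons(EVENTS))
```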


Monitoring Windows Event Logs for Security Incidents

Key Detection Areas:

  • Changes to Groups, Accounts, and Policies: Monitor for unauthorised modifications in user groups, account permissions, and system policies.
  • Service Activity: Detect services that have been stopped or started, which could indicate suspicious activity.


Common Hacker Tactics:

  1. Exploit Windows Vulnerabilities: Gain initial access by exploiting system weaknesses.
  2. Kill Critical Services: Disable essential services, such as antivirus software, to avoid detection.
  3. Privilege Escalation: Add new user accounts and escalate their privileges for persistent control.
  4. Maintain Access: Implement backdoors or scheduled tasks to regain access after reboots.
  5. Access Restricted Files/Resources: Target sensitive data and critical system resources.


Forensic Examination of System Logs: Indicators of Compromise (IoCs)

A forensic review of the system log can reveal critical indicators of compromise, including:

| Indicator of Compromise (IoC) | Description |
|---|---|
| Operating System Changes | Unauthorised modifications to system files or configurations. |
| Hardware Configuration Adjustments | Changes in hardware settings or new device installations. |
| Device Driver Installations | Unexpected driver updates or installations that may indicate malicious activity. |
| Service Activity | Unauthorised starting or stopping of system services. |
| New Account Creation | Detection of newly created user accounts. |
| Account Privilege Changes | Escalation of user privileges that could indicate an attempt to gain higher access. |


Starting and Stopping Services in Windows Event Logs

| Event ID | Description |
|---|---|
| 7035 | The Service Control Manager sends a stop signal to a service (logged in the System log). |
| 7036 | The Service Control Manager confirms the service has stopped (logged in the System log). |

Changes to Accounts in Windows 10/11 Event Logs

| Event ID | Description |
|---|---|
| 4720 | Records the creation of a new account. |
| 4738 | Records changes made to existing accounts. |
| 4722 | Shows when accounts are activated. |


Changes to Group Membership in Windows Event Logs-1

Changing group membership is a common technique attackers use to escalate privileges. The following table outlines the relevant Event IDs for Windows Vista and later, as well as Windows XP/2003:

| Vista+ Event ID | Win XP/2003 Event ID | Action Indicated |
|---|---|---|
| 4728 | 632 | Member added to global security group |
| 4729 | 633 | Member removed from global security group |
| 4732 | 636 | Member added to local security group |
| 4733 | 637 | Member removed from local security group |
| 4746 | 650 | Member added to local distribution group |
| 4747 | 651 | Member removed from local distribution group |
| 4751 / 4761 | 655 | Member added to global distribution group |
| 4752 | 656 | Member removed from global distribution group |


Changes to Group Membership in Windows Event Logs-2

| Vista+ Event ID | Win XP/2003 Event ID | Action Indicated |
|---|---|---|
| 4756 | 660 | Member added to universal security group |
| 4757 | 661 | Member removed from universal security group |
| N/A | 665 | Member added to universal distribution group |
| 4762 | 666 | Member removed from universal distribution group |
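The service, account-creation and group-membership Event IDs in the tables above are most useful when correlated. The script below is an added example (not from the slides) that flags a watched service entering the stopped state (7036) and a newly created account (4720) being added to a security group (4728/4732/4756) shortly afterwards. The event records, the window size and the service name "ExampleAV" are constructed for the demo.

```python
"""Correlate System and Security log events into indicators of compromise.
Added example; the events below are constructed sample data."""
from datetime import datetime, timedelta

GROUP_ADD_IDS = {4728: "global security group", 4732: "local security group",
                 4756: "universal security group"}
# Services whose unexpected stop matters; "ExampleAV" is a constructed stand-in name.
WATCHED_SERVICES = {"ExampleAV"}

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_indicators(events, window=timedelta(minutes=30)):
    """Return (time, description) findings for:
    - a watched service entering the stopped state (7036, System log);
    - an account created (4720) and added to a security group within `window`."""
    findings, created = [], {}
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        eid, when = ev["EventID"], parse_time(ev["time"])
        if eid == 7036 and ev.get("State") == "stopped" and ev.get("ServiceName") in WATCHED_SERVICES:
            findings.append((ev["time"], f"watched service stopped: {ev['ServiceName']}"))
        elif eid == 4720:
            created[ev["TargetUserName"]] = when   # remember creation time per account
        elif eid in GROUP_ADD_IDS:
            member = ev["MemberName"]
            if member in created and when - created[member] <= window:
                delay = int((when - created[member]).total_seconds())
                findings.append((ev["time"], f"new account {member} added to "
                                 f"{GROUP_ADD_IDS[eid]} '{ev['TargetUserName']}' "
                                 f"{delay}s after creation"))
    return findings

EVENTS = [  # constructed sample, deliberately out of time order
    {"time": "2025-11-03 09:14:05", "EventID": 4732, "MemberName": "svc_update2",
     "TargetUserName": "Administrators"},
    {"time": "2025-11-03 09:12:01", "EventID": 7036, "ServiceName": "ExampleAV", "State": "stopped"},
    {"time": "2025-11-03 09:13:40", "EventID": 4720, "TargetUserName": "svc_update2"},
    {"time": "2025-11-03 10:30:00", "EventID": 4720, "TargetUserName": "intern01"},
    {"time": "2025-11-03 15:00:00", "EventID": 4732, "MemberName": "intern01",
     "TargetUserName": "Remote Desktop Users"},
    {"time": "2025-11-03 15:05:00", "EventID": 7036, "ServiceName": "Print Spooler", "State": "stopped"},
]

if __name__ == "__main__":
    for t, desc in find_indicators(EVENTS):
        print(t, desc)
```

The intern01 addition is not flagged because it falls outside the 30-minute window; widening the window trades fewer missed cases for more noise.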


Benefits and Limitations of Log Files in Cybersecurity and Digital Forensics

| Benefits | Limitations |
|---|---|
| Utilised in various areas of cybersecurity and digital forensics. | Must be correctly configured to capture relevant data. |
| Automated data collection saves time and effort. | Log files require proper management as their size increases. |
| Provide extensive detail for thorough analysis. | Must be protected from deletion and restricted to authorised access. |
| Extremely powerful when accurately analysed. | Large volumes of data can overwhelm analysts, making analysis complex. |


Linux: Log Analysis



Linux System Structure

The /var directory stores variable data essential for system processes and runtime operations.

| Directory | Description |
|---|---|
| /var/run | Current system state and running services. |
| /var/lock | Lock files that prevent simultaneous resource access. |
| /var/log | System, authentication, and application logs. |
| /var/tmp | Temporary files kept across reboots. |


What Do the Contents of a Log Look Like?

Example: /var/log/kern.log

```
$ head /var/log/kern.log
Jul 10 15:01:36 SpiderMan kernel: [ 5.052266] wlan0: authenticate with 10:bf:48:53:c7:90
Jul 10 15:01:36 SpiderMan kernel: [ 5.055880] wlan0: send auth to 10:bf:48:53:c7:90 (try 1/3)
Jul 10 15:01:36 SpiderMan kernel: [ 5.058578] wlan0: authenticated
Jul 10 15:01:36 SpiderMan kernel: [ 5.058631] wlan0: waiting for beacon from 10:bf:48:53:c7:90
Jul 10 15:01:36 SpiderMan kernel: [ 5.109448] wlan0: associate with 10:bf:48:53:c7:90 (try 1/3)
$ cat /var/log/dmesg
[0.177904] PM: Registering ACPI NVS region [mem 0x49f4e000-0x49f54fff] (28672 bytes)
[0.178401] regulator-dummy: no parameters
[0.178426] RTC time: 22:01:31, date: 07/10/14   <-- notice time comes in eventually!
[0.178448] NET: Registered protocol family 16
```


Common Linux Log Files

| Log File | Description |
|---|---|
| /var/log/apache/error.log | Records server errors and diagnostics. |
| /var/log/apache/access.log | Tracks all processed server requests. |
| /var/log/auth.log | Logs all authentication attempts. |
| /var/log/wtmp.log | Login/logout/reboot events (use `last` to read). |
| /var/log/lastlog.log | Last login times (use `lastlog` to read). |
| /var/log/messages.log | System messages, including startup details. |
| /var/log/dmesg.log | Kernel events and boot-time hardware detection. |
| /var/log/mysqld.log | Logs for MySQL database server activity. |
| /var/log/daemon.log | Tracks system and application daemons. |

Note: Many more logs exist depending on system configuration and installed services.



Interaction with Linux Log Files

1. Manual

2. Automated



1. Interaction with Linux Log Files: Manual

| Command | Function |
|---|---|
| `cd /var/log` | Change to the log directory where most logs are stored. |
| `nano example.log` | Edit the specified log file. |
| `less example.log` | View the content of a log file. |
| `head -n 20 example.log` | View the first 20 lines of the file. |
| `tail -n 20 example.log` | View the last 20 lines of the file. |
| `tail -f example.log` | Watch live changes in a log (exit with Ctrl+C). |
| `grep "root" example.log` | Search for the string 'root' and display matching lines. |

  • Using grep (keywords): pipe the output to less for easier reading:

```
grep "root" example.log | less
```


Challenges of Manual Interaction

  • Mundane Process: Repetitive and time-consuming tasks.
  • Event Overlook: Easy to miss both minor and critical events.
  • Data Overload: Large volumes of data can be overwhelming.
  • High Data Velocity: Logs are generated too quickly for manual tracking, especially in busy environments.


2. Interaction with Linux Log Files: Automated

| Tool | Description |
|---|---|
| Graylog | Open-source tool for centralised log management and analysis. |
| Nagios | Provides monitoring for systems, networks, and infrastructure. |
| LOGalyze | Real-time event correlation and alerting tool. |
| Fluentd | Collects, processes, and ships logs from various sources. |
| Elastic Stack (ELK) | Elasticsearch, Logstash, and Kibana for powerful log analysis. |


2. Interaction with Linux Log Files: Automated with Programming

  • Python and other programming languages can automate interaction with log files through customised scripts.
  • They can enhance the functionality of specialised tools by integrating APIs or developing add-on modules.
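A small illustration of such scripting, added here and not part of the slides: it parses the two line shapes shown earlier on the "What Do the Contents of a Log Look Like?" slide (syslog-style kern.log lines and bare dmesg lines) into records, then reproduces the manual `grep "root"` step over the parsed output. The sample lines, including the sshd ones, are constructed for the demo.

```python
"""Parse syslog-style and dmesg-style log lines into structured records.
Added example; SAMPLE_LINES are constructed and modelled on the kern.log/dmesg slide."""
import re
from collections import Counter

# "Jul 10 15:01:36 SpiderMan kernel: [ 5.052266] wlan0: authenticated"
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# "[0.178448] NET: Registered protocol family 16"  (seconds since boot)
DMESG_RE = re.compile(r"^\[ *(?P<uptime>\d+\.\d+)\] (?P<msg>.*)$")

SAMPLE_LINES = [
    "Jul 10 15:01:36 SpiderMan kernel: [ 5.052266] wlan0: authenticate with 10:bf:48:53:c7:90",
    "Jul 10 15:01:36 SpiderMan kernel: [ 5.058578] wlan0: authenticated",
    "Jul 10 15:02:10 SpiderMan sshd[1423]: Failed password for root from 192.0.2.7 port 51022 ssh2",
    "Jul 10 15:02:14 SpiderMan sshd[1423]: Failed password for root from 192.0.2.7 port 51022 ssh2",
    "[0.178448] NET: Registered protocol family 16",
    "this line is not in either format",
]

def parse_line(line):
    """Return a record dict for a recognised line, or None.
    Kernel lines carry their own uptime stamp inside the message; it is split out."""
    m = SYSLOG_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["uptime"] = None
        k = DMESG_RE.match(rec["msg"])
        if k:
            rec["uptime"] = float(k["uptime"])
            rec["msg"] = k["msg"]
        return rec
    k = DMESG_RE.match(line)
    if k:   # bare dmesg line: no wall-clock time or host, only seconds since boot
        return {"month": None, "day": None, "time": None, "host": None, "proc": "kernel",
                "pid": None, "uptime": float(k["uptime"]), "msg": k["msg"]}
    return None

def parse_lines(lines):
    """Parse every line, silently skipping lines that match neither format."""
    return [r for r in (parse_line(l.rstrip("\n")) for l in lines) if r is not None]

def count_by_process(records):
    return Counter(r["proc"] for r in records)

def grep(records, keyword):
    """Same idea as grep "keyword" example.log, over parsed records."""
    return [r for r in records if keyword in r["msg"]]

if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LINES)
    print(count_by_process(recs))
    for r in grep(recs, "root"):
        print(r["time"], r["proc"], r["msg"])
```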


Lab



- Visit [this](https://padlet.com/alijaddoa/provide-examples-of-type-of-information-that-log-files-conta-5r6ue8rqofh9s7n3)

- Or scan the QR code:

![bg right 90%](../../figures/week_7qr_code.png)

Log file analysis is utilised by various professionals and organisations to monitor and analyse system and application logs, ensuring security, stability, and performance. Key users include: