Useful Log Files

Commonly Used Log Files in Incident Response

Log files are a cornerstone of incident response, providing a comprehensive record of system, user, and application activities. Below is a breakdown of essential log files, their typical locations, and their usage in identifying and mitigating security incidents.


1. Syslog

Location:

  • /var/log/syslog (Debian-based systems)

  • /var/log/messages (Red Hat-based systems)

Usage:

  • Cron Jobs: Monitor scheduled tasks to detect unauthorized or suspicious jobs.

  • Service Events: Track the starting, stopping, or crashing of services.

Example Commands:

  • View cron job execution:

    grep -i "cron" /var/log/syslog
  • Check service restarts or failures:

    grep -iE "started|stopped|failed" /var/log/syslog

2. Access Logs

Location:

  • Apache: /var/log/apache2/access.log

  • Nginx: /var/log/nginx/access.log

Usage:

  • Detect Exploitation Attempts: Identify patterns of malicious access (e.g., SQL injection, directory traversal).

  • Monitor Sensitive Endpoints: Track access to admin panels or sensitive files.

Example Commands:

  • Search for POST requests (often used in data exfiltration or login attempts):

    grep '"POST ' /var/log/apache2/access.log
  • Filter requests to specific endpoints:

    grep "/admin" /var/log/nginx/access.log

3. Authentication Logs

Location:

  • /var/log/auth.log (Debian-based systems)

  • /var/log/secure (Red Hat-based systems)

Usage:

  • Failed Logins: Detect brute force or credential stuffing attempts.

  • User Account Activity: Track new user creation, group changes, or privilege escalations.

Example Commands:

  • Search for failed login attempts:

    grep "Failed password" /var/log/auth.log
  • Check for successful root logins:

    grep "session opened for user root" /var/log/auth.log
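As an added example (not code from the original page), the script below applies the same "Failed password" and "session opened for user root" checks to constructed auth.log lines, counts failures per source IP, and flags any source that was brute forcing and then received an accepted login. The sample lines, the analyze_auth_log function and its threshold are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not captured from a real host).
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  3 09:12:03 web01 sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2
Mar  3 09:12:05 web01 sshd[2215]: Failed password for root from 198.51.100.23 port 51247 ssh2
Mar  3 09:12:06 web01 sshd[2217]: Failed password for root from 198.51.100.23 port 51250 ssh2
Mar  3 09:13:10 web01 sshd[2230]: Accepted password for root from 198.51.100.23 port 51300 ssh2
Mar  3 09:13:10 web01 sshd[2230]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 09:20:44 web01 sshd[2301]: Failed password for alice from 192.0.2.10 port 40022 ssh2
Mar  3 09:20:50 web01 sshd[2303]: Accepted publickey for alice from 192.0.2.10 port 40030 ssh2
"""

# sshd phrases the grep commands above look for, with user and source IP captured.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
ROOT_SESSION_RE = re.compile(r"session opened for user root")

def analyze_auth_log(text, threshold=3):
    """Summarise failed/accepted logins per source IP; threshold is an assumed tuning value."""
    failures = Counter()
    accepted = []
    root_sessions = 0
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"]))
            continue
        if ROOT_SESSION_RE.search(line):
            root_sessions += 1
    # Sources with at least `threshold` failures are treated as brute-force candidates.
    brute_force = {ip: n for ip, n in failures.items() if n >= threshold}
    # An accepted login from a brute-forcing source is the finding to escalate first.
    success_after_failures = [(ip, user) for ip, user in accepted if ip in brute_force]
    return {
        "failures": dict(failures),
        "brute_force": brute_force,
        "success_after_failures": success_after_failures,
        "root_sessions": root_sessions,
    }

if __name__ == "__main__":
    for ip, user in analyze_auth_log(SAMPLE_AUTH_LOG)["success_after_failures"]:
        print(f"ALERT: {user} logged in from {ip} after repeated failures")
```

Run it against a real file with analyze_auth_log(open("/var/log/auth.log").read()); on Red Hat-based systems use /var/log/secure.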

4. Last Logon Information

Location:

  • /var/log/lastlog

Usage:

  • Review User Activity: Identify when each user last logged in.

  • Detect Dormant Accounts: Highlight inactive accounts that could be targeted for compromise.

Example Command:

  • View the last login time for all users:

    lastlog

5. Bash History

Location:

  • ~/.bash_history (User home directory)

Usage:

  • Command Review: Identify potentially malicious commands executed by users.

  • Recon and Persistence: Detect signs of privilege escalation, network scanning, or backdoor creation. Bash writes this file only when a shell exits, and a user can clear or disable it, so an empty or missing history is not evidence of inactivity.

Example Command:

  • Review a user’s command history:

    cat ~/.bash_history

6. Application Logs

  • Web Application Logs: Stored in specific directories, such as /var/www/html/logs or within Docker containers.

  • Database Logs: MySQL logs (/var/log/mysql/) or PostgreSQL logs (/var/log/postgresql/).

Usage:

  • Error Logs: Detect failed queries or application errors that attackers may exploit.

  • Access Patterns: Identify unauthorized access or data exfiltration attempts.


Best Practices for Log Analysis in Incident Response

  1. Centralize Logs: Use centralized systems (e.g., ELK Stack, Splunk) to aggregate logs for easier correlation and analysis.

  2. Correlate Events: Cross-reference logs from multiple sources to build a comprehensive incident timeline.

  3. Preserve Logs:

    • Implement log rotation and backups to prevent tampering or loss.

    • Use immutable storage for critical logs.

  4. Automate Analysis: Leverage scripting and tools to quickly identify suspicious patterns:

    • Grep for keyword searches.

    • Awk for data extraction.

    • Journalctl for systemd logs:

      journalctl -u sshd --since "YYYY-MM-DD HH:MM"

Key Points

Log analysis is crucial for detecting and investigating security incidents. By understanding the purpose and content of key log files, incident responders can effectively reconstruct the sequence of events, identify malicious actions, and take appropriate remedial actions to secure the system.
