Log files are everywhere within your infrastructure, and log files are the Phillips screwdriver of IT security. We use them all the time. And you're going to see a lot of questions on the exam that challenge you with log-type questions. Now, logs have all kinds of different names. They could be called event logs or security logs or audit logs or device logs.
I don't really care about that. Logs can exist anywhere on a system. Where they exist exactly? I don't know, I don't care. I can poke around and find logs based on whatever issue I'm running into. But logs can exist anywhere. If you're in Windows, use Event Viewer.
If you're on a Mac, use Console. If you're on a Linux system, there are so many logs and so many tools that you can't even wrap your head around what's all out there and available to you. What we're going to do in this episode, though, is take a broader outlook at what logs really are. We're going to use a term that I've coined called the generic log look. And to make this work, we're going to break all of these different types of logs into two groups; I'm going to call them non-network and network logs.
Let's take a look at both of those. Non-network events are events that take place on a host, even if that host is unplugged from a network. A network event is something that takes place on a host that has to deal with the communication between that host and something on the network. To take a look at some non-network events, I like to break them into three groups, and in fact, most operating systems do too. One group is what I'm going to call operating system events: things like the host starting, the host shutting down, reboots, stuff like that; maybe services starting, maybe services stopping, maybe even services failing; operating system updates.
If I plugged a thumb drive in with an update, it would log that type of information. Next are applications. So if an application's installed, I'd like to have that logged; if an application starts, or if an application stops, or if an application crashes, I want all that kind of information to be logged as individual events. Last is security. So for me, the big one under security is logons: I want to know if logons succeed or if logons fail. And that's usually set up by you, depending on what kind of information you told the operating system to monitor. So a generic example of a non-network event would probably have a date, a time, some kind of process ID or a source or something that is generating this particular event.
There may be an account associated with it, maybe a user account, maybe the system itself is doing this. Then there's some form of event number. Almost everybody has some kind of tracking of all the events that take place in a log file, and they'll usually give it some ID number. And last is an event description that actually describes what is going on and what we want to see in that particular event. Now, network events are any events that take place between a host and something that's going on in the network.
I like to break this down into two groups. The first one is events that take place at the operating system or system level of that device to something else on the network. And the other one, and probably the biggest one there is, is things that happen to the applications that I'm sharing on this particular device out to the network. So one thing I need to warn you is that these two groups can overlap a little bit, so they're a little fuzzy. But let's go ahead and look at both of these. Events to the operating system or the system itself from the network would consist of simple stuff, like, for example, if somebody's trying to remotely log in, whether they fail or not.
If I've got a switch out there and somebody's trying to log into it, I would like to have a log of that particular event. The other one is events that take place on shared applications or resources. Now this is the big one, and you're going to see a lot of stuff on the exam that hits on this type of situation. For example, if I've got a web server, here's an example of one line, one event, from an Apache web server. Another one might be activity on a firewall.
So here's my router with the firewall features blocking some incoming traffic. So in these particular types of events, we're going to see, hopefully, a date, a time, some source address, which could be a MAC address or an IP address or both, depending on the application, and we would have a destination. Now the destination is also going to be a MAC and an IP address. A lot of times the destination or source on that application is going to be the device itself, whatever its IP or MAC addresses are. Last, there's going to be some description of what is happening. This can vary dramatically depending on the application itself.
So on any given network, you've got all kinds of hosts lying all over the place, generating all kinds of logs. Now you need to read these logs; you've got to monitor them; you've got to see what's happening. So how do we go about doing that? Well, by default, pretty much every device on your network is going to have its own little log or log files all over the place, and you're going to be standing at some computer and you're gonna have to go to this computer, then that computer, then that computer, and we call that decentralized. Decentralized works fine for small organizations, but we often want to do a more centralized situation. In that case, you've got two choices.
Number one, you can have situations where all your different devices are literally sending all their log traffic to a central repository. Now that can be a big problem sometimes, especially if you've got a lot of traffic, and it can slow down your network. What we tend to see more commonly is stuff like SNMP, where I have one system that goes out to all these different types of logs, looks for the information it needs, and then generates graphs, charts and the information that I need. In fact, monitoring is so important when it comes to logs that it's very common for people to actually pay third parties to query all of their different devices and use these third parties to do the monitoring. In fact, there's a whole industry called monitoring as a service. So it can be pretty interesting. Now, the exam itself has tons of questions that need you to read log files. If you stick with my generic log file conceptualization and separate non-network from network-type log files,
and while you need to know your applications and your protocols, you can get through these pretty easily. So what I want to do is go through a few examples. And, I don't know, let's start with something fun like a web server. Here I have two computers, and in between them is a router. Now I'm going to go ahead and put some IP addresses in here so you've got an idea of how all this is laid out.
And now what I'm going to do is show you a log from this device way over here on the right. And we're going to give you three events on this particular log: a SYN, a SYN-ACK and an ACK. So we know this is a network event, because we can see IP addresses and we can see port numbers. Now I'm going to ask you some questions. Question number one: of those two computers,
which one is a web server? Well, the answer is the one on the right. If we take a look, we can see from its log that it is receiving port 80 traffic. So that shows us that the machine on the right is a web server. I have another question for you. Is this router blocking HTTP traffic? Well, the answer is no,
because it's coming from the other side of the system. It's coming in, so it is getting HTTP traffic. I've got another question. Is this router doing NAT? In this case, it absolutely has to be doing NAT,
because if the traffic were coming from the machine on the left, it would have its IP address. But if you look very carefully, all we're seeing is the router's IP address coming to the system on the right. And one more question: is that router running DHCP? And the answer is, we don't know; there's nothing within this particular log to give us an answer. That was fun. Let's do it again.
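As an added example (not the episode's own log or code), here is a small Python script that applies the generic log look to a constructed three-event handshake log like the one above and answers the same four questions from it: the date, time, source, destination and description fields are pulled out of each line, and the addresses of the left host, the router and the right host are assumed placeholders from documentation address ranges.

```python
import re

# Constructed sample (not the episode's own log): the TCP handshake as the host on
# the RIGHT of the diagram records it. All addresses are assumed placeholders.
LEFT_HOST = "192.168.1.50"    # assumed private address of the machine on the left
ROUTER_WAN = "203.0.113.1"    # assumed address of the router facing the right host
RIGHT_HOST = "198.51.100.10"  # assumed address of the machine on the right

SAMPLE_LOG = """\
2024-03-01 10:00:01 SRC=203.0.113.1:51514 DST=198.51.100.10:80 FLAGS=SYN
2024-03-01 10:00:01 SRC=198.51.100.10:80 DST=203.0.113.1:51514 FLAGS=SYN,ACK
2024-03-01 10:00:01 SRC=203.0.113.1:51514 DST=198.51.100.10:80 FLAGS=ACK
"""

LINE_RE = re.compile(
    r"(?P<date>\S+) (?P<time>\S+) SRC=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"DST=(?P<dst>[\d.]+):(?P<dport>\d+) FLAGS=(?P<flags>\S+)"
)

def parse_log(text):
    """Return one dict per line; a line is a network event if it has addresses and ports."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            e["flags"] = set(e["flags"].split(","))
            events.append(e)
    return events

def web_server(events):
    """Which host is the web server? The one that receives a SYN on port 80."""
    return next((e["dst"] for e in events
                 if e["dport"] == 80 and e["flags"] == {"SYN"}), None)

def http_allowed(events):
    """Is HTTP blocked? Not if the port-80 SYN was answered with SYN,ACK."""
    return any(e["sport"] == 80 and e["flags"] == {"SYN", "ACK"} for e in events)

def router_is_natting(events, left_ip, router_ip):
    """Is the router doing NAT? Yes if the client side shows the router's
    address and the left host's own address never appears."""
    client_srcs = {e["src"] for e in events if e["flags"] == {"SYN"}}
    return router_ip in client_srcs and left_ip not in client_srcs

def dhcp_in_use(events):
    """Is the router running DHCP? A handshake log says nothing about it: unknown."""
    return None
```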
You just got a call from somebody who said someone downloaded a critical video file and probably corrupted it. So you get this log file to try to figure out what's happening here. Now, in this particular situation, we don't really know what protocol this is or anything, but it's not critical; we can still answer the question: who made the download here? So if we take a look, you'll see we've got two different users logging in, Bob and Jane. And then if you take a look at the time, both of those users were logged in at the time someone did a download of that particular MP4 file. So the problem is, in this particular situation, you don't know, based on the time offset, who the person was. It may have been Bob, or it may have been Jane; they were both logged in.
That was fun. Let's do it again. Now here is a rather painful-looking log that came from a particular system. Now, if we look at this, we have to come up with some idea of what would create this type of situation. So I'm going to give you some choices. Number one, do you think anti-malware would cause this? What we're looking at in this particular case, you see the word checksum?
That's a big clue. So what it's telling us is that we have some virtual machine called webmail that has been changed, and it's stored a backup copy. So there's something about the files that is very important, so probably not anti-malware. What do you think? Might it be patch management? In this particular case, we're not really patching anything; we're just letting people know that a file's changed. So if I had some file integrity application, that might be a great example of this application in action. And I have to run this confirmer executable to make that particular change
absolutely permanent. Logs are absolutely critical for good IT security. You're going to see a lot of questions on the exam that have you dealing with logs. Don't worry about how the log looks exactly. Don't worry about where it's coming from, necessarily. But understand that if you can break all log files into two different types of events, either network or non-network events, it's gonna make your life a lot easier. And then take the time, know your protocols, and you'll be able to answer every one of those questions.
No problem.