Investigating Logs

The document provides a comprehensive guide on log management, collection, and analysis, detailing the importance of logs in security practices. It covers various aspects including Windows and Linux log analysis, log retention policies, and commands for enabling logging on Windows systems. Additionally, it discusses the significance of creating timelines and identifying patterns in log data to detect security incidents.

Uploaded by

swooshj16

Table of Contents

Understanding Logs
Collecting Logs
Log Management
Log Analysis
Windows Logs Analysis
  Enable success and failure logging on all categories
  Auditing Windows Event Logs from command line
  Investigating Event logs with PowerShell
    Auditing all the logs in the local PC
    Auditing log providers
    Listing log providers with 'powershell' as a keyword
    Listing events related to Windows PowerShell
    Listing available logs containing a given keyword
    Listing events on a specific log path
    Finding process related information using a given keyword about the process
    Listing application logs from WLMS provider and generated at the given time
    Displaying events logged for processes that initiated network connections
    Listing security logs with Sam as target username and event id equal to 4724
    Listing security logs with event id equal to 400
    Listing logs from log file with event id = 104 and format as list displaying all event properties
    Listing logs from log file with event id = 4104 with string 'ScriptBlockText' and format as list displaying all event properties
    Listing logs from log file with event id = 13 with string 'enc' in the message field and format as list displaying all event properties
    Filtering events using time range
    Listing security logs with Sam as target username and event id equal to 4799
    Listing accounts validation logs in the last 10 days
    Auditing accounts logged on/off in the last two days
    Auditing access to file shares, file system, SAM and registry in the last two days
    Auditing the use of privilege
    Auditing system changes and integrity events
    Detecting the use of PsExec
  Investigating Logs with Sysmon and PowerShell
    Hunting for Metasploit events
    Filtering for network connections
    Filtering for network connections in format list with maximum quantity of one
    Filtering for process access events, specifically lsass.exe
    Filtering for Alternate Data Streams events
    Filtering for process hollowing events
  Investigating IIS logs
  Investigating Windows Event Logs with Timeline Explorer
  Investigating Windows Event Logs with SysmonView
  Windows Event IDs
    Security
    Sysmon Events
Linux Log Analysis
  Manual Analysis
    Auditing authentication logs
    Auditing user login logs in Ubuntu
    Auditing samba activity
    Auditing cron job logs
    Auditing sudo logs
    Filtering 404 logs in Apache
    Auditing files requested in Apache
    View root user command history
    View last logins
Network Logs
Logs Centralization
  SIEM
  Syslog Protocol

Understanding Logs
Premise
Following security best practices, it is typical for a
modern environment to employ log forwarding. Log
forwarding means that the SOC will move or
“forward” logs from the host machine to a central
server or indexer. Even if an attacker can delete logs
from the host machine, they could already be off of
the device and secured.
Log entries are often given a severity level to
categorize and communicate their relative
importance or impact. These severity levels help
prioritize responses, investigations, and actions
based on the criticality of the events. Different
systems might use slightly different severity levels,
but commonly, you can expect to find the following
increasing severity levels: Informational, Warning,
Error, and Critical.
Log Files
Log files are records of events committed to a file in
a list format. They can include all sorts of information
about events that happened at a particular time.
Every device on the network creates log files, thus
giving you a history of what's been happening.
Logs typically contain five headed-up areas. They are:

Timestamp – the time of the event.
Log level – how severe or important the event is.
Username – who caused the event.
Service or application – what caused the event.
Event description – what has happened.
Log file types
Event log – records information about the usage of network traffic and tracks login attempts, application events, and failed password attempts.
System log (or syslog) – records operating system events, including startup messages, system changes, shutdowns, and errors and warnings.
Server log – contains a record of activities in a text document related to a specific server over a specific period of time.
Change log – lists changes made to an application or file.
Availability log – tracks uptime, availability, and system performance.
Authorization and access log – lists who is accessing applications or files.
Resource log – provides information on connectivity issues and any capacity problems.
Application logs – messages about specific applications, including status, errors, warnings, etc.
Audit logs – activities related to operational procedures crucial for regulatory compliance.
Security logs – security events such as logins, permissions changes, firewall activity, etc.
Network logs – network traffic, connections, and other network-related events.
Database logs – activities within a database system, such as queries and updates.
Web server logs – requests processed by a web server, including URLs, response codes, etc.

Collecting Logs
The process of log collection relies heavily on the accuracy of your time settings; therefore it is recommended to use the Network Time Protocol (NTP) to keep clocks synchronized and preserve the integrity of the timeline stored in the logs.
You can do so on a Linux system manually by running the command below (this is a one-off correction; for ongoing synchronization run an NTP client such as chrony or systemd-timesyncd):

ntpdate pool.ntp.org

Log collection follows the steps below:

Source Identification: List all potential log sources, such as servers, databases, applications, and network devices.
Choosing a Log Collector: Examples are Splunk, an rsyslog collector, or the Elastic Stack.
Configuring Collection Parameters: Ensure that time synchronization is enabled through NTP to maintain accurate timelines, adjust settings to determine which events to log and at what intervals, and prioritize based on importance.
Testing: Run a test to ensure logs are appropriately collected from all sources.

Example | Log collection using Rsyslog

We can configure Rsyslog to collect specific logs, such as web server logs or SSH logs, and forward them to a dedicated file.
First ensure Rsyslog is installed and running on your machine:

sudo systemctl status rsyslog

Next we go to the directory where rsyslog reads its additional configuration files and create a new file. Rsyslog only includes files matching /etc/rsyslog.d/*.conf, so give it a .conf extension:

cd /etc/rsyslog.d
sudo nano apache.conf

Then inside the file, type the below (legacy rsyslog syntax: a file-creation mode, then a property-based filter that sends messages whose program name is "apache" to the given file; the filter and its target path must be on one line):

$FileCreateMode 0644
:programname, isequal, "apache" /var/log/websrv-02/rsyslog_apache.log

Restart the service so the new rule takes effect:

sudo systemctl restart rsyslog


Log Management
Log management includes securely storing logs, providing storage capacity, and ensuring quick retrieval of logs when needed. Also make sure to conform to the retention period, back up your logs regularly, and conduct periodic reviews.
Log Retention & Archival
Define log retention policies and implement them. Don't forget to create backups of stored log data as well.

Log Analysis
Definition
Log analysis examines and interprets log event data
generated by various data sources (devices,
applications, and systems) to monitor metrics and
identify security incidents.
Log analysis involves several steps. It starts with collecting, parsing, and processing log files to turn raw data into actionable information. Analysts then correlate log data to find links and connections between events and build a story of what happened.
Creating a Timeline
A timeline is a chronological representation of the logged events, ordered by their time of occurrence. Creating a timeline is important for reconstructing the series of events that led to the security incident, which helps analysts identify the initial point of compromise and understand the attacker's tactics, techniques and procedures (TTPs).
Looking for patterns of security incidents
Multiple failed login attempts
Unusually high numbers of failed logins within a
short time may indicate a brute-force attack.
Unusual login times
Login events outside the user's typical access hours
might signal unauthorized access or compromised
accounts.
Geographic anomalies
Login events from IP addresses in countries the user
does not usually access can indicate potential
account compromise or suspicious activity.
In addition, simultaneous logins from different
geographic locations may suggest account sharing
or unauthorized access.
Frequent password changes
Log events indicating that a user's password has
been changed frequently in a short period may
suggest an attempt to hide unauthorized access or
take over an account.
Unusual user-agent strings
In HTTP traffic logs, requests from users with
uncommon user-agent strings that deviate from their
typical browser may indicate automated attacks or
malicious activities.
For example, by default the Nmap scanner sends a user agent containing "Nmap Scripting Engine", and the Hydra brute-forcing tool by default includes "(Hydra)" in its user agent. These indicators can be useful in log files to detect potential malicious activity.
Attack Patterns and signatures
SQL Injection
When looking for patterns of SQL Injection, we try to
find evidence of SQL queries in the logs such as
UNION SELECT. Sometimes the SQL Payloads may
be URL-encoded, requiring an additional processing
step to identify it efficiently.
XSS
To identify common XSS attack patterns, it is often
helpful to look for log entries with unexpected or
unusual input that includes script tags and event
handlers (onmouseover, onclick, onerror).
Directory Traversal
To identify common traversal attack patterns, look
for traversal sequence characters (../ and ../../) and
indications of access to sensitive files
(/etc/passwd, /etc/shadow).
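The pattern hunts described above (brute-force bursts, tool user agents, SQL injection, XSS and directory traversal), as an added example that is not part of the original document: a Python scanner over Apache/Nginx combined-format access log lines. The log lines, the /login endpoint and the five-failures-per-minute threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Apache/Nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Indicators named in the text: tool user agents and payload signatures.
SUSPICIOUS_UA = ("Nmap Scripting Engine", "(Hydra)")
PAYLOAD_RULES = {
    "sqli": re.compile(r"union\s+select|'\s*or\s+1\s*=\s*1", re.I),
    "xss": re.compile(r"<script|on(?:mouseover|click|error)\s*=", re.I),
    "traversal": re.compile(r"\.\./|/etc/(?:passwd|shadow)", re.I),
}
LOGIN_PATH = "/login"  # assumption: the application's login endpoint


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Decode once so URL-encoded payloads (%20UNION, %3Cscript) hit the same rules.
    rec["decoded_url"] = unquote_plus(rec["url"])
    return rec


def classify(rec):
    """Names of every indicator this single request trips (empty list if clean)."""
    hits = []
    if any(marker in rec["ua"] for marker in SUSPICIOUS_UA):
        hits.append("suspicious-ua")
    hits += [name for name, rule in PAYLOAD_RULES.items() if rule.search(rec["decoded_url"])]
    return hits


def brute_force_sources(records, threshold=5, window=timedelta(seconds=60)):
    """IPs with more than `threshold` failed logins (401 on the login path) inside any `window`."""
    failures = defaultdict(list)
    for r in records:
        if r["url"].startswith(LOGIN_PATH) and r["status"] == 401:
            failures[r["ip"]].append(r["ts"])
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged


def analyze(lines):
    records = [r for r in map(parse_line, lines) if r]
    payloads = [(r["ip"], r["url"], classify(r)) for r in records]
    return {"payloads": [p for p in payloads if p[2]], "brute_force": brute_force_sources(records)}


# Constructed sample log: six Hydra login failures in ten seconds, one benign failure,
# an encoded UNION SELECT, an encoded <script>, a traversal attempt and an Nmap probe.
SAMPLE_LOG = [
    f'10.0.0.5 - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /login HTTP/1.1" 401 212 "-" "Mozilla/4.0 (Hydra)"'
    for s in range(0, 12, 2)
] + [
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 401 212 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:56:09 +0000] "POST /login HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:01:00 +0000] "GET /products?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:01:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 402 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [10/Oct/2023:14:02:00 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 403 77 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [10/Oct/2023:14:02:30 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("brute-force sources:", sorted(result["brute_force"]))
    for ip, url, hits in result["payloads"]:
        print(ip, url, hits)
```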

Windows Logs Analysis


Premise
Almost all event logging capability within Windows is handled by ETW (Event Tracing for Windows) at both the application and kernel level.
Event IDs are a core feature of Windows logging. Events are sent and transferred in XML (Extensible Markup Language) format, which is the standard for how events are defined and implemented by providers.
Components of Event Tracing for Windows
ETW is broken up into three separate components,
working together to manage and correlate data.
Event logs in Windows are no different from
generic XML data, making it easy to process and
interpret.
From start to finish, events originate from the
providers. Controllers will determine where the data
is sent and how it is processed through sessions.
Consumers will save or deliver logs to be interpreted
or analyzed.
Event Controllers are used to build and configure
sessions. To expand on this definition, we can think
of the controller as the application that determines
how and where data will flow. From the Microsoft
docs, “Controllers are applications that define the
size and location of the log file, start and stop event
tracing sessions, enable providers so they can log
events to the session, manage the size of the buffer
pool, and obtain execution statistics for sessions.”
Event Providers are used to generate events. To
expand on this definition, the controller will tell the
provider how to operate, then collect logs from its
designated source. From the Microsoft docs,
“Providers are applications that contain event tracing
instrumentation. After a provider registers itself, a
controller can then enable or disable event tracing in
the provider. The provider defines its interpretation
of being enabled or disabled. Generally, an enabled
provider generates events, while a disabled provider
does not.”
Event Consumers are used to interpret events. To
expand on this definition, the consumer will select
sessions and parse events from that session or
multiple at the same time. This is most commonly
seen in the “Event Viewer”. From the Microsoft docs,
“Consumers are applications that select one or more
event tracing sessions as a source of events. A
consumer can request events from multiple event
tracing sessions simultaneously; the system delivers
the events in chronological order. Consumers can
receive events stored in log files, or from sessions
that deliver events in real time.”
Security Log
The Security log functions as a security log, an
audit log, and an access log. It records auditable
events such as successes or failures. Success
indicates an audited event completed successfully,
such as a user logging on or successfully deleting a
file. Failure means that a user tried to perform an
action but failed, such as failing to log on or
attempting to delete a file but receiving a permission
error instead.
Application Log
It records events sent to it by applications or
programs running on the system. Any application has
the capability of writing events in the Application log.
This includes warnings, errors, and routine
messages.
System Log
It records events related to the functioning of the operating system. This can include when it starts, when it shuts down, information on services starting and stopping, drivers loading or failing, or any other system component event deemed important by the system developers.

Enable success and failure logging on all categories
You should enable logging on all workstations to be able to collect and analyze logs. The command below enables auditing of every security and system category for both success and failure. This produces a very large volume of events, so size the Security log and its retention accordingly.

C:\> auditpol /set /category:* /success:enable /failure:enable

The commands below, one per line, enable success and failure auditing for individual system and security subcategories instead.

C:\> auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"File System" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Logon" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Registry" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"SAM" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"File Share" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Privilege Use Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Directory Service Replication" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

Auditing Windows Event Logs from command line
wevtutil.exe is the built-in command-line tool for working with event logs. Requesting the help menu:

wevtutil.exe /?

You can start by exporting the event logs to external .evtx files so that you can investigate them separately. Use a distinct file name per log, otherwise each export overwrites the previous one:

C:\> wevtutil epl Security C:\<BACKUP PATH>\security.evtx
C:\> wevtutil epl System C:\<BACKUP PATH>\system.evtx
C:\> wevtutil epl Application C:\<BACKUP PATH>\application.evtx

Querying the Application log and returning 3 results, newest first (reverse direction), in text format:

wevtutil qe Application /c:3 /rd:true /f:text

Clear all logs (enumerate every log name, then clear each one; this is destructive, so export first):

PS C:\> wevtutil el | ForEach-Object { wevtutil cl "$_" }
Investigating Event logs with PowerShell
Auditing all the logs in the local PC

[1]

PS C:\> Get-WinEvent -ListLog * | Select-Object LogName, RecordCount, IsClassicLog, IsEnabled, LogMode, LogType | Format-Table -AutoSize

[2]

PS C:\> Get-EventLog -List

Auditing log providers

Get-WinEvent -ListProvider * | Format-Table -AutoSize

Listing log providers with 'powershell' as a keyword

Get-WinEvent -ListProvider *PowerShell*

Listing the event IDs and descriptions that the Windows PowerShell provider can emit (the provider metadata exposes them through its Events property)

(Get-WinEvent -ListProvider Microsoft-Windows-PowerShell).Events | Format-Table Id, Description

Listing available logs containing a given keyword (replace kw with the keyword)

Get-WinEvent -ListLog * | findstr "kw"

Listing events on a specific log path

Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-PrintService/Admin"} | fl -Property *

Finding process related information using a given keyword about the process (Sysmon event ID 1, process creation; replace kw with the keyword)

Get-WinEvent -Path .\file.evtx -FilterXPath '*/System/EventID=1' | Sort-Object TimeCreated | Where-Object { $_.Message -like "*kw*" } | fl

Listing application logs from the WLMS provider generated at the given time

Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]'

Displaying events logged for processes that initiated network connections (Sysmon event ID 3)

Get-WinEvent -Path .\file.evtx -FilterXPath '*/System/EventID=3' | Sort-Object TimeCreated | fl

Listing security logs with Sam as target username and event id equal to 4724

Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4724'

Listing security logs with event id equal to 400

Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=400'

Listing logs from a log file with event id = 104, formatted as a list displaying all event properties

Get-WinEvent -Path .\merged.evtx -FilterXPath '*/System/EventID=104' | fl -Property *

Listing logs from a log file with event id = 4104 that carry a 'ScriptBlockText' data field, formatted as a list displaying all event properties

Get-WinEvent -Path .\merged.evtx -FilterXPath '*/System/EventID=4104 and */EventData/Data[@Name="ScriptBlockText"]' | fl -Property *

Listing logs from a log file with event id = 13 and the string 'enc' in the message field, formatted as a list displaying all event properties

Get-WinEvent -Path .\file.evtx -FilterXPath '*/System/EventID=13' | Sort-Object TimeCreated | Where-Object { $_.Message -like "*enc*" } | fl

Filtering events using a time range (replace "date" with a real date string, e.g. "2020-12-15 01:00")

$startdate = Get-Date -Date "date"
$enddate = Get-Date -Date "date"
Get-WinEvent -Path .\file.evtx -FilterXPath '*/System/*' | Where-Object { $_.TimeCreated -ge $startdate -and $_.TimeCreated -le $enddate } | Sort-Object TimeCreated

Filtering events that occurred on a single day

$date = Get-Date -Date "date"
Get-WinEvent -Path .\file.evtx -FilterXPath '*/System/*' | Where-Object { $_.TimeCreated.Date -eq $date.Date } | fl

Listing security logs with Sam as target username and event id equal to 4799

PS C:\> Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4799'

Listing account validation logs in the last 10 days

PS C:\> Get-EventLog Security 4768,4771,4772,4769,4770,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633 -After ((Get-Date).AddDays(-10))

Auditing accounts logged on/off in the last two days

PS C:\> Get-EventLog Security 4625,4634,4647,4624,4648,4675,6272,6273,6274,6275,6276,6277,6278,6279,6280,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633,4964 -After ((Get-Date).AddDays(-2))

Auditing access to file shares, file system, SAM and registry in the last two days

PS C:\> Get-EventLog Security 4671,4691,4698,4699,4700,4701,4702,5148,5149,5888,5889,5890,4657,5039,4659,4660,4661,4663,4656,4658,4690,4874,4875,4880,4881,4882,4884,4885,4888,4890,4891,4892,4895,4896,4898,5145,5140,5142,5143,5144,5168,4664,4985,5152,5153,5031,5150,5151,5154,5155,5156,5157,5158,5159 -After ((Get-Date).AddDays(-2))

Auditing the use of privilege

PS C:\> Get-EventLog Security 4672,4673,4674 -After ((Get-Date).AddDays(-1))

Auditing system changes and integrity events

PS C:\> Get-EventLog Security 5024,5025,5027,5028,5029,5030,5032,5033,5034,5035,5037,5058,5059,6400,6401,6402,6403,6404,6405,6406,6407,4608,4609,4616,4621,4610,4611,4614,4622,4697,4612,4615,4618,4816,5038,5056,5057,5060,5061,5062,6281 -After ((Get-Date).AddDays(-1))

Detecting the use of PsExec
Service installation events (ID 7045) in the System log whose message mentions the PsExec service. The default service name is PSEXESVC, so the match below is a case-insensitive regular expression rather than a case-sensitive .Contains("PSEXEC"), which would never match the default name:

Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} | Where-Object { $_.Message -match 'PSEXE' }
Investigating Logs with Sysmon and PowerShell
Hunting for Metasploit events (Sysmon network connections, ID 3, to the framework's default handler port 4444)

Get-WinEvent -Path .\Filtering.evtx -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"]=4444'

Filtering for network connections

Get-WinEvent -Path .\Filtering.evtx -FilterXPath '*/System/EventID=3'

Filtering for network connections in list format with a maximum quantity of one

Get-WinEvent -Path .\Filtering.evtx -FilterXPath '*/System/EventID=3' -MaxEvents 1 -Oldest | fl -Property *

Filtering for process access events (ID 10) targeting lsass.exe

Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"]="C:\Windows\system32\lsass.exe"'

Filtering for Alternate Data Streams events (ID 15)

Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'

Filtering for process hollowing events (ID 8, CreateRemoteThread)

Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'

Investigating IIS logs

Importing the cmdlets (the legacy snap-in on older IIS versions, or the module on newer ones; Get-IISSite itself ships in the IISAdministration module that comes with IIS 10):

PS C:\> Add-PSSnapin WebAdministration
PS C:\> Import-Module WebAdministration

Auditing website info

PS C:\> Get-IISSite

Auditing the IIS log file location

PS C:\> (Get-WebConfigurationProperty '/system.applicationHost/sites/siteDefaults' -Name 'logfile.directory').Value

It is common practice to store the log path in a variable for ease of use in later commands. The path may change according to your environment.

PS C:\> $LogDirPath = "C:\inetpub\logs\LogFiles\srvname"

Viewing the logs. IIS writes the W3C extended format: comment lines start with '#', and the '#Fields:' line names the space-separated columns, so that line is turned into the CSV header and every other comment line is dropped:

PS C:\> Get-Content $LogDirPath\*.log | %{ $_ -replace '#Fields: ', '' } | ?{ $_ -notmatch '^#' } | ConvertFrom-Csv -Delimiter ' '

If there is a specific log file from which you want to extract logs, use the command below

PS C:\> Get-Content iis.log | %{ $_ -replace '#Fields: ', '' } | ?{ $_ -notmatch '^#' } | ConvertFrom-Csv -Delimiter ' '

Extracting an IP pattern (here every client in 192.168.0.0/16; the dots are escaped so they do not match any character)

PS C:\> Select-String -Path $LogDirPath\*.log -Pattern '192\.168\.\d{1,3}\.\d{1,3}'

Hunting SQL injection patterns

PS C:\> Select-String -Path $LogDirPath\*.log -Pattern '(@@version)|(sqlmap)|(Connect\(\))|(cast\()|(char\()|(bchar\()|(sysdatabases)|(\(select)|(convert\()|(Connect\()|(count\()|(sysobjects)'
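The Get-Content | ConvertFrom-Csv pipeline above, as an added example that is not part of the original document: a Python reader for IIS W3C extended logs driven by the #Fields: directive (IIS writes a fresh directive whenever the field set changes or the log rolls), followed by the client-IP hunt and a per-client status summary. The log text is constructed.

```python
import re
from collections import Counter


def parse_w3c(text):
    """Yield one dict per request row, keyed by the names in the most recent #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # "#Fields: date time ..." -> column names
            continue
        if not line.strip() or line.startswith("#"):
            continue                             # #Software, #Version, #Date and blank lines
        if fields is None:
            raise ValueError("data row before any #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        # IIS writes '-' for an empty field; map it to None so callers can test for absence.
        yield {name: (None if value == "-" else value) for name, value in zip(fields, values)}


def requests_from(rows, ip_pattern):
    """Rows whose client address matches ip_pattern (the Select-String example above)."""
    rx = re.compile(ip_pattern)
    return [r for r in rows if r.get("c-ip") and rx.match(r["c-ip"])]


def status_summary(rows):
    """Count (client, status) pairs: a quick way to spot one client collecting many 4xx/5xx."""
    return Counter((r["c-ip"], r["sc-status"]) for r in rows)


# Constructed sample: a 14-column section, then a rollover with a narrower field set.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-03-01 00:00:01 10.0.0.10 GET /index.html - 443 - 192.168.1.20 Mozilla/5.0 200 0 0 15
2024-03-01 00:00:02 10.0.0.10 GET /admin/login.aspx - 443 - 192.168.1.20 Mozilla/5.0 401 2 5 3
2024-03-01 00:00:03 10.0.0.10 GET /admin/login.aspx - 443 - 192.168.1.20 Mozilla/5.0 401 2 5 2
2024-03-01 00:00:04 10.0.0.10 GET /products.aspx id=42 443 - 203.0.113.8 curl/8.0 500 0 0 120
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status time-taken
2024-03-01 01:00:00 10.0.0.10 GET /index.html - 443 192.168.1.21 200 4
"""

if __name__ == "__main__":
    rows = list(parse_w3c(SAMPLE_LOG))
    print(len(rows), "rows;", len(requests_from(rows, r"^192\.168\.")), "from 192.168.0.0/16")
    for (client, status), n in status_summary(rows).most_common():
        print(client, status, n)
```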

Investigating Windows Event Logs with Timeline Explorer
Timeline Explorer is a log analysis program with a graphical user interface. Log files need to be in CSV format and can be imported for analysis.
To convert an audit trail exported from Windows event logs to CSV, use EvtxECmd.exe as below:

.\EvtxECmd.exe -f 'C:\Users\user\Desktop\sysmon.evtx' --csv 'C:\Users\user\Desktop\' --csvf sysmon.csv

The figure below shows the logs after importing them into Timeline Explorer. We can use the search bar on the upper right to search the logs for any string.

Investigating Windows Event Logs with SysmonView
SysmonView is a Windows GUI-based tool that visualises Sysmon logs.
Before using this tool, we must export the log file's contents to XML via Event Viewer, as shown below. Once the XML file is created, import it into SysmonView:
Go to File > Import Sysmon Event Logs, then choose the XML files generated using Event Viewer.
Once loaded, the left sidebar has search functionality that can filter for a specific process.
Choose the image path and session GUID to render the mapped view.
As shown below with the green highlighter, you can search for or select the executable you want to investigate.
Windows Event IDs
Security

Group policy modification

Event ID 4719
Event ID 4739
User created or added
Event ID 4720
User successfully authenticated
Event ID 4625
Account logon
Event ID 4624
Account logoff
Event ID 4634
Process creation
Event ID 4688
Execution blocked due to restrictive policy
Event ID 4100
Member added to a universal security group
Event ID 4104
Member added from a universal security group
Event 4756
Member removed to a global security group
Event ID 4757
Member removed from a global security group
Event ID 4728
Event ID 4729
Pass The Hash
Passing the hash will generate 2 Event ID 4776 on the Domain Controller. The first event 4776 is generated during the authentication of the victim computer; the second event 4776 indicates the validation of the account from the originating computer (infected host) when accessing the target workstation (victim).
Event ID 4776
Event ID 4624 with a Logon Process of
NtLmSSP and/or an Authentication Package of
NTLM.
Account Lockout
Event ID 4625 and/or Event ID 4740.
Windows Security audit log was cleared
Event ID 1102
Log file was cleared
Event ID 104
Windows Event Log service was shut down
Event ID 1100
Powershell script block execution
Event ID 4104
Powershell command invocation
Event ID 4103
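The FilterXPath queries from the PowerShell section and the Pass-the-Hash indicator above (4624 with a Logon Process of NtLmSSP and an Authentication Package of NTLM), as an added example that is not part of the original document: a Python matcher over the XML form of Windows events, run against constructed Security and Sysmon events. The sample user names, image paths and addresses are assumptions.

```python
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}


def parse_event(xml_text):
    """Flatten one <Event> into a dict: a few System fields plus every EventData/Data[@Name]."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Provider": system.find("e:Provider", NS).get("Name"),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        rec[data.get("Name")] = data.text
    return rec


def matches(rec, event_id, **data):
    """Python form of '*/System/EventID=N and */EventData/Data[@Name="K"]="V" ...'."""
    if rec["EventID"] != event_id:
        return False
    return all(rec.get(name) == str(value) for name, value in data.items())


def pass_the_hash_candidates(events):
    """4624 logons through NtLmSSP/NTLM, the indicator from the text.  ANONYMOUS LOGON entries
    are dropped because they are routine NTLM noise rather than a credential being used."""
    return [r for r in events
            if matches(r, 4624, LogonProcessName="NtLmSSP", AuthenticationPackageName="NTLM")
            and r.get("TargetUserName") != "ANONYMOUS LOGON"]


def hunt(events):
    """The page's hunts: PtH, Metasploit default port 4444, lsass access, password reset of Sam."""
    return {
        "pass_the_hash": [(r["TargetUserName"], r["IpAddress"]) for r in pass_the_hash_candidates(events)],
        "port_4444": [r["Image"] for r in events if matches(r, 3, DestinationPort=4444)],
        "lsass_access": [r["SourceImage"] for r in events
                         if matches(r, 10, TargetImage=r"C:\Windows\system32\lsass.exe")],
        "password_reset_sam": [r["SubjectUserName"] for r in events
                               if matches(r, 4724, TargetUserName="Sam")],
    }


def make_event(provider, event_id, **data):
    """Constructed sample event in the XML layout Windows renders (demo input only)."""
    body = "".join(f'<Data Name="{name}">{value}</Data>' for name, value in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="2024-01-15T09:30:00.000000000Z"/></System>'
            f'<EventData>{body}</EventData></Event>')


SEC = "Microsoft-Windows-Security-Auditing"
SYSMON = "Microsoft-Windows-Sysmon"
SAMPLE_EVENTS = [  # constructed
    make_event(SEC, 4624, TargetUserName="alice", LogonType="3", LogonProcessName="Kerberos",
               AuthenticationPackageName="Kerberos", IpAddress="10.0.0.21"),
    make_event(SEC, 4624, TargetUserName="ANONYMOUS LOGON", LogonType="3",
               LogonProcessName="NtLmSSP", AuthenticationPackageName="NTLM", IpAddress="10.0.0.30"),
    make_event(SEC, 4624, TargetUserName="admin", LogonType="3", LogonProcessName="NtLmSSP",
               AuthenticationPackageName="NTLM", IpAddress="10.0.0.66"),
    make_event(SEC, 4724, SubjectUserName="helpdesk", TargetUserName="Sam"),
    make_event(SEC, 4724, SubjectUserName="helpdesk", TargetUserName="Bob"),
    make_event(SYSMON, 3, Image=r"C:\Users\bob\Downloads\update.exe",
               DestinationIp="203.0.113.9", DestinationPort="4444"),
    make_event(SYSMON, 3, Image=r"C:\Program Files\Mozilla Firefox\firefox.exe",
               DestinationIp="198.51.100.2", DestinationPort="443"),
    make_event(SYSMON, 10, SourceImage=r"C:\Temp\dump.exe",
               TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010"),
    make_event(SYSMON, 10, SourceImage=r"C:\Windows\explorer.exe",
               TargetImage=r"C:\Windows\System32\svchost.exe", GrantedAccess="0x1000"),
]


def hunt_sample():
    return hunt([parse_event(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for name, hits in hunt_sample().items():
        print(f"{name}: {hits}")
```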

Sysmon Events
Event ID 1: Process Creation
Event ID 5: Process Terminated
Event ID 3: Network Connection
Event ID 7: Image Loaded
Event ID 8: CreateRemoteThread [Persistence
operations - process migration]
Event ID 11: File Created
Event ID 12 / 13 / 14: Registry Event
Event ID 15: FileCreateStreamHash
Event ID 22: DNS Event
Event ID 13: Registry Value Set
Event ID 4720: New user created
Event ID 4103 : Powershell logging enabled
Event ID 4732: A member was added to a group
Event ID 4624: Pass The Hash
Linux Log Analysis
/var/log/syslog
The syslog file stores all system activity, including startup activity. Note that this is not the syslog protocol used to collect log entries from other systems.
/var/log/messages
This log contains a wide variety of general system messages. It includes some messages logged during startup, some messages related to mail, the kernel, and messages related to authentication.
/var/log/boot.log
This log includes entries created when the system boots.
/var/log/auth.log
The authentication log contains information related to successful and unsuccessful logins.
/var/log/faillog
This log contains information on failed login attempts. It can be viewed using the faillog command.
/var/log/kern.log
The kernel log contains information logged by the system kernel, which is the central part of the Linux operating system.
/var/log/httpd/
If the system is configured as an Apache web server, you can view access and error logs within this directory.

Web Servers:
Nginx:
Access Logs: /var/log/nginx/access.log
Error Logs: /var/log/nginx/error.log
Apache:
Access Logs: /var/log/apache2/access.log
Error Logs: /var/log/apache2/error.log
Databases:
MySQL:
Error Logs: /var/log/mysql/error.log
PostgreSQL:
Error and Activity Logs: /var/log/postgresql/postgresql-{version}-main.log
Web Applications:
PHP:
Error Logs: /var/log/php/error.log
Operating Systems:
Linux:
General System Logs: /var/log/syslog
Authentication Logs: /var/log/auth.log
Firewalls and IDS/IPS:
iptables:
Firewall Logs: /var/log/iptables.log
Snort:
Snort Logs: /var/log/snort/

Manual Analysis
Auditing authentication logs

# tail /var/log/auth.log
# grep -i "fail" /var/log/auth.log

Auditing user login logs in Ubuntu

tail /var/

Auditing samba activity

grep -i samba /var/log/syslog

Auditing cron job logs

grep -i cron /var/log/syslog

Auditing sudo logs

grep -i sudo /var/log/auth.log

Filtering 404 logs in Apache (excluding the noise from browsers and crawlers requesting favicon.ico and robots.txt)

grep 404 apache-logs.log | grep -v -E "favicon.ico|robots.txt"

Auditing files requested in Apache (the request path is the seventh whitespace-separated field of a combined-format line)

head access_log | awk '{print $7}'

View root user command history

# cat /root/.*history

View last logins

last

Network Logs
Network logs record traffic on the network. These
logs are on a variety of devices such as routers,
firewalls, web servers, and network intrusion
detection/prevention systems. You can typically
manipulate these devices to log specific information,
such as logging all traffic that the device passes, all
traffic that the device blocks, or both. These logs are
useful when troubleshooting connectivity issues and
when identifying potential
intrusions or attacks.
Logs Centralization
SIEM
Definition
A security information and event management (SIEM)
system provides a centralized solution for collecting,
analyzing, and managing data from multiple sources.
How it works

The SIEM collects log data from devices throughout the network and stores these logs in a searchable database. Log entries come from various sources, such as firewalls, routers, network intrusion detection and prevention systems, and more. They can also come from any system that an organization wants to monitor, such as web servers, proxy servers, and database servers.

The SIEM system collects data from multiple systems, and these systems typically format log entries differently. However, the SIEM system can aggregate the data and store it so that it is easy to analyze and search. A SIEM uses a correlation engine, a software component that collects and analyzes event log data from the various systems within the network and links related events together.

A SIEM typically comes with predefined alerts, which can provide continuous monitoring of systems and provide notifications of suspicious events. For example, if it detects a port scan on a server, it might send an email to an administrator group or display the alert on a heads-up display. SIEMs also include the ability to create new alerts.

SIEMs also include automated triggers. Triggers cause an action in response to a predefined number of repeated events. As an example, imagine a trigger for failed logons is set at five. If an attacker repeatedly tries to log on to a server using Secure Shell (SSH), the server's log will show the failed logon attempts. When the SIEM detects more than five failed SSH logons, it can change the environment and stop the attack. It might modify a firewall to block these SSH logon attempts or send a script to the server to temporarily disable SSH. A SIEM includes the ability to modify predefined triggers and create new ones.

Syslog Protocol
Definition
The syslog protocol specifies a general log entry
format and the details on how to transport log
entries. You can deploy a centralized syslog server
to collect syslog entries from a variety of devices in
the network, similar to how a SIEM server collects log
entries.
How it works
Any systems sending syslog messages are originators. They send syslog log entries to a collector (a syslog server). The collector can receive messages from external devices or from services and applications on the same system. For example, Linux systems include the syslogd daemon, which is the service that handles syslog messages. It collects the entries and processes them based on the rules in the /etc/syslog.conf file. Many syslog messages are routed to the /var/log/syslog file.
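The syslog entry format described above and the threshold trigger from the SIEM section (more than five failed SSH logons), as an added example that is not part of the original document: a Python collector-side parser for RFC 3164 style lines (PRI decoded into facility and severity, then timestamp, host, tag, pid and message) plus the trigger logic. The host name, addresses and lines are constructed.

```python
import re
from collections import Counter

# PRI = facility * 8 + severity; the tables below follow the RFC 3164 numbering.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron"] + \
             [f"local{n}" for n in range(8)]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # e.g. "Oct 11 22:14:15"
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"               # "sshd[1203]: " or "kernel: "
    r"(?P<msg>.*)$"
)
FAILED_SSH = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse_syslog(line):
    """Return a dict for one message, or None if the line is not RFC 3164 shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                       # 23 * 8 + 7 is the largest legal PRI
        return None
    rec = m.groupdict()
    rec["facility"] = FACILITIES[pri // 8]
    rec["severity"] = SEVERITIES[pri % 8]
    return rec


def failed_ssh_trigger(records, threshold=5):
    """Sources with more than `threshold` failed sshd logons: the SIEM trigger from the text."""
    counts = Counter()
    for r in records:
        if r["tag"] == "sshd":
            m = FAILED_SSH.search(r["msg"])
            if m:
                counts[m["src"]] += 1
    return {src: n for src, n in counts.items() if n > threshold}


def analyze(lines):
    records = [r for r in map(parse_syslog, lines) if r]
    return {
        "parsed": len(records),
        "by_severity": Counter(r["severity"] for r in records),
        "ssh_brute_force": failed_ssh_trigger(records),
    }


# Constructed sample: six failures from one source, one failure then success from another,
# a cron entry, a kernel warning, an application error and one malformed line.
SAMPLE_LINES = [
    f"<38>Oct 11 22:14:{s:02d} websrv-02 sshd[1203]: Failed password for invalid user admin "
    f"from 198.51.100.23 port 518{s:02d} ssh2"
    for s in range(10, 16)
] + [
    "<38>Oct 11 22:14:20 websrv-02 sshd[1210]: Failed password for alice from 10.0.0.8 port 40110 ssh2",
    "<38>Oct 11 22:14:25 websrv-02 sshd[1210]: Accepted password for alice from 10.0.0.8 port 40110 ssh2",
    "<78>Oct 11 22:15:01 websrv-02 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
    "<4>Oct 11 22:15:07 websrv-02 kernel: [12345.678901] eth0: link is down",
    "<11>Oct 11 22:15:09 websrv-02 apache2[880]: AH00015: Unable to open logs",
    "this line is not syslog formatted",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    print(result["parsed"], "messages parsed;", dict(result["by_severity"]))
    print("SSH brute-force trigger fired for:", result["ssh_brute_force"])
```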
Syslog Software Tools For Linux

Syslog-ng extends syslogd, allowing a system to collect logs from any source. It also includes correlation and routing abilities to route log entries to any log analysis tool. It provides rich filtering capabilities, content-based filtering, and can be extended with tools and modules written in other languages. It supports TCP and TLS.

Rsyslog came out later as an improvement over syslog-ng. One significant change is the ability to send log entries directly into database engines. It also supports TCP and TLS.

Syslog Software Tools For Windows

NxLog-ng functions as a log collector, and it can integrate with most SIEM systems.
