Understanding Logging (Security+ SY0-701 Series)

Study HallSecurity+
Written By Deirra Footman

This Post covers the following Exam Objectives:

  • 1.1 Compare & Contrast various types of Security Concepts

  • 1.2 Summarize Fundamental Security Concepts

Disclaimer: These are simply the notes I’ve taken while reviewing the OCG or a video series—they're not a complete study resource. Use this to supplement your studies. 🤗

Logs help security professionals investigate and determine the context (who, what, when, where etc) of an event or incident. Logging is a key part of a security strategy.

Types of Logs

  • Operating System/Endpoint Logs: Every operating system provides the ability to generate and store logs.

  • Windows: You can view logs using the Event Viewer in Windows.

    • Security Log: Functions as a security log, an audit log, and an access log. It records auditable events such as successes or failures. Some auditing is done by default, but administrators can add additional auditing.

    • System Log: Record events related to the functioning of the operating system.

    • Application Log: Records events sent to it by applications or programs running on the system. This includes warnings, errors, and routine messages.

  • Linux

    • Store logs in the /var/log/ directory

      • Logs can be viewed using the system log viewer or by using the cat command from the terminal.

      • Use /var/log/syslog and/or /var/log/messages (depends on OS Flavor) to view logs related to general system messages.

      • Use /var/log/secure to see logs related to authentication and authorization of user sessions

  • Network Logs: Network logs record traffic on network devices such as switches, routers, firewalls. These devices can be configured to log different types of information. Helps with troubleshooting connectivity and network access issues.

  • Firewall Logs: Firewall logs record every attempt to access the network and/or applications.

  • IDS/IPS Logs: IDS alert administrators to possible intrusions while IPS tries to block suspicious activity. Both record logs related to possible attacks.

  • Packet Captures: Leverges a packet capture tool (ex. Wireshark) to capture network traffic. Helpful when investigating an active security incident allowing you to review and reconstruct the data later.

  • Application Logs: Logs applications can capture

    • host: The IP address or hostname of the client requesting the page.

    • user-identifier: The name of the user requesting the page (if known).

    • authuser: The user’s logon name requested in the page, if the user logged on.

    • date: The date and time of the request.

    • request: The actual request line sent by the client.

    • status: The HTTP status code returned to the client.

    • bytes: The byte length of the reply.

  • Metadata: Metadata is data that provides information about other data. Many applications store metadata about files and messages such as when the file was created, when a message was sent etc.

Examples of Centralized Logging and Monitoring

SIEM Systems

A SIEM (Security Information and Event Management) system centralizes the collection, analysis, and management of security data from various systems, applications, and infrastructure devices. It combines Security Event Management (SEM) and Security Information Management (SIM) to provide real-time monitoring, analysis, and alerts for security incidents.

Key features include:

  • Log Collection: Gathers log data from various devices on the network and stores them in a searchable database.

  • Data Inputs: Logs come from firewalls, routers, intrusion detection/prevention systems, and other monitored systems like web servers and databases.

A SIEM dashboard gives administrators an overview of activity and alerts. A dashboard is commonly made up of:

  • Sensors: Agents placed on network systems collect logs and send them to the SIEM. The dashboard displays this incoming data.

  • Alerts: When predefined triggers are met, the system generates alerts, which appear on the dashboard and may also trigger responses like emails.

  • Correlation: The system analyzes and correlates log data, displaying it in various formats based on user preferences.

  • Trends: The system identifies patterns, such as increased failed logins, and presents them in graphical form for easy analysis.

Additionally, SIEM tools can provide the following:

  • Log Aggregation: Converts different log formats into a unified format for easier analysis.

  • Correlation Engine: Collects and analyzes log data to identify patterns and security events.

  • Automated Reports: Pre-defined and custom reports for monitoring network traffic, device events, threats, logins, and compliance.

  • User Behavior Analysis (UBA): Monitors user activity across applications and networks to detect anomalies.

  • Security Alerts: Predefined alerts provide continuous system monitoring and flag suspicious events.

  • Automated Triggers: Actions are executed in response to repeated security events.

  • Time Synchronization: Ensures all logs are timestamped accurately.

  • Archiving: Moves older logs to cost-effective storage while keeping them accessible if needed.

Understanding Syslog

The syslog protocol defines the format and transport of log entries. Systems that send syslog messages are

  • Originators: Devices or applications that send syslog messages

  • Collectors: System (syslog server)receives messages from external devices or local applications.

Key Point: The protocol only specifies message formatting and transmission, not how the syslog server processes the logs.

Deirra Footman
Next

Mastering Security Basics (Security+ SY0-701 Series)