Log File Monitoring and Alerting

February 28, 2019

Critical Security Logs to Review

Log management is an part of any server administrator’s responsibility and is an part of security solutions.

By monitoring log files, you can gain detailed insight on server security. If you want to take a proactive approach to server management, regular log file analysis is required.

Logs are main evidence of an attack, therefore it is so important not just collect logs, but analyse them and detect anomalies.

There you can find some tips on critical logs that you need for incident investigation and response.

What log sources to use?

  • Server operating system logs (Windows Events, syslog)
  • Access logs (nginx, apache)
  • Software logs (mysql, sqlserver)
  • Cloud logs (AWS cloud logs, Azure)
  • Security tools logs (anti-virus, fail2ban)
  • Outbound proxy logs
  • Business event logs (logins to admin, download reports)

Where to look for logs?

  • Linux OS and core applications: /var/log
  • Windows OS and core applications: Windows Event Log (Security, System, Application)
  • Application Logs: <custom paths>

What is interesting about Linux?

  • Successful user login ("accepted password", "accepted publickey", "session opened")
  • Failed user login ("authentication failure", "failed password")
  • adding a new ssh key
  • User log-off ("session closed")
  • User account change or deletion ("password changed", "new user", "delete user")
  • Sudo actions ("sudo: ...COMMAND=..." "FAILED su")
  • Service failure ("failed", "failure")
  • Cron logs
  • Mail logs

What is interesting about Windows?

  • Windows Events/Application
    • new product installed: 1033
  • Windows Events/Security
    • failed remote desktop logins on server: 4625
    • new user account created: 4720
    • user account enabled: 4722
    • user account changed: 4725, 4726, 4724, 4732
    • new services installed: 2000
  • Windows Events/Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    • success Local logins on server: 21, 25
    • success Remote desktop logins on server: 21, 25
  • Windows Events/Microsoft-Windows-Windows Defender/Operational
    • virus detected: 1006-1009, 1116-1119
    • antivirus database updated: 2000
  • IIS Logs
    • c:\inetpub\logs\LogFiles\W3SVC*\*.log (Default path)
  • FTP Logs
    • c:\inetpub\logs\LogFiles\FTPSVC*\*.log (Default path)
  • Firewall logs if logging enabled
    • c:\WINDOWS\system32\LogFiles\Firewall\*.log

What is interesting about Web servers?

  • Excessive access attempts to non-existent files
  • Code (SQL, HTML) seen as part of the URL
  • Base64 encoded parameters
  • Access to extensions you have not implemented
  • Web service stopped/started/failed messages
  • Access to "risky" pages that accept user input
  • Look at logs on all servers in the load balancer pool
  • Error code 200 on files that are not yours
  • Error code 401, 403, 400, 500

What is interesting about Cloud?

  • Azure Monitor
  • Azure Security Center (tenant logs, resource logs)
  • Amazon Cloud Watch
  • AWS CloudTrail
  • AWS Load Balancing
  • AWS Network Log