02 Dec 2022
Log Analysis - Santa's Naughty & Nice Log
Windows logs are available through Event Viewer.
Linux (Ubuntu/Debian) keeps OS logs, and often software-specific logs (e.g. apache2), in /var/log. Ubuntu logs include:
auth.log - Authentication
dpkg.log - Package (software) Management
syslog - Background items, e.g. crontabs executing, services starting/stopping, log rotation, etc.
kern.log - Kernel. Changes to the kernel, plus output from devices like network equipment and USB devices
Acronym I always forget - SIEM - Security Information and Event Management. Splunk is an example of SIEM software; it aggregates logs for analysis.
Default search location is the current working directory, so a bare filename is resolved relative to it.
Usage: grep [options] search-term filename (or path/filename).
Suggested search terms include:
- device name
- file name
- user name
- IP address
- a certain time or date
Common options include:
- -i case-insensitive search
- -E use regex (regular expressions), e.g. “thm|tryhackme” to search for lines containing either word
- -r recursive search (search all files in a directory)
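Worked example of the three grep options above, added here and not part of the original notes: it builds a throwaway /var/log tree with constructed auth.log and syslog lines (sample data, not from the room), then runs the kinds of searches a log-analysis task asks for. Hostnames, usernames and IPs are made up.

```shell
#!/bin/sh
# Added example: constructed Ubuntu-style logs plus grep -i / -E / -r searches.
set -eu

LOGDIR="$(mktemp -d)"
trap 'rm -rf "$LOGDIR"' EXIT
mkdir -p "$LOGDIR/var/log"

# Constructed sample auth.log lines (sshd and sudo), not real data
cat > "$LOGDIR/var/log/auth.log" <<'EOF'
Dec  2 08:01:13 workstation sshd[1021]: Accepted password for elf from 10.10.14.5 port 50122 ssh2
Dec  2 08:02:47 workstation sshd[1033]: Failed password for invalid user admin from 10.10.88.23 port 41566 ssh2
Dec  2 08:02:51 workstation sshd[1033]: Failed password for invalid user admin from 10.10.88.23 port 41566 ssh2
Dec  2 08:05:09 workstation sudo:      elf : TTY=pts/0 ; PWD=/home/elf ; COMMAND=/usr/bin/apt update
EOF

# Constructed sample syslog lines (cron and systemd background items)
cat > "$LOGDIR/var/log/syslog" <<'EOF'
Dec  2 08:00:01 workstation CRON[998]: (root) CMD (run-parts /etc/cron.hourly)
Dec  2 08:03:30 workstation systemd[1]: Starting Daily apt download activities...
EOF

# -i: case-insensitive match; -c counts matching lines instead of printing them
count_failed_logins() {
    grep -ic 'failed password' "$LOGDIR/var/log/auth.log"
}

# -E: regex alternation (like "thm|tryhackme" above), here two IPs of interest
lines_for_ips() {
    grep -E '10\.10\.88\.23|10\.10\.14\.5' "$LOGDIR/var/log/auth.log" | wc -l | tr -d ' '
}

# -r: recursive search of the whole log directory; -l lists only matching files
files_mentioning_user() {
    grep -rli 'elf' "$LOGDIR/var/log" | wc -l | tr -d ' '
}

# Typical pivot: which source IP produced the most failed logins
top_failed_ip() {
    grep -i 'failed password' "$LOGDIR/var/log/auth.log" \
        | grep -oE 'from [0-9.]+' | awk '{print $2}' \
        | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'
}

echo "failed logins: $(count_failed_logins)"
echo "lines for IPs of interest: $(lines_for_ips)"
echo "files mentioning user elf: $(files_mentioning_user)"
echo "top failed-login source: $(top_failed_ip)"
```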
Deploy VM and search the logs. Feel like I cheated on two questions because I took an educated guess rather than finding concrete evidence. Had to watch the video and realized I thought about a search term but hadn’t tried it. Yeesh.