=============================
Log Files
=============================
Nearly every system creates events or log entries continuously, and these can be used to troubleshoot or analyse an IT system.
Log files could range from zero to tens of thousands of entries, depending upon the system and the circumstances.
Care should be taken when requesting log files: they may be lengthy and unwieldy, and an untargeted request is an unnecessary waste of time and resources.
It is therefore important to understand:
You should:
Before you request logs you should ask yourself:
=============================
Key logs of interest
=============================
Network Devices
Key areas of interest:
Router System Logs
These vary widely according to the make and manufacturer of the device.
Most domestic routers provide a system log which may provide the following types of information:
Remote Access / VPN Logging
There are many ways to allow a user/computer to access a network remotely.
The most common approach is using the following technologies:
Each service may require a separate server or hardware device (router) to allow access, and therefore the associated logs may be located on several devices.
To centralise remote access connections the following technologies may be used, however these are normally found on larger/enterprise networks:
Regardless of the system being used, all remote access services will log (either locally or centrally) the following types of activity:
Remote Access Policies will also determine the level of access each user has and when they are allowed to connect to the corporate network.
Proxy Logs
Larger Organisations may use a Proxy to gain access to the Internet from the internal, private network.
These devices/servers are designed to generate more comprehensive logs and may prove to be invaluable in an investigation.
Many also incorporate Firewall, Malware and Intrusion Detection Systems.
Examples of Proxy Logs may include:
Server Logs
Server logs are likely to be very large and are retained (saved) on a schedule set by the administrator.
Typical Server Logs of interest would include:
Servers may also have auditing implemented on specific areas to safeguard data or for compliance.
Server logs may be collected at a central point for ease of administration.
Event Viewer
The built-in log viewer application on every Windows device is Event Viewer.
It allows for administrative logs to be collected under these 4 categories:
However it is possible to customise your own view and to view specific applications and services on each computer.
By default Event Viewer only collects logs from the local machine, but it can be set up to collect logs from remote devices in order to display them in a central location.
Logs may be saved as .evtx files and loaded back into Event Viewer to analyse.
Logs may then be filtered or sorted according to search requirements.
Third-party tools are also available; however, these are often variations on Event Viewer.
Web Server Logs
A Web Server will log routine events like any other server.
However specific logs may include:
Web Servers are predominantly hosted on Linux (Apache) or Microsoft IIS platforms.
Although the files are kept in different locations, the logging and its output are very similar for both systems.
Web Server Logs will contain detailed information about connections made (or attempted) to the site: the client IP address, date and time, the method and URL requested, the status code returned and the User-Agent presented.
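The point that IIS and Apache logs are laid out differently but record the same facts can be shown by normalising both into one shape and asking the same question of each. The following is an added example, not code from the original page: the IIS (W3C) and Apache (combined format) log lines are constructed for this example, using documentation IP ranges rather than real traffic, and the two parser functions are assumed names, not built-in cmdlets.

```powershell
# Added example (not from the original page): normalise IIS W3C and Apache
# combined-format access logs into one shape, then report failed requests
# per client. Sample lines are constructed; addresses are documentation ranges.

# Constructed IIS W3C sample. IIS writes a '#Fields:' directive naming the
# columns, and encodes spaces inside a field as '+'.
$IisSample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-03-01 09:15:02 10.0.0.5 GET /login.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200
2024-03-01 09:15:09 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 401
2024-03-01 09:15:11 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 401
2024-03-01 09:16:40 10.0.0.5 GET /admin/ - 443 - 198.51.100.9 curl/8.0 404
'@

# Constructed Apache combined-format sample: host ident user [time] "request" status bytes "referer" "agent".
$ApacheSample = @'
203.0.113.7 - - [01/Mar/2024:09:15:02 +0000] "GET /login.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows)"
203.0.113.7 - - [01/Mar/2024:09:15:09 +0000] "POST /login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Windows)"
198.51.100.9 - - [01/Mar/2024:09:16:40 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "curl/8.0"
'@

function ConvertFrom-IisLog {
    # Follows the '#Fields:' directive rather than assuming a column order,
    # because administrators can enable or reorder fields per site.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line -like '#*' -or -not $line.Trim()) { continue }   # other directives / blank lines
        if (-not $fields) { throw 'Data line encountered before a #Fields directive' }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]@{
            Time     = [datetime]::ParseExact("$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            ClientIP = $row['c-ip']
            Method   = $row['cs-method']
            Path     = $row['cs-uri-stem']
            Status   = [int]$row['sc-status']
            Source   = 'IIS'
        }
    }
}

function ConvertFrom-ApacheLog {
    param([string[]]$Lines)
    $pattern = '^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) '
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $stamp = ($Matches['time'] -split ' ')[0]   # drop the '+0000' offset before ParseExact
            [pscustomobject]@{
                Time     = [datetime]::ParseExact($stamp, 'dd/MMM/yyyy:HH:mm:ss', [cultureinfo]::InvariantCulture)
                ClientIP = $Matches['ip']
                Method   = $Matches['method']
                Path     = $Matches['path']
                Status   = [int]$Matches['status']
                Source   = 'Apache'
            }
        }
        # lines that do not fit the format are skipped rather than guessed at
    }
}

$all = @(ConvertFrom-IisLog ($IisSample -split "`r?`n")) +
       @(ConvertFrom-ApacheLog ($ApacheSample -split "`r?`n"))

# The same question asked of both servers at once: which clients produced
# failed requests (4xx/5xx), how many, and which paths were they after?
$all | Where-Object Status -ge 400 |
    Group-Object ClientIP |
    Sort-Object Count -Descending |
    Select-Object Name, Count, @{ n = 'Paths'; e = { ($_.Group.Path | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

On the constructed sample this lists 203.0.113.7 with three failures against the two login pages and 198.51.100.9 with two against /admin/. With real files, replace the here-strings with `Get-Content` on the log path, and remember that IIS timestamps are UTC by default while Apache's carry an explicit offset, so align the time zones before comparing across servers.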
File Server Logs:
Access to resources (network shares) is controlled through group membership and access control lists created and maintained by system administrators.
User accounts are added to Security Groups to ease the administration of granting access to multiple users.
Permissions are normally granted based on either Discretionary Access Control (DAC) or Role-Based Access Control (RBAC) methods.
In a workgroup, access is controlled using Local Users and Groups.
In a Domain, users are authenticated by Kerberos on a Domain Controller; the permissions themselves are still held in the access control list on the file server.
Folders may be subject to auditing policies.
Administrators may be able to detail the number, type and location of files per user, group, type and size etc. using file server resource management systems.
File Server Auditing
User access rights and permissions are subject to the Security Group they belong to.
In most cases a User belongs to the default group (Everyone/Domain Users) and, when a network share is created, that group will have Read permissions.
Permissions are then modified to suit the needs of the User or Group. Group memberships are recorded in 'Local Users and Groups' in a Workgroup and in 'AD Users and Computers' in a Domain.
A File Server holds the Access Control List, which allows the administrator to view, change and audit permissions.
A systems administrator can easily see the Effective Access a particular user has to a resource and which groups he/she belongs to.
The Security log on a File Server will indicate when a User has logged on (remotely or locally, Event ID 4624) and connected to a network share (Event ID 5140) or accessed a Folder/File within it (Event ID 5145, which requires the 'Detailed File Share' audit policy to be enabled).
If Auditing is enabled on the resource (an audit entry on the folder itself plus the 'File System' audit policy) the administrator will get a more detailed file access log (Event ID 4663) which will 'track' the user's activity; this feature is not on by default and will generally only be used on specific Folders across a network.
Using Event Viewer the administrator can view these audit events, but they are very detailed and may require specialist assistance.
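The two halves of the paragraph above, switching auditing on for a folder and then reading the resulting Security-log events back, can be shown end to end in PowerShell. This is an added example, not code from the original page: the folder D:\Shares\Finance, the account 'jsmith', the output path and the helper name Get-EventField are assumptions for this example. It is run in an elevated PowerShell session on the file server.

```powershell
# Added example (not from the original page): enable share and file auditing
# on a Windows file server, then reduce the resulting Security-log events to
# a per-user access report. Folder, account and output paths are placeholders.

# 1. Audit policy subcategories. 'File Share' yields 5140 (share connected),
#    'Detailed File Share' yields 5145 (each file/folder reached through the
#    share), 'File System' yields 4663 for objects that carry an audit entry.
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Audit entry (SACL) on the folder: log successful and failed read, write
#    and delete by Everyone, inherited by subfolders and files. Without this
#    step the 'File System' policy alone produces no 4663 events here.
$folder = 'D:\Shares\Finance'
$acl = Get-Acl -Path $folder -Audit              # -Audit is required to read and write the SACL
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Read the events back for one user over the last day, flattening the
#    XML payload so the interesting fields become columns.
function Get-EventField {
    # Returns the value of a named <Data> element from an event's EventData.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{
    LogName   = 'Security'
    Id        = 5140, 5145, 4663
    StartTime = (Get-Date).Date.AddDays(-1)
}
$report = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'SubjectUserName') -eq 'jsmith' } |
    ForEach-Object {
        $failed = $_.KeywordsDisplayNames -contains 'Audit Failure'
        # 4663 carries the full path in ObjectName; 5145 carries a path relative to the share.
        $object = if ($_.Id -eq 4663) { Get-EventField $_ 'ObjectName' } else { Get-EventField $_ 'RelativeTargetName' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Outcome = $(if ($failed) { 'Failure' } else { 'Success' })
            Client  = Get-EventField $_ 'IpAddress'     # 5140/5145 only: the connecting client
            Share   = Get-EventField $_ 'ShareName'     # 5140/5145 only
            Object  = $object
            Access  = Get-EventField $_ 'AccessMask'    # hex mask of the rights requested
        }
    }

$report | Sort-Object Time | Format-Table -AutoSize
$report | Export-Csv -Path 'C:\Evidence\jsmith-file-access.csv' -NoTypeInformation
```

Step 1 and step 2 are the "auditing enabled on the resource" that the text refers to; without step 2 only the share-level 5140/5145 events appear. The AccessMask values are the raw Windows access-right bits (for example 0x1 ReadData, 0x2 WriteData, 0x10000 Delete), which is the level of detail that usually calls for the specialist assistance mentioned above.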
File Server and Resource Management
Built-in and 3rd party tools allow an administrator to quickly produce detailed reports about a user's data on the network.
This can include:
Reports may be generated on a scheduled basis (for monitoring) or on a one-off basis and tailored to meet the needs of an investigation.
The Domain Controller Logs
This is the key security logging service on a Domain. It is responsible for logging:
The Security Logs on a DC will be very large, and therefore it is essential that filters are used to reduce the collateral and non-essential data.
Basic Filters may be used as a 'quick and easy' approach to filter by date/time and activity (Event IDs).
More complex filters are used to drill down into the logs and can be used to trawl through multiple logs for specific items (User Accounts etc).
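The basic and complex filters just described, and the Event Viewer features mentioned earlier (collecting from remote machines, and loading a saved .evtx export), all map onto the Get-WinEvent cmdlet, which is the engine behind Event Viewer's own filter dialog. The following is an added example, not code from the original page: the DC names DC01 and DC02, the account 'jsmith', the date window and the export path C:\Evidence\DC01-Security.evtx are assumptions for this example.

```powershell
# Added example (not from the original page): Security-log filtering on a
# Domain Controller with Get-WinEvent. DC01/DC02, 'jsmith', the time window
# and the .evtx path are placeholders.

# Basic filter: a date/time window plus a short list of Event IDs.
#   4624 logon success, 4625 logon failure, 4740 account locked out,
#   4768 Kerberos TGT requested, 4771 Kerberos pre-authentication failed.
$basic = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4740, 4768, 4771
    StartTime = Get-Date '2024-03-01 08:00'
    EndTime   = Get-Date '2024-03-01 18:00'
}
$live = Get-WinEvent -ComputerName DC01 -FilterHashtable $basic -ErrorAction SilentlyContinue

# The same style of filter against a saved export, so analysis runs on a copy
# rather than the live DC. 'Path' takes the place of 'LogName' for a .evtx file.
$saved = @{ Path = 'C:\Evidence\DC01-Security.evtx'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-7) }
$offline = Get-WinEvent -FilterHashtable $saved -ErrorAction SilentlyContinue

# Complex filter: one account across several DCs. Matching the TargetUserName
# field inside EventData with XPath is done by the event log service itself,
# so only the matching records cross the network.
$account = 'jsmith'
$xpath = "*[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4771)] " +
         "and EventData[Data[@Name='TargetUserName']='$account']]"

$hits = foreach ($dc in 'DC01', 'DC02') {
    Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -MaxEvents 1000 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the <Data Name="..."> elements into a lookup table.
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                DC        = $dc
                Id        = $_.Id
                Account   = $data['TargetUserName']
                LogonType = $data['LogonType']   # 4624/4625 only: 2 interactive, 3 network, 10 remote desktop
                SourceIP  = $data['IpAddress']   # client address on all four event types
                Status    = $data['Status']      # failure reason code on 4625/4771
            }
        }
}

$hits | Sort-Object Time | Format-Table -AutoSize

# Which source addresses produced the failures for this account?
$hits | Where-Object { $_.Id -in 4625, 4771 } |
    Group-Object SourceIP | Sort-Object Count -Descending | Select-Object Name, Count

$hits | Export-Csv -Path 'C:\Evidence\jsmith-dc-logons.csv' -NoTypeInformation
```

Querying each DC is necessary because a domain account's logons are recorded on whichever DC authenticated it, not replicated between them. The XPath form is the one Event Viewer shows on the XML tab of its Filter dialog, so a filter built interactively there can be pasted into -FilterXPath unchanged.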