Logging
Detailed lists of application information, system performance statistics and user activity
Can be useful to keep track of computer use, network activity, security issues and error reports
Actions generate events which are logged on many devices
Impractical to review these locally
Available on Unix and Linux
Can be used on Windows
Uses UDP 514 by default; TCP 514 can be used for more reliability
Some more secure standards require that TCP 6514 (syslog over TLS) is used
Made up of three components: priority value (PRI), header and message.
PRI is derived from the facility code and the severity level:
PRI = (facility code * 8) + severity value
Contains information like timestamps, hostnames, application names, message IDs.
Each message can be either plain text or machine readable.
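As an added example (not part of the original notes), the following Python decodes the PRI value back into facility and severity and splits an RFC 5424 syslog line into its three parts. The sample lines are constructed for the demo; the facility and severity name tables follow the numbering in the standard.

```python
import re
from typing import Optional

# Facility and severity names in numeric order (RFC 5424, section 6.2.1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD or -] MSG
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) "
                       r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$")

# Constructed sample lines for the demo, not real captured traffic.
SAMPLE_LINES = [
    "<38>1 2024-03-09T12:00:00Z host1 sshd 1201 ID01 - Accepted publickey for alice from 10.0.0.5",
    '<163>1 2024-03-09T12:00:05Z fw01 filterlog - - [origin ip="192.0.2.1"] blocked inbound tcp to port 22',
]

def pri_from(facility: int, severity: int) -> int:
    """PRI = (facility * 8) + severity, the formula from the notes; mail.info gives 22."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity

def decode_pri(pri: int) -> tuple[str, str]:
    """Invert the formula: facility is the quotient by 8, severity the remainder."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_syslog(line: str) -> Optional[dict[str, str]]:
    """Split one RFC 5424 line into PRI fields, header fields and message; None if the header does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    rest = m["rest"]
    # Structured data is either a lone "-" or one or more [id k="v" ...] blocks before the message.
    sd = re.match(r"-|(?:\[[^\]]*\])+", rest)
    message = rest[sd.end():].lstrip() if sd else rest
    return {"facility": facility, "severity": severity, "timestamp": m["ts"], "hostname": m["host"],
            "app_name": m["app"], "msg_id": m["msgid"], "message": message}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
```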
The first label is the function (facility). For example, mail servers usually use the mail facility.
The second label specifies the severity level.
The action is then specified, which is usually a file in /var/log.
Binary files with the .evtx extension
Stored locally under the Windows directory of the operating system.
%WinDir%\system32\Config\*.evt
%WinDir%\system32\winevt\Logs\*.evtx
Keep a detailed log of the majority of events
Registered event logs include: Application, System, Security, Directory Service, DNS Server and File Replication Service.
Information about events which relate to the Windows Security Audit Policies
Account logon events
Account Management
Privilege use
Resource Usage
Sysmon is a Windows system service and device driver.
Monitors and logs system activity
Logs process creation with the full command line for both the current and parent processes
Includes session GUID
Logs loading of drivers and DLLs with their signatures and hashes
Optionally logs network connections.
Detects changes in file creation time.
Rule filtering to include or exclude certain events
Download Sysmon, change to its directory and run sysmon -i
Azure is usually monitored through Azure Monitor and a Log Analytics workspace.
Can automatically acquire logs from many devices
Azure can be connected to many different SIEM platforms
Uses Kusto Query Language (KQL)
Osquery is a universal, open source project developed by Facebook
Uses SQL to explore data
Provides one agent for multiple operating systems
Log aggregation is the process of collecting logs, parsing them, extracting structured data, then putting them in a format that is easy to understand
Syslog - standard logging protocol, syslog server can be set up which receives logs from multiple sources
Event Streaming - Protocols like SNMP, NetFlow and IPFIX allow network devices to provide standard information about their operations.
Log Collectors - software agents which run on network devices, capture logs, parse them and send them to a centralized aggregator.
Direct access - log aggregators that can directly access devices
Structured data - usually logs from Apache, IIS, Windows events, Cisco devices and some other manufacturers. They have clearly defined fields.
Unstructured data - usually from custom-built applications. Most likely the majority of data being sent to a SIEM