4_3_4 Section 4 – Operations and Incident Response - 4.3 – Investigations- Log Files

Questions and Answers

What is the primary function of a Security Information and Event Manager (SIEM)?

To configure Syslog options on devices

To generate log entries on Linux devices

To consolidate logs from different devices (correct)

To process log information from a single device

What is the purpose of a facility code in a Syslog log entry?

To identify the program that created the log entry (correct)

To specify the severity level of the log entry

To determine the log entry's destination

To specify the type of device that generated the log entry

Which of the following is NOT a popular syslog daemon for Linux devices?

rsyslog

NXLog

syslog-ng

syslog (correct)

What is the benefit of using a SIEM to consolidate log files from different devices?

To make it easier to search and analyze log data

What is the purpose of a severity level in a Syslog log entry?

To indicate the level of importance of the log entry

What is the primary benefit of using Syslog to transfer log files?

To allow for centralized log collection and consolidation

What is the primary purpose of the journalctl utility in Linux?

To query the system journal for log information

What type of logs are specific to the operating system itself?

System logs

What is the primary reason for monitoring bandwidth usage?

To qualify available bandwidth for applications

What protocol is used for bandwidth monitoring?

All of the above

What type of information is contained in the headers of an email message?

All of the above

What is the purpose of metadata in files?

To describe other types of data

What type of information can be stored in the metadata of a picture taken on a mobile device?

All of the above

What type of information is transferred in the metadata of a web browser connection?

All of the above

What type of information can be found in the metadata of a Microsoft Office document?

All of the above

What format are Linux system logs stored in?

Binary format

What can you see in the details of an email message?

The return path and other validation details

What is the primary function of NetFlow?

To gather network statistics from switches and routers

What is the architecture of NetFlow?

Probe and collector are separated

What is the primary purpose of protocol analyzers?

To troubleshoot complex application problems

What is IPFIX?

A newer version of NetFlow

Why is sFlow used?

To reduce the resources required for network traffic analysis

What type of networks can protocol analyzers be used on?

Both wireless and wired networks, as well as wide area networks

What can you infer from sFlow devices?

Relatively accurate statistics from sampled traffic

What feature of protocol analyzers allows users to view specific information?

Packet filtering

What is the purpose of a protocol analyzer?

To get detailed information of network traffic

What information is provided by the protocol decodes on a protocol analyzer?

A plain English breakdown of network traffic

What is shown in the NetFlow collector front end?

Top 10 conversations and top 10 endpoints by bandwidth

What information can be seen in the packet by packet breakdown of a protocol analyzer?

Delta times, source IP addresses, source port numbers, and other information

What is the advantage of IPFIX over NetFlow?

It provides more flexibility in data collection

What is the benefit of using a protocol analyzer to troubleshoot network issues?

It provides a detailed breakdown of network traffic, making it easier to identify issues

Why is NetFlow a well-established standard?

It is compatible with devices from many manufacturers