4_3_4 Section 4 – Operations and Incident Response - 4.3 – Investigations- Log Files

Questions and Answers

What is the primary function of a Security Information and Event Manager (SIEM)?

• To configure Syslog options on devices
• To generate log entries on Linux devices
• To consolidate logs from different devices (correct)
• To process log information from a single device

What is the purpose of a facility code in a Syslog log entry?

• To identify the program that created the log entry (correct)
• To specify the severity level of the log entry
• To determine the log entry's destination
• To specify the type of device that generated the log entry

Which of the following is NOT a popular syslog daemon for Linux devices?

• rsyslog
• NXLog
• syslog-ng
• syslog (correct)

What is the benefit of using a SIEM to consolidate log files from different devices?

To make it easier to search and analyze log data (A)

What is the purpose of a severity level in a Syslog log entry?

To indicate the level of importance of the log entry (A)

What is the primary benefit of using Syslog to transfer log files?

To allow for centralized log collection and consolidation (B)

What is the primary purpose of the journalctl utility in Linux?

To query the system journal for log information (D)

What type of logs are specific to the operating system itself?

System logs (A)

What is the primary reason for monitoring bandwidth usage?

To qualify available bandwidth for applications (C)

What protocol is used for bandwidth monitoring?

All of the above (D)

What type of information is contained in the headers of an email message?

All of the above (D)

What is the purpose of metadata in files?

To describe other types of data (C)

What type of information can be stored in the metadata of a picture taken on a mobile device?

All of the above (D)

What type of information is transferred in the metadata of a web browser connection?

All of the above (D)

What type of information can be found in the metadata of a Microsoft Office document?

All of the above (D)

What format are Linux system logs stored in?

Binary format (D)

What can you see in the details of an email message?

The return path and other validation details (A)

What is the primary function of NetFlow?

To gather network statistics from switches and routers (A)

What is the architecture of NetFlow?

Probe and collector are separated (D)

What is the primary purpose of protocol analyzers?

To troubleshoot complex application problems (B)

What is IPFIX?

A newer version of NetFlow (D)

Why is sFlow used?

To reduce the resources required for network traffic analysis (D)

What type of networks can protocol analyzers be used on?

Both wireless and wired networks, as well as wide area networks (C)

What can you infer from sFlow devices?

Relatively accurate statistics from sampled traffic (D)

What feature of protocol analyzers allows users to view specific information?

Packet filtering (B)

What is the purpose of a protocol analyzer?

To get detailed information of network traffic (B)

What information is provided by the protocol decodes on a protocol analyzer?

A plain English breakdown of network traffic (C)

What is shown in the NetFlow collector front end?

Top 10 conversations and top 10 endpoints by bandwidth (C)

What information can be seen in the packet by packet breakdown of a protocol analyzer?

Delta times, source IP addresses, source port numbers, and other information (A)

What is the advantage of IPFIX over NetFlow?

It provides more flexibility in data collection (B)

What is the benefit of using a protocol analyzer to troubleshoot network issues?

It provides a detailed breakdown of network traffic, making it easier to identify issues (A)

Why is NetFlow a well-established standard?

It is compatible with devices from many manufacturers (A)

Flashcards are hidden until you start studying