Linux Log Monitoring and Analysis PDF

Summary

This document discusses log monitoring and analysis in Linux-based systems. It covers Linux logs, the Linux log files, and the commands used for monitoring. The document is part of a cybersecurity training module.

Full Transcript


Certified Cybersecurity Technician Exam 212-82 Network Logs Monitoring and Analysis

Module Flow
* Understand Logging Concepts
* Discuss Log Monitoring and Analysis on Windows Systems
* Discuss Various Log Management Tools
* Discuss Log Monitoring and Analysis on Linux (this section)

Discuss Log Monitoring and Analysis on Linux

The objective of this section is to explain monitoring and analysis of logs in Linux-based systems. It describes Linux logs, the various Linux log files, and commands to monitor and analyze Linux logs.

Module 18 Page 2092 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Linux Logs

* Linux logs are a record of any activity or event in Linux OS
* Most Linux logs are located in the /var/log directory in plain ASCII text format
* The system log daemon (syslogd) produces logs for the system and different programs in Linux OS

Linux logs are a record of any activity or event in a Linux-based OS (hereinafter "Linux OS"); they include messages on just about everything, including the system, kernel, package managers, boot processes, Xorg, Apache, and MySQL. These log files are a useful troubleshooting tool when any security issue occurs. They help in monitoring and analyzing security threats and vulnerabilities, as well as in remediating them as soon as possible. They also help in tracking the communication between one system and other systems and networks. Linux OS captures a wide range of information using multiple log files. Most logs are located in the /var/log directory and its subdirectories in plain ASCII text format. These are system and service log files that provide information about OS-specific or service-specific issues.
Many of them are produced by the system log daemon (syslogd) on behalf of the system and applications, whereas some applications write logs directly into the /var/log directory. To change to that directory, the cd command is used. However, only the root user can view or access Linux log files.

Figure 18.11: Linux log (terminal session running cd /var/log/ followed by ls, listing files such as alternatives.log, apport.log, auth.log, auth.log.1, bootstrap.log, btmp, dmesg, dpkg.log, faillog, fontconfig.log, gpu-manager.log, kern.log, kern.log.1, lastlog, ubuntu-advantage.log, wtmp, Xorg.0.log and Xorg.0.log.old)

Different Linux Log Files

* /var/log/messages: General message and system-related information
* /var/log/auth.log: Authentication logs
* /var/log/kern.log: Kernel logs
* /var/log/cron.log: Crond logs (cron jobs)
* /var/log/maillog: Mail server logs
* /var/log/qmail/: Qmail log directory (more files inside this directory)
* /var/log/httpd/: Apache access and error logs directory
* /var/log/lighttpd/: Lighttpd access and error logs directory
* /var/log/boot.log: System boot log
* /var/log/mysqld.log: MySQL database server log file
* /var/log/secure or /var/log/auth.log: Authentication log
* /var/log/utmp or /var/log/wtmp: Login records file
* /var/log/yum.log: Yum command log file
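The module notes that access to the files under /var/log is meant to be restricted to privileged users. The following script, which is an added example and not part of the EC-Council module, audits a log directory for files whose mode grants read access to "other" (world-readable), the check an administrator would run over /var/log. Because the real directory differs per host, the script builds a small constructed look-alike tree in a temporary directory; the file names and modes in make_sample_logdir are assumptions for illustration only.

```shell
#!/bin/sh
# Added example (not from the module): report world-readable files under a log directory.
# The sample directory tree below is constructed so the script runs anywhere.

# world_readable_logs DIR: print paths of regular files under DIR whose mode
# grants read permission to "other" (the 004 bit), sorted for stable output.
world_readable_logs() {
    find "$1" -type f -perm -004 | sort
}

# make_sample_logdir: build a constructed /var/log look-alike in a temp dir
# and print its path. Modes are chosen to mimic a typical mixed state:
# auth.log and kern.log restricted (640), syslog and an Apache access log
# left world-readable (644).
make_sample_logdir() {
    d=$(mktemp -d)
    : > "$d/auth.log";           chmod 640 "$d/auth.log"
    : > "$d/syslog";             chmod 644 "$d/syslog"
    : > "$d/kern.log";           chmod 640 "$d/kern.log"
    mkdir -p "$d/httpd"
    : > "$d/httpd/access_log";   chmod 644 "$d/httpd/access_log"
    printf '%s\n' "$d"
}

# Demonstration on the constructed tree; on a real host run:
#   sudo sh -c '. ./audit.sh; world_readable_logs /var/log'
sample=$(make_sample_logdir)
world_readable_logs "$sample"
rm -rf "$sample"
```

The two 644 files are reported and the 640 files are not. Tightening a reported file is a chmod o-r on it, but check the service's own expectations first: some daemons and log rotation configurations set the mode themselves on the next rotation.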
Different Linux Log Files

Linux OS generates four different categories of log files: application logs, event logs, service logs, and system logs. These log files should be monitored to predict upcoming issues before they actually occur. However, it can get cumbersome to monitor and analyze all log files or to determine which file contains the required information. Therefore, to make the process a little simpler, a few critical Linux log files are introduced here that should be monitored effectively to gather all essential information.

* /var/log/messages or /var/log/syslog: This log file contains general messages and system-related information. It stores all informational and noncritical messages across the global system, such as system error messages, system startups and shutdowns, changes in the network configuration, etc. It can also log several facilities such as mail, cron, daemon, kern, auth, etc. This is the first place to look if things go wrong in the network/OS. For example, if there is any issue with the sound card, check the messages logged in this file. This file stores data in plain-text format that can be checked by any tool that can examine text files.

* /var/log/auth.log or /var/log/secure: This log file contains authentication logs, including both successful and unsuccessful user login attempts as well as the authentication techniques used. This file is useful when examining brute-force attacks and other issues related to the user authorization mechanism.

* /var/log/kern.log: This file stores information that is logged by the kernel. It is helpful in solving kernel-related errors and warnings as well as hardware and connectivity problems. It is also useful in troubleshooting a custom-built kernel.

* /var/log/cron.log: This file contains information about all Crond-related messages (cron jobs).
For example, when the cron daemon begins a cron job, all related information about its successful or failed execution is logged to this file. This file is helpful for solving issues with scheduled cron jobs.

* /var/log/maillog or /var/log/mail.log: This file stores information related to mail servers. It is useful when checking information regarding postfix, smtpd, MailScanner, and other email-related services. It keeps records of all emails that are sent or received within a time zone. In addition, it helps in examining failed delivery problems and in detecting spamming attempts blocked by the mail server.

* /var/log/qmail/: It is a directory that stores information related to qmail logs. This directory is helpful when trying to track all emails sent through a qmail system, when the list of every message transmitted by the server is needed, or when the number of messages processed needs to be determined.

* /var/log/httpd/: It is a directory that stores information related to the Apache web server. The Apache web server stores information in two log files: access_log and error_log. This directory provides detailed information about events and errors raised while processing httpd requests. It keeps records of every page or file that is served or loaded by Apache and also stores the IP address and user ID of every client that made a connection to the server. It also logs the status of access requests and whether a response was given or not.

* /var/log/lighttpd/: It is a directory that stores information related to the Lighttpd access_log and error_log.

* /var/log/boot.log: This file stores all information related to system booting. The booting messages are sent by the system initialization script, /etc/init.d/bootmisc.sh, to this log file.
This file is helpful when trying to troubleshoot problems related to improper shutdowns, booting failures, or unplanned reboots. By checking this file, the time span of system downtime that occurred due to an unexpected shutdown can be determined.

* /var/log/mysqld.log: This file stores all debug, failure, and success messages about the mysqld and mysqld_safe daemons. It is helpful when trying to detect issues related to starting, running, and stopping mysqld.

* /var/log/utmp or /var/log/wtmp: These files store information related to user login/logout, and they are helpful when trying to determine the current login state.

* /var/log/yum.log: All information related to the installation of a package using the yum command is stored in this file, which proves useful when trying to check whether a package was installed correctly; it also helps in identifying and solving software installation issues.
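The list above singles out /var/log/auth.log (or /var/log/secure) as the file to examine for brute-force attempts. The script below, an added example written for this page rather than code from the EC-Council module, shows the analysis a defender would run over that file: it aggregates "Failed password" entries from sshd by source address and flags addresses that exceed a threshold. The log lines in SAMPLE_AUTH_LOG are constructed (RFC 5737 documentation addresses, invented host and PIDs) so the script runs offline; on a real host the same functions are fed the actual file.

```shell
#!/bin/sh
# Added example (not from the module): count failed SSH password attempts
# per source IP in auth.log-style lines and flag repeat offenders.

# Constructed sample of auth.log lines (not captured from a real system).
SAMPLE_AUTH_LOG='Mar  3 10:01:12 host sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:19 host sshd[2233]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:01 host sshd[2240]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:44 host sshd[2245]: Failed password for alice from 198.51.100.7 port 40030 ssh2
Mar  3 10:03:00 host CRON[2250]: pam_unix(cron:session): session opened for user root by (uid=0)'

# failed_by_ip: read auth.log lines on stdin and print "<count> <ip>" for each
# source address with sshd "Failed password" entries, most frequent first.
# The "from" token is located by position because the field before it varies
# ("for root" vs "for invalid user admin").
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# suspicious_ips [THRESHOLD]: print only addresses whose failure count is at
# or above THRESHOLD (default 3). The threshold is a tuning assumption.
suspicious_ips() {
    threshold="${1:-3}"
    failed_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Demonstration on the constructed sample. On a real host, for example:
#   sudo cat /var/log/auth.log | suspicious_ips 5
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | suspicious_ips 3
```

With the sample input, 203.0.113.5 accounts for three failures and is flagged, while 198.51.100.7 (one failure followed by a successful key login) is not. The same pipeline applies to the rotated copies (auth.log.1 and the gzipped ones via zcat) when a longer window is needed, and the threshold and time window are what you would tune when turning this into a scheduled check.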
