Security Event Log Checklist

Original author: Anton Chuvakin, Lenny Zeltser
  • Transfer


Today, the topic of monitoring IT infrastructure and log analysis is gaining more and more popularity. First of all, everyone thinks about monitoring security events, which will be discussed in this article. Despite the fact that quite a lot has already been said and written on this topic, there are even more questions. And so we decided to translate the article “ Сritical Log Review Checklist for Security Incidents ”, written by Anton Chuvakin and Lenny Zeltser , which will be useful both for those who are just starting to work with monitoring security events, and for those who have to deal with it. quite a long time ago, to check yourself again, do you miss some opportunities.



This checklist presents the actions that are necessary if you want to monitor the security logs and respond quickly to security incidents, as well as a list of possible sources and events that may be of interest for analysis.

General scheme of action


  1. Determine which log sources and automated tools can be used for analysis.
  2. Copy journal entries to one place where you can view and process them all.
  3. Create rules for determining what events are necessary for you to automatically reduce the "noise" logs
  4. Determine whether you can rely on log time stamps ; consider the differences in time zones
  5. Check out recent changes, crashes, errors, state changes, access, and other events that are unusual for your IT environment.
  6. Examine history of events to restore action before and after the incident.
  7. Match the actions in different magazines to get the full picture.
  8. Form a hypothesis of what happened; examine the logs to confirm or deny it



Potential sources of security logs


  • Server and Workstation Logs
  • Application logs (for example, web server, database server)
  • Security tool logs (for example, antivirus, change detection tools, intrusion detection / prevention systems)
  • Outbound proxy and end-user application logs
  • Be sure to also consider other sources of security events that are not included in the logs.

Standard logging location


  • Linux operating system and main applications: / var / log
  • Windows operating system and main applications: Windows Event Log (Security, System, Application)
  • Network devices: usually logged via syslog ; some use their own layout and formats

What to look for in Linux logs


EventSample log entry
Successful login"Accepted password", "Accepted publickey", "session opened"
Failed login attempts"Authentication failure", "failed password"
Session Completion"Session closed"
Account change"Password changed", "new user", "delete user"
Sudo actions"Sudo: ... COMMAND = ...", "FAILED su"
Malfunctions“Failed” or “failure”

What to look for in the Windows logs


Event identifiers are listed below for Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10. (The original article mainly uses identifiers for Windows 2003 and earlier, which can be obtained by subtracting 4096 from the values ​​specified below EventID).

Most of the events below are in the security log (Windows Event Log: Security), but some are recorded only on a domain controller.
Event typeEventid
Entry and exit eventsSuccessful logon 4624; failed logon 4625; logoff 4634, 4647, etc.
Account changeCreated 4720; enabled 4726;
changed 4738; 4725 disabled; deleted 630
change Password4724, 4723
Starting and stopping services7035,7036, etc.
Access to objects4656, 4663

What to look for in logs of network devices


Study the inbound and outbound actions of your network devices.

The examples below are excerpts from the Cisco ASA logs, but other devices have similar functionality.

Firewall traffic"Built ... connection" "access-list ... required"
Firewall blocked traffic"Access-list ... denied", "deny inbound"; "Deny ... by"
Traffic amount (bytes)"Teardown TCP connection ... duration ... bytes ..."
Use of channels and protocols"Limit ... exceeded", "CPU utilization"
Attack detection"Attack from"
Account change"User added", "user deleted", "User priv level changed"
Admin Access"AAA user ...", "User ... locked out", "login failed"

What to look for in the web server logs


  • Excessive attempts to access non-existent files
  • Code (SQL, HTML) as part of the URL
  • Access to extensions that you did not install
  • Stop / Start / Fail Web Service Messages
  • Access to “risky” pages that accept user input
  • Error code 200 ( successful query ) on files that do not belong to you
  • Authentication Error : Error Code 401,403
  • Invalid request : Error code 400
  • Internal server error : Error code 500

useful links


Examples of each Windows event EventID:
EventID.Net
Directory Windows security event log:
Windows Security Encyclopedia the Log
List of log analysis tools:
the Best Management the Log the Tools
Others "cribs" in responding to security incidents in the blog of one of the authors of the original article:
of IT and Information Security Cheat Sheets

If you are interested in this topic, then write comments, we will be happy to answer you. Subscribe to our VK group and Telegram channel if you want to keep abreast of new articles.

Also popular now: