week 10

This week’s topic is event log correlation and analysis. Many types of logs exist on a computer, for example event logs and security logs, and they can be collected from many sources: a server, a mainframe, or a workstation.

Logs from the OS usually record system-level events such as logins/logouts or system crashes. On Windows the event logs usually run into the thousands or even millions of entries because so much activity is going on, so if the system is attacked, finding the relevant entries is like finding a needle in a haystack. To view the event logs in Windows 10, simply search for ‘Event Viewer’. Other types of logs are also available on the system:

  • IE browsing history
  • Setup
  • Firewall
  • Recycle bin
  • Shortcut files

When collecting the logs, the investigating party has to consider confidentiality. They are not to disclose anything about the investigation, so the employees of the involved party should not know about it; they may be given a break so that the IT staff can do their work undisturbed. Collection is usually done through passive acquisition of the logs followed by an active search through them.

There are several analysis tools that can be used to analyze the logs:
Commercial:

  • Splunk
  • Retrace
  • Logentries
  • Logmatic

Open source:

  • Graylog
  • Logstash

By connecting all the servers in a company to Graylog, Graylog can collect and index all of their logs. If one of the systems is attacked, the incident can be investigated using the data held in Graylog. Graylog records the time/date, the source, and the event of each log entry. It can be used, for example, to work out whether someone tried to brute-force a password on a system. In Graylog the data can be searched by protocol or service, which aids the investigation.
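As an added example (not part of the original post and not Graylog’s own code), here is the kind of correlation Graylog would be used for, done in plain Python over a handful of constructed Windows Security log lines: failed logons (Windows Event ID 4625) are grouped by source address, a burst above a threshold inside a time window is flagged, and a successful logon (Event ID 4624) from the same source after the burst is reported as the stronger sign that the guessing eventually worked. The line format, the hosts, accounts and addresses, and the threshold and window values are all assumptions made for the example.

```python
"""Correlate failed-logon events to spot a password brute-force attempt.

Added example, not from the original post. The log lines below are
constructed, not taken from a real system; their format (ISO timestamp,
source host, event id, target account, source address) is an assumption
that loosely mirrors what a search over Windows Security events would
return from a log platform such as Graylog.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_FAILED_LOGON = 4625   # Windows Security: "An account failed to log on"
EVENT_LOGON = 4624          # Windows Security: "An account was successfully logged on"

# Constructed sample data (assumed format, not real logs):
#   10.0.0.23    hammers "alice" six times in 13 s, then logs on successfully
#   10.0.0.50    two failures for "bob" half an hour apart (normal typos)
#   192.168.1.9  five failures for "carol" spread over eight minutes
SAMPLE_LOGS = """\
2024-03-01T09:00:01 DC01 4625 alice 10.0.0.23
2024-03-01T09:00:03 DC01 4625 alice 10.0.0.23
2024-03-01T09:00:05 DC01 4625 alice 10.0.0.23
2024-03-01T09:00:08 DC01 4625 alice 10.0.0.23
2024-03-01T09:00:11 DC01 4625 alice 10.0.0.23
2024-03-01T09:00:14 DC01 4625 alice 10.0.0.23
2024-03-01T09:00:40 DC01 4624 alice 10.0.0.23
2024-03-01T09:02:00 DC01 4625 bob 10.0.0.50
2024-03-01T09:30:00 DC01 4625 bob 10.0.0.50
2024-03-01T10:00:00 FS01 4625 carol 192.168.1.9
2024-03-01T10:02:00 FS01 4625 carol 192.168.1.9
2024-03-01T10:04:00 FS01 4625 carol 192.168.1.9
2024-03-01T10:06:00 FS01 4625 carol 192.168.1.9
2024-03-01T10:08:00 FS01 4625 carol 192.168.1.9
"""


def parse_line(line):
    """Split one log line into a dict; the five-field layout is assumed."""
    ts, host, event_id, account, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "event_id": int(event_id),
        "account": account,
        "src": src,
    }


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag every source address that produced at least `threshold` failed
    logons within any sliding window of `window_seconds`, and note whether a
    successful logon from that source followed the burst."""
    window = timedelta(seconds=window_seconds)
    failed = defaultdict(list)
    succeeded = defaultdict(list)
    for e in events:
        if e["event_id"] == EVENT_FAILED_LOGON:
            failed[e["src"]].append(e)
        elif e["event_id"] == EVENT_LOGON:
            succeeded[e["src"]].append(e)

    alerts = []
    for src, evs in failed.items():
        evs.sort(key=lambda e: e["ts"])
        best, best_span, start = 0, None, 0
        # Two-pointer sliding window over the time-sorted failures.
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_span = count, (evs[start]["ts"], ev["ts"])
        if best >= threshold:
            first, last = best_span
            alerts.append({
                "src": src,
                "failures_in_window": best,
                "window_start": first.isoformat(),
                "window_end": last.isoformat(),
                "accounts": sorted({e["account"] for e in evs}),
                # A success after the burst suggests a password was guessed.
                "success_after": any(s["ts"] > last for s in succeeded.get(src, [])),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

With the default one-minute window only 10.0.0.23 is reported, and with `success_after` set, which is the entry an investigator would chase first; widening the window to ten minutes also catches the slow, spaced-out attempts from 192.168.1.9, while bob’s two mistypes never trip either setting. The same idea is what a saved search or alert rule in Graylog expresses: group by source, count failures per time bucket, and join against later successes.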
