What can you create in event viewer to display specific types of events from one or more event logs?
An event log is a file that contains information about the usage and operations of operating systems, applications or devices. Security professionals, or automated security systems such as SIEMs, can access this data to manage security and performance and to troubleshoot IT issues.

In the modern enterprise, with a large and growing number of endpoint devices, applications and services, it is no longer possible to manage security and IT operations with network monitoring alone. Event logs, and in particular endpoint logs, are of critical importance.
Introduction to Event Logs and Security Logs
Events that occur in end-user devices or IT systems are commonly recorded in log files. Operating systems record events using log files. Each operating system uses its own log files, and applications and hardware devices also generate logs. Security teams can use security logs to track users on the corporate network, identify suspicious activity and detect vulnerabilities. Most security and IT organizations find that systems generate more log information than they can process. Event and log management tools help analyze logs, monitor important events recorded in logs, and leverage them to identify and investigate security incidents.

Key Concepts of Log Management
Log: Raw data stored by a computer system.
Events: Something that occurs somewhere on a network or computer system.
Incidents: Events that are identified as possible security breaches.

Using Endpoint Logs for Security
With the growing use of endpoint devices, many of which are laptops, phones or other mobile devices, endpoint logs are becoming more important for security. Attackers who gain access to an endpoint device can use it to penetrate your network. Therefore, it is essential to collect data from endpoint logs and identify malicious or unauthorized activity.

Using Windows Event Logs for Security
The Windows operating system logs activity on software or hardware components. Administrators can access this information to detect and troubleshoot issues. Six default categories are used to classify events:
The Windows tool called Event Viewer can be used to view event logs across all the above categories. Event Viewer displays information about an event, including the date and time, username, computer, source, and type.

Security Log Event Types
While all types of events could be relevant in the investigation of a security incident, security logs are of special significance. Windows generates a security log entry upon login attempts, and logs additional information if the login attempt succeeds. The types of events logged are:
Common Windows Log Events Used in Security Investigations
Here are a few common event codes on Windows 7/Vista/8/10 and Windows Server 2008/2012R2/2016/2019 (previous versions of Windows use different codes) that are commonly used in security investigations:
Using Linux Event Logs for Security
The Linux operating system stores a timeline of events related to the server, kernel, and running applications. The main log categories are:
There are several ways to view logs in Linux:
The following are commonly used Linux log files:
What Data Should You Focus on in a Security Investigation of Linux Event Logs?
Perform a risk assessment for the Linux systems in your organization, and determine what level of logging they need, how logs should be reviewed and which log events should generate security alerts. In most cases you will need to log the following information about a Linux system for security purposes:
Using iOS Logging for Security
iOS does not log events; however, it does log application crash reports. iOS 10.0 and later offers an API that can be used to log application events. You can use crash reports and the logging API to find and investigate errors generated by your applications, either during development or in production. iOS devices come with their own security features, implemented in both hardware and software. The logging API provides access to data generated by these security features. They include:
Using Android Logging for Security
Android offers a platform that provides access to all system and application logging, including logs from the kernel driver and from C, C++, and Java classes. The logging platform provides applications for viewing and filtering log messages.

Android Log Types
Logging Sensitive Data
Additional Logs You Should Consider Monitoring
Beyond the common log sources mentioned above, there are many more enterprise systems and security tools that generate logs. All of them might have security implications. However, it is crucial to prioritize which logs analysts monitor, since many organizations have limited security manpower. The following is a list of the most common log and information sources you may encounter in your organization. Select the most important sources for your security team to monitor regularly.
Logs from Security Controls
Network Logs
Infrastructure Information
Business Information
Security Information and Event Management (SIEM) Logging
SIEM logging is the process of aggregating and monitoring logs for security purposes. SIEM systems are used by security teams to collect event data from IT systems and security tools across an organization, and use it to identify suspicious behavior that might signify a security incident. Common security-related log events tracked by a SIEM include:
Detecting Security Incidents Using Correlation Rules
Traditionally, SIEMs generated alerts from logs by using correlation rules. A correlation rule specifies a series of events and specific log values, or ranges of values, that may indicate a security threat (for example, three or more failed login attempts). Another way to extract security risks from logs is vulnerability analysis, in which automated scanners scan networks for software vulnerabilities that attackers could target; some of these scans rely on logs.

Detecting Security Incidents Using Behavioral Analytics
Next-generation SIEM technology uses user and event behavior analytics (UEBA) to establish a behavioral baseline for users and other entities on the network, such as servers, endpoints or applications. The behavioral analytics engine monitors behavior and identifies whether it deviates from the baseline, in other words whether something "looks different", even if the deviation could not be defined by a strict correlation rule. If deviations are sufficiently large and seem to indicate a security risk, the UEBA system raises an alert. This can help detect insider threats, fraud, advanced persistent threats (APT), and other sophisticated attack techniques that can easily evade correlation rule-based detection. For an example of a next-gen SIEM with UEBA built in, see Exabeam Advanced Analytics.

What event types are displayed in Event Viewer?
Event log categories.

Which Event Viewer feature should you use to view events in multiple logs?
Event Viewer enables you to filter for specific events across multiple logs, making it easy to display all events that are potentially related to an issue you are investigating. To specify a filter that spans multiple logs, you need to create a custom view.
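The correlation rule named above ("three or more failed login attempts") as an added example that is not part of the original article: it parses Windows Security events in the XML form Event Viewer shows, keeps only failed logons (event ID 4625, a real Windows event ID), and raises an alert for an account/source-address pair that crosses the threshold inside a sliding time window. The six event records are constructed for the example; the namespace and the TargetUserName/IpAddress field names are the real ones Windows uses.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (not real captures); the template keeps only
# the fields the rule needs. 4625 = failed logon, 4624 = successful logon.
TEMPLATE = (
    '<Event xmlns="{ns}"><System><EventID>{id}</EventID>'
    '<TimeCreated SystemTime="{t}"/></System><EventData>'
    '<Data Name="TargetUserName">{u}</Data><Data Name="IpAddress">{ip}</Data>'
    '</EventData></Event>'
)
SAMPLE_EVENTS = [TEMPLATE.format(ns=NS["e"], **r) for r in (
    dict(id=4625, t="2024-01-01T10:00:00.0000000Z", u="alice", ip="10.0.0.5"),
    dict(id=4625, t="2024-01-01T10:00:30.0000000Z", u="bob", ip="10.0.0.9"),
    dict(id=4625, t="2024-01-01T10:01:00.0000000Z", u="alice", ip="10.0.0.5"),
    dict(id=4624, t="2024-01-01T10:01:30.0000000Z", u="bob", ip="10.0.0.9"),
    dict(id=4625, t="2024-01-01T10:02:00.0000000Z", u="alice", ip="10.0.0.5"),
    dict(id=4625, t="2024-01-01T10:30:00.0000000Z", u="bob", ip="10.0.0.9"),
)]

def parse_event(xml_text):
    """Extract event ID, timestamp, target account and source IP from one record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    # Windows writes 7 fractional digits, which fromisoformat rejects; drop them.
    stamp = re.sub(r"\.\d+", "", stamp).replace("Z", "+00:00")
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {"id": int(system.find("e:EventID", NS).text),
            "time": datetime.fromisoformat(stamp),
            "user": data.get("TargetUserName"), "ip": data.get("IpAddress")}

def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return (user, ip) pairs with >= threshold 4625 events inside a sliding window."""
    recent = defaultdict(deque)   # per (user, ip): attempt times still in the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4625:      # the rule counts failed logons only
            continue
        key = (ev["user"], ev["ip"])
        times = recent[key]
        times.append(ev["time"])
        while ev["time"] - times[0] > window:   # expire attempts older than the window
            times.popleft()
        if len(times) >= threshold and key not in alerts:
            alerts.append(key)
    return alerts
```

With the sample data only alice trips the rule; bob's two failures are 29 minutes apart and never overlap inside the five-minute window.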
How do I view event logs in Event Viewer?
Open Event Viewer. In the console tree, expand Windows Logs, and then click Security. The results pane lists individual security events. If you want to see more details about a specific event, click the event in the results pane.
Which tool in Windows Server and clients enables you to view events from multiple logs?
Windows Event Viewer displays the Windows event logs. Use this application to view and navigate the logs, search for and filter particular types of events, export logs for analysis, and more.