The Anatomy of Logs

Deciphering Logs: The Keystone Skill for Security Analysts

In a conversation I had with a fellow network security expert in the spring of 2023, an observation struck me profoundly. He emphasized that among new job applicants and even experienced Gen X professionals, a deficiency in troubleshooting skills prevails. As an engineer, was trying to locate adept network troubleshooters. This struck a chord with me, as my own challenge lies in identifying capable analysts. Beneath both these proficiencies lies a fundamental skill: the ability to adeptly dissect and interpret diverse log sources.

In today’s landscape dominated by search engines, online forums, and the rise of AI chatbots, the practice of using logs for analysis and troubleshooting is waning. Yet, in the realm of Security Analysis, whether it’s incident response, forensics, or penetration testing, the skill to decode logs stands as the hallmark that distinguishes a competent analyst from an exceptional one.

With a background in forensics, I frequently confronted novel and complicated systems with no prior exposure. Sometimes, engaging with the product’s manufacturers or consulting product documentation illuminated how the system operated. However, often I was compelled to reverse engineer data collection, processing, and storage methods using logs. Over time, I discovered recurring patterns across logs, honing my proficiency in deciphering log sources. In reality, interpreting log sources has become more straightforward than ever before.

For aspiring Security Analysts, your endeavors will revolve around delving into events based on logs. You will often navigate Security Event Information Management tools, or SIEMs, which assimilate numerous log sources into an accessible format for investigation. SIEM technology has evolved to become smarter and faster, and this trajectory will persist. However, a SIEM presents only data it has been configured to display, a process known as parsing. Inadequate parsing could lead to data omissions. In intricate security incidents such as lateral movement or data exfiltration, multiple log sources from various systems often need to be harmonized to unveil the bigger picture. Instances arise where log sources are inadequately parsed, crucial fields are absent in your SIEM query, or logs are yet to be ingested, necessitating manual review.

Thus, I advocate that all security analysts familiarize themselves with comprehending RAW logs from diverse systems. This page is born from this conviction. It assembles various log sources from different systems, and I will endeavor to offer clear explanations wherever feasible.

Anticipating Log Content: A Prerequisite for Effective Analysis

In the realm of log analysis, an anticipatory approach can make all the difference. When handling logs from systems or products, anticipating what the logs should contain can significantly enhance your analysis. Certain common fields and traits should be present in all log sources, offering a foundation for your investigation.

Crucial Timestamps: Almost universally, logs incorporate timestamps. These timestamps, appended to each log entry, serve as temporal markers. However, the frequency of timestamps can vary, with some appearing per entry and others at regular intervals, such as hourly or daily. Familiarizing yourself with timestamp placement is vital. Equally important is understanding the time zone and Network Time Protocol (NTP) calibration of the logs. This knowledge proves indispensable when correlating events across multiple logs for comprehensive investigations.

Event Types and Timing: It is essential to gain insight into the types of events recorded and their timing, including any established thresholds. Knowing when events are logged and understanding the nature of these events can greatly aid your analysis. Event descriptions play a pivotal role as well. Locating event descriptions within logs is a valuable skill, as these descriptions might occupy a single line or span multiple lines, even potentially extending across multiple log files.

Navigating Log Dynamics: Comprehending log rotation and retention policies is the final, crucial aspect. Understanding the frequency of log rotation, whether older logs are retained or overwritten, and the extent of historical log storage is pivotal. This knowledge gains significance when investigating past events. Countless investigations have encountered limitations due to the finite span of available logs. In numerous cases, I have found myself concluding an investigation or threat hunt as inconclusive because the logs only went so far back.

By adopting an anticipatory mindset and familiarizing yourself with these log dynamics, you lay the groundwork for a thorough and insightful analysis, enabling you to uncover hidden patterns and critical insights.

Anticipating Log Fields for Specific Systems

In the realm of log analysis, moving beyond the fundamentals involves a more intricate skill: anticipating log fields tailored to the distinct purpose of each system. This proactive stance isn’t merely about data collection – it’s a strategy that uncovers concealed insights. Picture network appliances, often unsung heroes in network management. As you dive into their logs, anticipate fields such as source and destination markers, traffic actions, sizes, protocols, and types. Embracing these unique attributes equips you to navigate intricate network scenarios with precision, ensuring that even the most crucial details are brought to light.

Log Fields for Network Systems

Let’s delve deeper into the specifics. These are some anticipated log fields when it comes to network systems:
 Source and Destination: These identifiers could range from IP addresses, both IPv4 and IPv6, to MAC addresses or even user and organizational units.
 Traffic Action: Whether the traffic was halted, forwarded, or diverted.
 Traffic Size: Insights into the size of transmitted data.
 Protocol: This field points to the protocol the traffic adheres to, such as HTTP(S), FTP(S), or ICMP(S).
 Traffic Type: Going beyond protocols, this could indicate if the traffic was a request, post, or delete.
 Additional Identifiers: Think geolocation, useragent strings, and other markers that add depth to the analysis.
Network appliances hold a pivotal role in processing network traffic, magnifying the importance of these log fields.

Log Fields for Authentication Systems

Now, shift your focus to authentication systems, the guardians of digital access. Here, specific log fields take the lead:
 User Identity: Think usernames, email addresses, or other identification markers for logins and access attempts.
 Authentication Result: The distinction between successful and failed login endeavors.
 Authentication Method: Highlighting the technique – whether it’s passwordbased, multifactor authentication, or another.
 Timestamp: The exact time and date of the authentication attempt.
 Location: IP address or geolocation of the login origin.
 Session Duration: The span of time within an authenticated session.
Whether it’s Single SignOn or traditional authentication methods, understanding these log fields becomes pivotal for securing digital spaces.

Database and Data Storage Systems Log Fields

Turning to databases and data storage systems, where information integrity reigns supreme, specific log fields come into play:
 Query Statements: These entries might include SQL or NoSQL queries executed within the database.
 User Access: Identifying the users who accessed the database and the permissions granted.
 Timestamps: Capturing the timing of data interactions for precise analysis.
 Changes and Modifications: Log entries detailing data inserts, updates, and deletions.
 Error Messages: Indicating anomalies or errors within the database.
 Data Volume: Offering insights into the amount of data processed or retrieved.
These log fields are the pillars supporting data’s integrity, performance, and security within the digital realm.

In the intricate dance between data and systems, log fields emerge as orchestrators of understanding. Mastery in anticipating, deciphering, and interconnecting these specialized fields empowers you to navigate the intricacies of modern IT. As logs weave together the narrative of digital interactions, your expertise in grasping these fields ensures that no detail goes unnoticed. From untangling network intricacies to securing digital gates and safeguarding data, the voyage into log fields illuminates the path to holistic and effective analysis.

Click Here to see detailed sample of log fields you can expect to see from some system types.

Here is a collection of Log Samples

Scroll to Top