CRITICAL LOG REVIEW CHECKLIST FOR SECURITY INCIDENTS

Authored by Anton Chuvakin (chuvakin.org) and Lenny Zeltser (zeltser.com). Reviewed by Anand Sastry. Distributed according to the Creative Commons v3 "Attribution" License. Cheat sheet version 1.0.

This cheat sheet presents a checklist for reviewing critical logs when responding to a security incident. It can also be used for routine log review.

General Approach
1. Identify which log sources and automated tools you can use during the analysis.
2. Copy log records to a single location where you will be able to review them.
3. Minimize "noise" by removing routine, repetitive log entries from view after confirming that they are benign.
4. Determine whether you can rely on logs' time stamps; consider time zone differences.
5. Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
6. Go backwards in time from now to reconstruct actions after and before the incident.
7. Correlate activities across different logs to get a comprehensive picture.
8. Develop theories about what occurred; explore logs to confirm or disprove them.

Potential Security Log Sources
- Server and workstation operating system logs
- Application logs (e.g., web server, database server)
- Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)
- Outbound proxy logs and end-user application logs
Remember to consider other, non-log sources for security events.

Typical Log Locations
- Linux OS and core applications: /var/log
- Windows OS and core applications: Windows Event Log (Security, System, Application)
- Network devices: usually logged via Syslog; some use proprietary locations and formats

What to Look for on Linux
- Successful user login: "Accepted password", "Accepted publickey", "session opened"
- Failed user login: "authentication failure", "failed password"
- User log-off: "session closed"
- User account change or deletion: "password changed", "new user", "delete user"
- Sudo actions: "sudo: ... COMMAND=...", "FAILED su"
- Service failure: "failed" or "failure"

What to Look for on Windows
Event IDs are listed below for Windows 2000/XP. For Vista/7 security event IDs, add 4096 to the event ID. Most of the events below are in the Security log; many are only logged on the domain controller.
- User logon/logoff events: successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.
- User account changes: created 624; enabled 626; changed 642; disabled 629; deleted 630
- Password changes: to self 628; to others 627
- Service started or stopped: 7035, 7036, etc.
- Object access denied (if auditing enabled): 560, 567, etc.

What to Look for on Network Devices
Look at both inbound and outbound activities. Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.
- Traffic allowed on firewall: "Built ... connection", "access-list ... permitted"
- Traffic blocked on firewall: "access-list ... denied", "deny inbound"; "Deny ... by"
- Bytes transferred (large files?): "Teardown TCP connection ... duration ... bytes ..."
- Bandwidth and protocol usage: "limit ... exceeded", "CPU utilization"
- Detected attack activity: "attack from"
- User account changes: "user added", "user deleted", "User priv level changed"
- Administrator access: "AAA user ...", "User ... locked out", "login failed"

What to Look for on Web Servers
- Excessive access attempts to non-existent files
- Code (SQL, HTML) seen as part of the URL
- Access to extensions you have not implemented
- Web service stopped/started/failed messages
- Access to "risky" pages that accept user input
- Look at logs on all servers in the load balancer pool
- Error code 200 on files that are not yours
- Failed user authentication: error code 401, 403
- Invalid request: error code 400
- Internal server error: error code 500
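The following Python script is an added example, not part of the cheat sheet: it turns the Linux and Cisco ASA indicator strings listed above into a small line classifier, applies step 3 of the general approach (drop entries already confirmed benign) to a set of constructed sample lines, and converts a Windows 2000/XP security event ID to its Vista/7 equivalent with the "add 4096" rule. The category names, the sample lines and the benign marker are assumptions made for the demonstration.

```python
import re
from collections import Counter
# Indicator strings from the checklist's Linux and Cisco ASA sections, as regexes. The
# generic "failed/failure" rule is last so an ASA "login failed" line is not swallowed.
PATTERNS = [
    ("linux.login.success", r"Accepted (password|publickey)|session opened"),
    ("linux.login.failed", r"authentication failure|[Ff]ailed password"),
    ("linux.logoff", r"session closed"),
    ("linux.account.change", r"password changed|new user|delete user"),
    ("linux.sudo", r"sudo: .*COMMAND=|FAILED su"),
    ("fw.traffic.allowed", r"Built .* connection|access-list .* permitted"),
    ("fw.traffic.blocked", r"access-list .* denied|[Dd]eny inbound|Deny .* by"),
    ("fw.bytes.transferred", r"Teardown TCP connection .* duration .* bytes"),
    ("fw.bandwidth", r"limit .* exceeded|CPU utilization"),
    ("fw.attack", r"attack from"),
    ("fw.account.change", r"user added|user deleted|User priv level changed"),
    ("fw.admin.access", r"AAA user |User .* locked out|login failed"),
    ("linux.service.failure", r"(?i)\bfail(ed|ure)\b"),
]

def classify(line):
    """Return the checklist category of one log line, or 'uncategorized'."""
    for category, regex in PATTERNS:
        if re.search(regex, line):
            return category
    return "uncategorized"

def review(lines, benign_markers):
    """Step 3 of the general approach: drop entries already confirmed benign, then tally."""
    kept = [ln for ln in lines if not any(m in ln for m in benign_markers)]
    return Counter(classify(ln) for ln in kept)
def vista_event_id(xp_event_id):
    """Windows 2000/XP security event ID -> Vista/7 ID (checklist: add 4096)."""
    return xp_event_id + 4096
# Constructed sample lines, not real captures: Linux auth log, then Cisco ASA syslog.
SAMPLE_LINES = [
    "Jan 10 10:01:02 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2",
    "Jan 10 10:05:00 host sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 4444 ssh2",
    "Jan 10 10:06:00 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log",
    "Jan 10 10:07:00 host CRON[99]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/40000 to inside:10.0.0.5/443",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.9/3333 dst inside:10.0.0.5/22 by access-group outside_in",
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/40000 to inside:10.0.0.5/443 duration 0:10:00 bytes 52428800 TCP FINs",
    "%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.2 : user = admin",
]
BENIGN_MARKERS = ["CRON["]  # routine cron sessions, confirmed benign during triage

if __name__ == "__main__":
    for category, count in sorted(review(SAMPLE_LINES, BENIGN_MARKERS).items()):
        print(f"{category:22s} {count}")
```

Without the benign marker the cron line would be counted as a successful login, which is why the checklist has you confirm routine entries before dropping them.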
Other Resources
Windows event ID lookup: www.eventid.net
A listing of many Windows Security Log events: ultimatewindowssecurity.com/.../Default.aspx
Log analysis references: www.loganalysis.org
A list of open-source log analysis tools: securitywarriorconsulting.com/logtools
Anton Chuvakin's log management blog: securitywarriorconsulting.com/logmanagementblog
Other security incident response-related cheat sheets: zeltser.com/cheat-sheets