Copyright Goodheart-Willcox Co., Inc. 83 Chapter 3 Security Evaluation

Log Files

A log file, also called an event log, is a record of events that occur during server or computer operation. A log is accumulated data about a system and its services, the times and dates of user actions, and other activities that affect the security of an organization. An event can be an informational announcement, or it can help troubleshoot serious or critical errors and event anomalies. Event logs are instrumental in troubleshooting and in investigating possible security incidents. They are also a key aspect of forensic investigations and are used as documentation or evidence. There are multiple types of logs used for security purposes, including the following:

■ System logs record events generated by operating system components. For example, if a server is restarted, the event is recorded in the system log.
■ Network logs are generated by specific network services or devices, such as NAT, routers, firewalls, and VPNs.
■ Application logs record events that are triggered by applications, such as an update to Windows Defender.
■ Security logs are used to track events related to auditing established configurations. For example, this log can record failed attempts to log in as a specific user.
■ Web logs are generated by web servers and contain information regarding each website visited by a user.
■ PowerShell logs allow administrators to view which PowerShell providers are accessed. PowerShell is a powerful command-line interface shell integrated with Windows .NET technologies. In some cases, the PowerShell programs that were run are also logged.
■ DNS logs are created and stored on servers that provide DNS services. These logs record information sent and received by a DNS server.
■ Authentication logs allow administrators to view successful and failed logins and the authentication methods used.
■ Dump files are not traditional logs, in that they do not record ongoing data about a service or application; they are usually generated when a system crashes, and the contents of memory are compiled, or dumped, into files.
■ Voice over IP (VoIP) logs are used to store data related to VoIP sessions, such as a record of each call, whether it was answered or sent to voice mail, and the date and duration of the call.
■ Call manager logs provide detailed call information such as diagnostics and the amount of data sent and received. Call managers are solutions for managing not only IP-based phones and calls, but also other applications, including video and messaging.
■ Session Initiation Protocol (SIP) logs contain information about the SIP process, which manages voice-based data.

Security professionals use logs to monitor events that could indicate a potential security breach. In Windows, event log entries are identified by numeric event codes. Figure 3-3 shows event codes that may indicate a security incident.
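The security log's record of failed login attempts, described above, is what an administrator typically queries first when looking for a suspected breach. The following PowerShell script is an added example, not from the textbook: it reads the Windows Security log for failed logon events and summarizes, per account, how many failures occurred and from which sources. It assumes Event ID 4625 ("An account failed to log on"), an elevated PowerShell session (reading the Security log requires administrator rights), and that logon auditing is enabled on the system.

```powershell
# Added example (not the textbook's code): summarize failed logons from the
# Windows Security log. Assumes Event ID 4625 and an elevated session.
function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,       # look-back window in hours
        [int]$Threshold = 5     # report accounts with at least this many failures
    )

    $since = (Get-Date).AddHours(-$Hours)
    try {
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4625
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches; treat that as an empty set.
        $events = @()
    }

    $rows = foreach ($e in $events) {
        # Parse the event XML so fields are looked up by name rather than by position.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = $data['LogonType']   # 2 = interactive, 3 = network, 10 = RDP
            Source    = $data['IpAddress']
        }
    }

    # Group by the account that was targeted and keep only those over the threshold.
    $rows | Group-Object User | Where-Object Count -ge $Threshold |
        ForEach-Object {
            [pscustomobject]@{
                User     = $_.Name
                Failures = $_.Count
                Sources  = ($_.Group.Source | Sort-Object -Unique) -join ', '
                First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary -Hours 24 -Threshold 5 | Format-Table -AutoSize
```

Many failures against one account from a single source in a short window is the pattern worth investigating; many accounts with one failure each from the same source is a different pattern and is worth checking separately.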