Introduction
Delve into the fundamentals of log analysis to unravel the intricacies of how logs function, their data sources, and the techniques employed for data collection. Gain insights into the foundational principles that underpin log analysis and embark on a practical journey with the resources available at TryHackMe — Introduction to Logs.
Task 2 Expanding Perspectives: Logs as Evidence of Historical Activity
Step 1: Start machine
Upon accessing the machine, a “note.txt” file on the desktop revealed crucial information for Task 2. This task involved identifying the colleague who left the note and determining the full path to the suggested log file for initial investigation.
Task 3 Types, Formats, and Standards
The log file specified in Task 2 belongs to the web server category, as evidenced by its content.
Based on the list of log types in this task, what log type is used by the log file specified in the note from Task 2?
Ans: Web Server Log
Based on the list of log formats in this task, what log format is used by the log file specified in the note from Task 2?
Ans: Combined
Task 4 Collection, Management, and Centralization
- Open a Terminal.
- Ensure rsyslog is installed: check with
sudo systemctl status rsyslog
- Create a new configuration file:
nano /etc/rsyslog.d/98-websrv-02-sshd.conf
- Add the configuration:
$FileCreateMode 0644
:programname, isequal, "sshd" /var/log/websrv-02/rsyslog_sshd.log
- Save and close the configuration file.
- Restart rsyslog to apply the changes:
sudo systemctl restart rsyslog
- Verify the configuration by initiating an SSH connection to localhost:
ssh localhost
The file /var/log/websrv-02/rsyslog_sshd.log contains the usernames.
To find the file that reveals the IP address of SIEM-02, examine the rsyslog configuration file /etc/rsyslog.d/99-websrv-02-cron.conf:
cat /etc/rsyslog.d/99-websrv-02-cron.conf
The logs are at /var/log/websrv-02/rsyslog_cron.log. To determine the command executed by the root user:
tail -n13 rsyslog_cron.log
Task 5 Storage, Retention, and Deletion
The logrotate configuration file at /etc/logrotate.d/99-websrv-02_cron.conf details how many old compressed copies of the log are retained and how often the log is rotated:
cat /etc/logrotate.d/99-websrv-02_cron.conf
Task 6 Hands-on Exercise: Log analysis process, tools, and techniques
Access the log viewer URL: http://MACHINE_IP:8111/log?log=%2Fvar%2Flog%2Fgitlab%2Fnginx%2Faccess.log&log=%2Fvar%2Flog%2Fwebsrv-02%2Frsyslog_cron.log&log=%2Fvar%2Flog%2Fwebsrv-02%2Frsyslog_sshd.log&log=%2Fvar%2Flog%2Fgitlab%2Fgitlab-rails%2Fapi_json.log
After this, click on the add filter icon.
Answer: No date field
Normalization standardizes parsed data, making it easier to compare and analyze data from different sources.
Answer: Normalization
Log enrichment adds context to logs, making them more meaningful for analysis.
Answer: Enrichment
Tools:
In closing, every log contributes to the puzzle of securing our digital world.
Stay curious, stay vigilant, and keep exploring the dynamic realm of cybersecurity.