How to Search Log Files: Difference between revisions

From Irregularpedia
(3 intermediate revisions by 2 users not shown)
Latest revision as of 17:26, 4 December 2024

How to Check and Make Sense of Logs on Different Operating Systems

If you need to go back to the guide, click Cyber Incident Response Guide

Mobile: iOS

Use Analytics & Improvements

  1. Go to Settings > Privacy > Analytics & Improvements.
  2. Select Analytics Data to view system and app logs.

Identify Suspicious Activity

  1. Look for entries such as sysdiagnose or stacks+appName, indicating app crashes or system issues.
  2. Search for terms like privacy, location, or permission to find logs related to privacy settings changes.
  3. Check for any entries with daemon or process indicating background activities.


Mobile: Android

Enable Developer Options

  1. Go to Settings > About phone.
  2. Tap Build number seven times to enable Developer Options.

Access Logs through Developer Options

  1. Go to Settings > System > Developer options.
  2. Scroll to Debugging and select Take bug report or Log viewer.

Check for Suspicious Activity

  1. Look for frequent app crashes or unexpected system behavior in the logs.
  2. Identify any unusual network activities or connection attempts.
  3. Check for logs indicating changes in security settings or permissions granted to unfamiliar apps.
  4. Look for repeated attempts to access secure features or data without authorization.


Windows

Open the Event Viewer

  1. Press the Windows key + R to open the Run dialog box.
  2. Type eventvwr.msc and press Enter.
  3. The Event Viewer will open.

Look for Error or Warning Logs Related to Security

  1. Navigate to Windows Logs > Security.
  2. Sort the logs by Event ID, Level, or Source.
  3. Look for Event IDs:
    • 4624 (successful logon),
    • 4625 (failed logon),
    • 4648 (logon using explicit credentials).

Search for Suspicious Activity

  1. Look for repeated failed login attempts from the same source IP.
  2. Look for logon attempts from unfamiliar locations or at unusual times.
  3. Look for logs indicating changes to security settings or software.
  4. Look for logs indicating new software installations or changes to existing software.


MacOS

Open Console

  1. Launch the Console application from the Utilities folder within the Applications folder.

Look for Error or Warning Logs Related to Security

  1. Check logs related to security software such as antivirus or firewall.
  2. Search for logs with keywords like error or warning.

Search for Suspicious Activity

  1. Look for repeated failed logon attempts from the same source IP.
  2. Look for logon attempts from unfamiliar locations or at unusual times.
  3. Check logs indicating changes to security settings or software.
  4. Look for logs indicating new software installations or changes to existing software.


Linux

Open Terminal

  1. Launch the Terminal application.

Look for Error or Warning Logs Related to Security

  1. Use the following command to view security logs:
     sudo grep -E 'error|warning' /var/log/auth.log

Check Users

  1. Use the following command to see all users with a home directory:
     sudo getent passwd | grep '/home' | cut -d: -f1
  2. Use the following command to see all users, even those without a home directory:
     sudo getent passwd | cut -d: -f1

Search for Suspicious Activity

  1. Look for repeated failed login attempts from the same source IP.
  2. Look for logon attempts from unfamiliar locations or at unusual times.
  3. Check logs indicating changes to security settings or software.
  4. Look for logs indicating new software installations or changes to existing software.
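The Linux steps above (grep auth.log for errors, list users, then look for repeated failed logins from one source IP) can be turned into a small reusable script. The following is an added example, not part of the Irregularpedia page; the auth.log and passwd lines it reads are constructed sample data, and the threshold of three failures is an assumed value.

```shell
#!/bin/sh
# Constructed sample auth.log lines (not from a real host). On a live system,
# feed /var/log/auth.log or `journalctl _COMM=sshd` to the functions instead.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Dec  4 17:01:02 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Dec  4 17:01:05 host sshd[2203]: Failed password for root from 203.0.113.7 port 50130 ssh2
Dec  4 17:01:09 host sshd[2205]: Failed password for root from 203.0.113.7 port 50141 ssh2
Dec  4 17:02:11 host sshd[2210]: Accepted publickey for alice from 192.0.2.10 port 41000 ssh2
Dec  4 17:03:44 host sshd[2214]: Failed password for bob from 198.51.100.5 port 60001 ssh2
Dec  4 17:04:01 host sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001
Dec  4 17:05:00 host sshd[2220]: error: maximum authentication attempts exceeded for root from 203.0.113.7 port 50150 ssh2 [preauth]
EOF
)

# Constructed passwd-format sample for the user checks.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash'

# Same idea as the page's grep, widened to catch "Failed"/"failure" lines and
# made case-insensitive. Reads the log on stdin.
security_errors() {
    grep -Ei 'error|warning|fail'
}

# Counts "Failed password ... from <ip>" per source IP and prints
# "<count> <ip>" for each IP at or above the threshold ($1, default 3).
repeated_failed_logins() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") ip[$(i+1)]++ }
        END { for (a in ip) if (ip[a] >= t) print ip[a], a }
    ' | sort -rn
}

# Mirrors the page's user checks on passwd-format input (stdin):
# "home" lists only accounts with a directory under /home, otherwise all.
list_users() {
    if [ "$1" = "home" ]; then grep '/home' | cut -d: -f1; else cut -d: -f1; fi
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_AUTH_LOG" | security_errors
printf '%s\n' "$SAMPLE_AUTH_LOG" | repeated_failed_logins 3
printf '%s\n' "$SAMPLE_PASSWD" | list_users home
```

An IP that shows up in the repeated-failure output is the "same source IP" the page tells you to look for; compare it against the logon times and the list of accounts with home directories before deciding whether the activity is expected.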