How to Search Log Files: Difference between revisions
Revision as of 04:27, 18 November 2024
See incident-response-guide to return to full steps.
How to Check and Make Sense of Logs on Different Operating Systems
Mobile: iOS
Use Analytics & Improvements
- Go to Settings > Privacy > Analytics & Improvements (Settings > Privacy & Security > Analytics & Improvements on iOS 16 and later).
- Select Analytics Data to view the diagnostic and crash reports iOS has collected for the system and for apps.
Identify Suspicious Activity
- Look for entries such as sysdiagnose or stacks+appName, indicating app crashes or system issues; JetsamEvent entries record processes killed under memory pressure and panic-full entries record kernel panics.
- Search for terms like privacy, location, or permission to find logs related to privacy settings changes. Analytics Data is a list of diagnostic reports rather than an audit trail of settings changes, so the absence of a match does not mean nothing changed.
- Check for any entries with daemon or process indicating background activities.
- For a complete log, capture a sysdiagnose on the device (press and hold both volume buttons and the side button together for about 1.5 seconds; the report appears in Analytics Data a few minutes later) and share it to a computer for analysis.
Mobile: Android
Enable Developer Options
- Go to Settings > About phone.
- Tap Build number seven times to enable Developer Options.
Access Logs through Developer Options
- Go to Settings > System > Developer options.
- Find Take bug report (at the top of Developer options on recent versions, in the Debugging section on older ones) and select it. Stock Android has no on-device log viewer: the bug report ZIP contains the logcat and dumpsys output for review on a workstation, and with USB debugging enabled a workstation can read the live log with adb logcat.
Check for Suspicious Activity
- Look for frequent app crashes or unexpected system behavior in the logs.
- Identify any unusual network activities or connection attempts.
- Check for logs indicating changes in security settings or permissions granted to unfamiliar apps.
- Look for repeated attempts to access secure features or data without authorization.
Windows
Open the Event Viewer
- Press the Windows key + R to open the Run dialog box.
- Type eventvwr.msc and press Enter.
- The Event Viewer will open. Run it as an administrator: the Security log cannot be read from a standard user account (membership in Administrators or Event Log Readers is required).
Look for Error or Warning Logs Related to Security
- Navigate to Windows Logs > Security. Audit events are not logged at the Error or Warning level; their Level is Information and the Keywords column says Audit Success or Audit Failure, so filter on Keywords and Event ID rather than Level.
- Sort or filter the logs by Event ID, Keywords, or Source (Filter Current Log accepts a comma-separated list of Event IDs).
- Look for Event IDs:
  4624 (successful logon; the Logon Type field distinguishes console (2), network (3) and Remote Desktop (10) logons),
  4625 (failed logon; Status and Sub Status give the reason, and Network Information gives the source address),
  4648 (logon attempted using explicit credentials, for example runas or a scheduled task running as a different account).
Search for Suspicious Activity
- Look for repeated failed login attempts from the same source IP (the Source Network Address field of 4625). Status 0xC000006D with Sub Status 0xC000006A means a wrong password; Sub Status 0xC0000064 means the user name does not exist, which is typical of a guessing tool working through a word list.
- Look for logon attempts from unfamiliar locations or at unusual times; a 4624 with Logon Type 10 at 03:00 is a Remote Desktop session worth explaining.
- Look for logs indicating changes to security settings or software: 4719 (audit policy changed), 4720 (user account created), 4732 (member added to a local security group) and 1102 (audit log cleared), all in the Security log.
- Look for logs indicating new software installations or changes to existing software: 7045 (a service was installed) in the System log and the MsiInstaller events in the Application log.
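The steps above, worked as an added Python example rather than code from the page: it reads a Security log saved from Event Viewer (Action > Save All Events As, XML format) and applies the checks the steps describe. The XML here is a constructed sample in the shape of that export (not a real capture), the addresses are documentation ranges, and the thresholds (five failures within ten minutes, business hours 07:00 to 19:00) are assumptions to tune for the environment.

```python
"""Triage an Event Viewer XML export of the Security log (added example; not code from the page)."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}


def _event(eid, ts, user, ip, logon_type, subject="-"):
    """Build one <Event> in the Security-Auditing shape (only used to construct the sample)."""
    return (
        f'<Event xmlns="{EVENT_NS}"><System>'
        '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>{eid}</EventID><TimeCreated SystemTime="{ts}"/>'
        '<Channel>Security</Channel><Computer>WS01</Computer></System><EventData>'
        f'<Data Name="SubjectUserName">{subject}</Data>'
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="IpAddress">{ip}</Data>'
        "</EventData></Event>"
    )


# Constructed sample export (not a real capture): a password-guessing burst from
# 203.0.113.7 that finally succeeds, an RDP logon by bob at 03:20, one benign typo
# by alice, and a runas-style 4648 by alice using the administrator account.
SAMPLE_XML = "<Events>" + "".join([
    _event(4625, "2024-11-18T03:01:05.1234567Z", "administrator", "203.0.113.7", 3),
    _event(4625, "2024-11-18T03:01:09.2234567Z", "admin", "203.0.113.7", 3),
    _event(4625, "2024-11-18T03:01:14.3234567Z", "administrator", "203.0.113.7", 3),
    _event(4625, "2024-11-18T03:01:20.4234567Z", "svc_backup", "203.0.113.7", 3),
    _event(4625, "2024-11-18T03:01:26.5234567Z", "administrator", "203.0.113.7", 3),
    _event(4624, "2024-11-18T03:01:40.6234567Z", "administrator", "203.0.113.7", 3),
    _event(4624, "2024-11-18T03:20:00.0000000Z", "bob", "198.51.100.4", 10),
    _event(4625, "2024-11-18T09:15:03.0000000Z", "alice", "10.0.0.12", 2),
    _event(4624, "2024-11-18T09:15:10.0000000Z", "alice", "10.0.0.12", 2),
    _event(4648, "2024-11-18T10:30:00.0000000Z", "administrator", "-", "-", subject="alice"),
]) + "</Events>"


def parse_events(xml_text):
    """Flatten each <Event> into a dict, sorted by time so later checks can rely on order."""
    events = []
    for ev in ET.fromstring(xml_text).iter(f"{{{EVENT_NS}}}Event"):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        events.append({
            "id": int(system.find("e:EventID", NS).text),
            "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),  # drop the 7-digit fraction
            "user": data.get("TargetUserName", ""),
            "subject": data.get("SubjectUserName", ""),
            "ip": data.get("IpAddress", "-"),
            "logon_type": data.get("LogonType", ""),
        })
    return sorted(events, key=lambda e: e["time"])


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Source addresses with at least `threshold` 4625 failures inside any `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["ip"] != "-":
            failures[e["ip"]].append(e["time"])
    hits = {}
    for ip, times in failures.items():
        end = 0
        for start in range(len(times)):  # two-pointer sliding window over sorted times
            while end < len(times) and times[end] - times[start] <= window:
                end += 1
            if end - start >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start)
    return hits


def success_after_failures(events, min_failures=3):
    """A 4624 from an address that already produced >= min_failures 4625s: a guess that worked."""
    failed = defaultdict(int)
    hits = []
    for e in events:
        if e["id"] == 4625:
            failed[e["ip"]] += 1
        elif e["id"] == 4624 and failed[e["ip"]] >= min_failures:
            hits.append((e["ip"], e["user"], e["time"].isoformat()))
    return hits


def off_hours_logons(events, start_hour=7, end_hour=19, logon_types=("2", "10")):
    """Successful console (2) or Remote Desktop (10) logons outside business hours."""
    return [(e["user"], e["ip"], e["logon_type"], e["time"].isoformat())
            for e in events
            if e["id"] == 4624 and e["logon_type"] in logon_types
            and not start_hour <= e["time"].hour < end_hour]


def explicit_credential_logons(events):
    """4648: an account used credentials other than its own (runas, scheduled tasks, lateral movement)."""
    return [(e["subject"], e["user"], e["time"].isoformat()) for e in events if e["id"] == 4648]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    print("password guessing:", brute_force_sources(evs))
    print("success after failures:", success_after_failures(evs))
    print("off-hours interactive logons:", off_hours_logons(evs))
    print("explicit credentials:", explicit_credential_logons(evs))
```

Sorting the parsed events by time before the success-after-failures pass matters: an export saved from a view sorted by Event ID groups all 4624s before all 4625s, and the check would then see the success first and report nothing.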
MacOS
Open Console
- Launch the Console application from the Utilities folder within the Applications folder.
Look for Error or Warning Logs Related to Security
- Check logs related to security software such as antivirus or firewall.
- Search for logs with keywords like error or warning. Console streams live messages only: select the Mac in the sidebar and press Start to begin streaming, and use the Errors and Faults toolbar button to limit the view to those message types. To search events that happened before Console was opened, use the log show command in Terminal with --last (for example the last 24 hours) and a --predicate filter.
Search for Suspicious Activity
- Look for repeated failed logon attempts from the same source IP. Remote logons are handled by sshd and screensharingd and local ones by loginwindow and opendirectoryd, so filter on those process names.
- Look for logon attempts from unfamiliar locations or at unusual times.
- Check logs indicating changes to security settings or software.
- Look for logs indicating new software installations or changes to existing software; installer activity is recorded in /var/log/install.log, which Console lists under Log Reports.
Linux
Open Terminal
- Launch the Terminal application.
Look for Error or Warning Logs Related to Security
- Use the command:
sudo grep -Ei 'error|warning|failed|invalid user|authentication failure' /var/log/auth.log
to view security logs. Most failed logons contain neither "error" nor "warning": sshd writes "Failed password for ..." and "Invalid user ...", and PAM writes "authentication failure", so the pattern has to include those or the events you are looking for will not show up.
- /var/log/auth.log is the Debian and Ubuntu location. On RHEL, Fedora and derivatives the same messages go to /var/log/secure, and on systems that keep only the systemd journal they are read with journalctl instead.
Check Users
- Use the command:
sudo getent passwd | grep '/home' | cut -d: -f1
to see all users with a home directory under /home. sudo is not needed for getent, and accounts whose home is elsewhere (root, or an account deliberately given a home under /var or /opt) are not listed, so also run the next command.
- Use the command:
sudo getent passwd | cut -d: -f1
to see all users, even those without a home directory. getent also returns accounts from LDAP, NIS or SSSD, not only /etc/passwd, which is what you want when looking for an account an attacker added. Pay particular attention to any account other than root with UID 0 and to system accounts that have been given a login shell.
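The two getent commands list names only. The added Python example below (not code from the page) parses the same getent passwd output and adds the checks that matter during an incident: accounts with a login shell whose home is outside /home, a second UID 0 account, system-range accounts with an interactive shell, and UIDs shared by more than one name. The passwd text is a constructed sample, and the first regular UID (1000 on Debian, Ubuntu and Fedora) is an assumption to match to the distribution.

```python
"""Audit `getent passwd` output for planted accounts (added example; not code from the page)."""
from collections import defaultdict

# Constructed sample of `getent passwd` output (not from a real host): two normal users,
# a root-equivalent "backup2" hidden under /var/tmp and a "support" account in the
# system UID range that has been given a shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
backup2:x:0:0::/var/tmp/.x:/bin/bash
support:x:999:999::/opt/support:/bin/sh
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Split passwd lines into name, uid, gid, gecos, home and shell."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def users_with_home(entries, prefix="/home/"):
    """Same result as the page's grep '/home' pipeline, but matched on the home field only."""
    return [e["name"] for e in entries if e["home"].startswith(prefix)]


def all_users(entries):
    return [e["name"] for e in entries]


def suspicious_accounts(entries, uid_min=1000):
    """Findings a planted account typically triggers; uid_min is the distro's first regular UID."""
    uid_owners = defaultdict(list)
    for e in entries:
        uid_owners[e["uid"]].append(e["name"])
    can_login = [e for e in entries if e["shell"] not in NOLOGIN_SHELLS]
    return {
        "extra_uid0": [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"],
        "system_with_shell": [e["name"] for e in can_login if 0 < e["uid"] < uid_min],
        "login_shell_outside_home": [e["name"] for e in can_login
                                     if e["name"] != "root" and not e["home"].startswith("/home/")],
        "shared_uids": {uid: names for uid, names in uid_owners.items() if len(names) > 1},
    }


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("users under /home:", users_with_home(entries))
    print("all users:", all_users(entries))
    for finding, names in suspicious_accounts(entries).items():
        print(f"{finding}: {names}")
```

Run it against real output with `getent passwd > passwd.txt` and `parse_passwd(open("passwd.txt").read())`; on a host joined to a directory, compare the getent output with /etc/passwd as well, since a local account that does not exist in the directory is itself a finding.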
Search for Suspicious Activity
- Look for repeated failed login attempts from the same source IP, and for an "Accepted" line from that same IP afterwards, which means one of the guesses worked.
- Look for logon attempts from unfamiliar locations or at unusual times.
- Check logs indicating changes to security settings or software: useradd, usermod and passwd write every account change to the same log, and every sudo invocation is recorded with the invoking user, the target user and the command.
- Look for logs indicating new software installations or changes to existing software (package manager logs such as /var/log/dpkg.log and /var/log/apt/history.log on Debian-based systems, and /var/log/dnf.log or dnf history on Fedora and RHEL).
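The checks in this section, worked as an added Python example (not code from the page) over a constructed auth.log fragment in the format sshd, useradd and sudo write on Debian and Ubuntu. The addresses are documentation ranges, the host name and PIDs are made up, and the three-failure threshold is an assumption.

```python
"""Triage an auth.log fragment for password guessing and account changes (added example; not code from the page)."""
import re
from collections import Counter

# Constructed auth.log lines (not a real capture): a guessing burst against root that
# succeeds, a root-equivalent account added right after, a tool installed via sudo,
# and a benign typo by alice followed by her usual key-based logon.
SAMPLE_AUTH_LOG = """\
Nov 18 03:01:05 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 18 03:01:09 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 18 03:01:14 web1 sshd[2215]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Nov 18 03:01:20 web1 sshd[2217]: Failed password for root from 203.0.113.7 port 51250 ssh2
Nov 18 03:01:31 web1 sshd[2219]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Nov 18 03:02:02 web1 useradd[2230]: new user: name=backup2, UID=0, GID=0, home=/var/tmp/.x, shell=/bin/bash
Nov 18 03:02:40 web1 sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt-get install -y netcat
Nov 18 09:15:03 web1 sshd[2400]: Failed password for alice from 10.0.0.12 port 40022 ssh2
Nov 18 09:15:10 web1 sshd[2402]: Accepted publickey for alice from 10.0.0.12 port 40024 ssh2
Nov 18 09:16:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                  r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED = re.compile(r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port")
SUDO = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
ACCOUNT_PROGS = {"useradd", "usermod", "userdel", "groupadd", "groupmod", "gpasswd", "passwd", "chpasswd"}


def parse_auth_log(text):
    """One dict per parsable syslog line; the message is kept verbatim apart from surrounding spaces."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["msg"] = rec["msg"].strip()
            records.append(rec)
    return records


def failed_logins_by_source(records):
    """sshd 'Failed ...' lines per source address (none of these contain 'error' or 'warning')."""
    counts = Counter()
    for r in records:
        m = FAILED.search(r["msg"]) if r["prog"] == "sshd" else None
        if m:
            counts[m.group("ip")] += 1
    return counts


def success_after_failures(records, min_failures=3):
    """An 'Accepted' logon from an address that had >= min_failures failures before it."""
    failed = Counter()
    hits = []
    for r in records:
        if r["prog"] != "sshd":
            continue
        f = FAILED.search(r["msg"])
        a = ACCEPTED.search(r["msg"])
        if f:
            failed[f.group("ip")] += 1
        elif a and failed[a.group("ip")] >= min_failures:
            hits.append((a.group("ip"), a.group("user"), a.group("method"), r["ts"]))
    return hits


def account_changes(records):
    """Lines written by the account-management tools (new users, changed shells, passwords)."""
    return [(r["ts"], r["prog"], r["msg"]) for r in records if r["prog"] in ACCOUNT_PROGS]


def privileged_commands(records, target="root"):
    """Every sudo invocation that ran as `target`, with the user who invoked it."""
    hits = []
    for r in records:
        m = SUDO.match(r["msg"]) if r["prog"] == "sudo" else None
        if m and m.group("target") == target:
            hits.append((r["ts"], m.group("user"), m.group("cmd")))
    return hits


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failures by source:", dict(failed_logins_by_source(recs)))
    print("success after failures:", success_after_failures(recs))
    print("account changes:", account_changes(recs))
    print("commands run as root:", privileged_commands(recs))
```

Feed it a real file with `parse_auth_log(open("/var/log/auth.log").read())` (read it as root, or from a copy). The syslog timestamp carries no year, so when a log spans a year boundary, sort by file rotation order before trusting the "before it" logic in success_after_failures.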