How to Search Log Files

Revision as of 12:53, 4 October 2024 by Sac

See incident-response-guide to return to the full steps.


How to Check and Make Sense of Logs on Different Operating Systems

Mobile: iOS

Use Analytics & Improvements:

  1. Go to Settings > Privacy > Analytics & Improvements.
  2. Select Analytics Data to view system and app logs.

Identify Suspicious Activity:

  1. Look for entries such as sysdiagnose or stacks+appName, which indicate app crashes or system issues.
  2. Search for terms like privacy, location, or permission to find logs related to privacy settings changes.
  3. Check for entries containing daemon or process, which indicate background activity.

Mobile: Android

Enable Developer Options:

  1. Go to Settings > About phone.
  2. Tap Build number seven times to enable Developer Options.

Access Logs through Developer Options:

  1. Go to Settings > System > Developer options.
  2. Scroll to Debugging and select Take bug report or Log viewer.

Check for Suspicious Activity:

  1. Look for frequent app crashes or unexpected system behavior in the logs.
  2. Identify any unusual network activities or connection attempts.
  3. Check for logs indicating changes in security settings or permissions granted to unfamiliar apps.
  4. Look for repeated attempts to access secure features or data without authorization.

Windows

Open the Event Viewer:

  1. Press the Windows key + R to open the Run dialog box.
  2. Type eventvwr.msc and press Enter.
  3. The Event Viewer will open.

Look for Error or Warning logs related to security:

  1. Navigate to Windows Logs > Security.
  2. Sort the logs by Event ID, Level, or Source.
  3. Look for Event IDs 4624 (successful logon), 4625 (failed logon), and 4648 (logon attempted using explicit credentials).
  4. Look for Warning or Error entries related to security software such as antivirus or firewall.

Search for suspicious activity:

  1. Look for repeated failed login attempts from the same source IP.
  2. Look for logon attempts from unfamiliar locations or at unusual times.
  3. Look for logs indicating changes to security settings or software.
  4. Look for logs indicating new software installations or changes to existing software.

macOS

Open Console:

  1. Launch the Console application from the Utilities folder within the Applications folder.
  2. The Console will open.

Look for Error or Warning logs related to security:

  1. Look for logs related to security software such as antivirus or firewall.
  2. Look for logs with the keywords error or warning.

Search for suspicious activity:

  1. Look for repeated failed logon attempts from the same source IP.
  2. Look for logon attempts from unfamiliar locations or at unusual times.
  3. Look for logs indicating changes to security settings or software.
  4. Look for logs indicating new software installations or changes to existing software.

Linux

Open Terminal:

  1. Launch the Terminal application.

Look for Error or Warning logs related to security:

  1. Use the command sudo grep -E 'error|warning' /var/log/auth.log to view security logs.
  2. Look for logs related to security software such as antivirus or firewall.

Look through users:

  1. Use the command sudo getent passwd | grep '/home' | cut -d: -f1 to see all users with a home directory.
  2. Use the command sudo getent passwd | cut -d: -f1 to see all users, including those without a home directory.

Search for suspicious activity:

  1. Look for repeated failed login attempts from the same source IP.
  2. Look for logon attempts from unfamiliar locations or at unusual times.
  3. Look for logs indicating changes to security settings or software.
  4. Look for logs indicating new software installations or changes to existing software.
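The four checks above can be scripted against /var/log/auth.log so they are repeatable during an incident. The script below is an added example and is not part of the original wiki page: it builds a small constructed auth.log (syslog format, documentation IP ranges) in a temporary file and runs one function per check: failed logins grouped by source IP, successful logins outside a working-hours window, account changes made with the useradd family of commands, and the same error/warning grep as the step above but case-insensitive, since sshd writes "error:" in lowercase. The hours window and the failure threshold are assumptions chosen for the example; point AUTH_LOG at the real file to use it (on RHEL-family systems the equivalent file is /var/log/secure).

```shell
#!/bin/sh
# Added example, not the wiki's own tooling. The log content below is
# constructed sample data; the addresses are RFC 5737 documentation ranges.
AUTH_LOG="$(mktemp)"
trap 'rm -f "$AUTH_LOG"' EXIT
cat > "$AUTH_LOG" <<'EOF'
Oct  4 03:15:42 host sshd[990]: Accepted publickey for alice from 192.0.2.9 port 33010 ssh2
Oct  4 12:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Oct  4 12:01:05 host sshd[1201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Oct  4 12:01:09 host sshd[1203]: Failed password for root from 203.0.113.45 port 51030 ssh2
Oct  4 12:01:14 host sshd[1205]: Failed password for root from 203.0.113.45 port 51041 ssh2
Oct  4 12:01:20 host sshd[1205]: error: maximum authentication attempts exceeded for root from 203.0.113.45 port 51041 ssh2 [preauth]
Oct  4 12:03:30 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Oct  4 12:04:00 host sshd[1212]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Oct  4 12:05:10 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd backup2
Oct  4 12:05:11 host useradd[1300]: new user: name=backup2, UID=1002, GID=1002, home=/home/backup2, shell=/bin/bash
Oct  4 12:06:00 host CRON[1320]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# Check 1: failed logins grouped by source IP, most frequent first.
# Prints "IP COUNT" for every source with at least $1 failures.
failed_logins_by_ip() {
    grep 'Failed password' "$AUTH_LOG" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c \
      | awk -v t="$1" '$1 >= t { print $2, $1 }' \
      | sort -k2,2nr
}

# Check 2: successful logins outside the window [$1, $2) hours.
# The syslog timestamp is field 3 (HH:MM:SS), so the hour is its first part.
off_hours_logins() {
    grep 'Accepted ' "$AUTH_LOG" \
      | awk -v s="$1" -v e="$2" '{ split($3, t, ":"); h = t[1] + 0; if (h < s || h >= e) print }'
}

# Check 3: account creation or modification, whether run directly or via sudo.
account_changes() {
    grep -E 'useradd|usermod|userdel|new user' "$AUTH_LOG" || true
}

# Check 4: the wiki's grep, made case-insensitive so sshd's "error:" matches.
errors_and_warnings() {
    grep -iE 'error|warning' "$AUTH_LOG" || true
}

# Stand-alone run: print each report with a header.
echo "== failed logins from one source (>= 3) =="; failed_logins_by_ip 3
echo "== successful logins outside 08:00-18:00 =="; off_hours_logins 8 18
echo "== account changes =="; account_changes
echo "== errors and warnings =="; errors_and_warnings
```

The failed-login grouping is the check that matters most: a single failed password for a real user is noise, while many failures for root or for non-existent users from one address, followed by an "Accepted" line from that same address, is the sequence worth escalating. The sudo line is included deliberately: on Linux, privilege use is logged in auth.log alongside authentication, so a new account created through sudo appears twice, once as the sudo command and once as the useradd record.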