Blue Team Toolkit
Log Review Approach


  • Description: a summary of the Critical Log Review Checklist for Security Incidents, developed by Dr. Anton Chuvakin and Lenny Zeltser, as a working order for reviewing logs during an incident

  • General Approach

    • Identify which log sources and automated tools you can use during the analysis

    • Copy log records to a single location where you will be able to review them together

    • Minimize “noise” by removing routine, repetitive log entries

    • Determine whether you can rely on the logs' time stamps; account for time zone differences and clock skew and normalize every source to a single zone (usually UTC) before ordering events

    • Focus on recent changes, failures, errors, status changes, access and administration events, and other unusual events

    • Go backwards in time from now to reconstruct actions after and before the incident

    • Correlate activities across different logs

    • Develop theories about what occurred; explore logs to confirm or disprove

  • Security Log Sources

    • Server and workstation operating system logs

    • Application logs (e.g., web server, database server)

    • Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)

    • Outbound proxy logs and end-user application logs

    • Remember to consider other, non-log sources for security events

  • Typical Log Locations

    • Linux OS and core applications: /var/log (e.g., auth.log or secure for authentication, syslog or messages for general system events)

    • Windows OS and core applications: Windows Event Log (Security, System, Application), plus the Applications and Services logs such as Sysmon and PowerShell

    • Network devices: usually logged via Syslog; some use proprietary locations and formats

  • Resources

    • Critical Log Review Checklist for Security Incidents

    • Critical Log Review Checklist for Security Incidents PDF

    • Open Source Log Analysis Tools
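The General Approach above, carried out as code. This is an added example, not the checklist authors' code or anything from the Blue Team Toolkit. The log lines are constructed; the host names web01 and proxy01, the assumption that web01 writes year-less syslog in local time UTC+02:00 (year 2024 assumed), the collection time and the RFC 5737 IP addresses are all assumptions made for the example.

```python
"""Added example (not the checklist authors' code): the General Approach steps
run over constructed log lines from two sources.
Assumptions: host web01 writes syslog in local time UTC+02:00 with no year
(2024 assumed); the access log comes from a host called proxy01 and carries
its own UTC offset; all IPs are RFC 5737 documentation addresses."""
import re
from datetime import datetime, timedelta, timezone

SYSLOG_TZ = timezone(timedelta(hours=2))                         # assumed zone of web01
SYSLOG_YEAR = 2024                                               # syslog carries no year
COLLECTED_AT = datetime(2024, 3, 14, 8, 0, tzinfo=timezone.utc)  # assumed "now"

# Steps 1-2: the chosen sources, copied to one place (constructed sample lines).
AUTH_LOG = """\
Mar 14 09:12:40 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 14 09:12:43 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 14 09:12:46 web01 sshd[2215]: Accepted password for root from 203.0.113.7 port 51240 ssh2
Mar 14 09:13:02 web01 sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd backup2
Mar 14 09:15:01 web01 CRON[2300]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Mar 14 09:25:01 web01 CRON[2310]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
"""
ACCESS_LOG = """\
203.0.113.7 - - [14/Mar/2024:07:11:58 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [14/Mar/2024:07:12:05 +0000] "POST /admin/login HTTP/1.1" 401 512
198.51.100.20 - - [14/Mar/2024:07:12:30 +0000] "GET /healthz HTTP/1.1" 200 2
198.51.100.20 - - [14/Mar/2024:07:13:00 +0000] "GET /healthz HTTP/1.1" 200 2
"""

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \d+$')
# Step 3: routine, repetitive entries that only bury the signal.
NOISE = [re.compile(r"^CRON: "), re.compile(r'"GET /healthz [^"]*" 200$')]
# Step 5: failures, access and administration events, HTTP 4xx/5xx responses.
INTERESTING = re.compile(r"Failed|Accepted|sudo|useradd|usermod|passwd| [45]\d\d$")


def parse_syslog(line, host_tz=SYSLOG_TZ, year=SYSLOG_YEAR):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp, host, prog, msg = m.groups()
    # Step 4: classic syslog has neither year nor zone; attach the host's zone
    # explicitly, then normalise to UTC so sources can be ordered together.
    local = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=host_tz)
    return {"ts": local.astimezone(timezone.utc), "source": "auth", "host": host, "msg": f"{prog}: {msg}"}


def parse_access(line, host="proxy01"):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ip, stamp, request, status = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ts": ts, "source": "web", "host": host, "msg": f'{ip} "{request}" {status}'}


def collect():
    """Steps 1-2: parse every source into one list of normalised events."""
    events = [parse_syslog(l) for l in AUTH_LOG.splitlines()]
    events += [parse_access(l) for l in ACCESS_LOG.splitlines()]
    return [e for e in events if e is not None]


def review(events, now=COLLECTED_AT):
    """Steps 3-6: drop noise, keep the unusual, order newest first."""
    kept = [e for e in events if not any(p.search(e["msg"]) for p in NOISE)]
    kept = [e for e in kept if INTERESTING.search(e["msg"])]
    # Step 4 check: a record dated after collection means a clock you cannot
    # trust; keep it out of the timeline until the skew is explained.
    kept = [e for e in kept if e["ts"] <= now]
    return sorted(kept, key=lambda e: e["ts"], reverse=True)


def correlate(events, pivot, window=timedelta(minutes=5)):
    """Step 7: pivot on one indicator across all sources, then pull in same-host
    activity shortly after its successful login (what the actor did next).
    Step 8 is the analyst's: read the result and confirm or discard a theory."""
    direct = [e for e in events if pivot in e["msg"]]
    logins = [e for e in direct if e["source"] == "auth" and "Accepted" in e["msg"]]
    related = [e for login in logins for e in events
               if e["host"] == login["host"] and e not in direct
               and login["ts"] < e["ts"] <= login["ts"] + window]
    return sorted(direct + related, key=lambda e: e["ts"], reverse=True)


if __name__ == "__main__":
    for e in correlate(review(collect()), "203.0.113.7"):
        print(e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), e["source"], e["host"], e["msg"])
```

Run as a script it prints six records newest first: the root `useradd` on web01, the accepted root SSH login, the two failed SSH passwords and the two 401s against /admin/login, all on one UTC clock even though the two sources stamped them differently. That ordering is the material for step 8: the theory that 203.0.113.7 guessed at the web admin login, moved to SSH, got in as root and created a persistence account, which the analyst then confirms or disproves from further sources (the new user's later logins, the web app's own logs).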