Network Device Log Analysis

  • Description: list of items to consider for network device forensic analysis

  • What to scrutinize

    • Look at both inbound and outbound activities.

  • The examples below show message fragments from Cisco ASA logs; other devices log similar events:

    • Traffic allowed on firewall: “Built … connection”, “access-list … permitted”

    • Traffic blocked on firewall: “access-list … denied”, “deny inbound”, “Deny … by”

    • Bytes transferred (large files?): “Teardown TCP connection … duration … bytes …”

    • Bandwidth and protocol usage: “limit … exceeded”, “CPU utilization”

    • Detected attack activity: “attack from”

    • User account changes: “user added”, “user deleted”, “User priv level changed”

    • Administrator access: “AAA user …”, “User … locked out”, “login failed”
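The phrases above can be turned directly into a triage script. The following is an added example, not part of the original cheat sheet: it classifies constructed ASA-style syslog lines (not real captures) by the categories listed above and flags "Teardown" records whose byte count exceeds an assumed threshold of 100 MiB.

```python
import re
from collections import Counter

# Constructed sample lines in Cisco ASA syslog style (not real captures).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/4444 (203.0.113.5/4444) to inside:10.0.0.10/80 (10.0.0.10/80)
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/4444 to inside:10.0.0.10/80 duration 0:00:12 bytes 8192 TCP FINs
%ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.25/51000 (10.0.0.25/51000)
%ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.7/443 to inside:10.0.0.25/51000 duration 1:15:02 bytes 734003200 TCP FINs
%ASA-4-106023: Deny tcp src outside:203.0.113.9/5555 dst inside:10.0.0.10/22 by access-group "outside_in"
%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.9(5556) -> inside/10.0.0.10(3389) hit-cnt 1 first hit
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin
"""

# Teardown records carry the transferred byte count; capture duration and bytes.
TEARDOWN = re.compile(r"Teardown TCP connection .* duration (\S+) bytes (\d+)")

# Category -> regex built from the cheat-sheet phrases; first match wins.
CATEGORIES = [
    ("allowed", re.compile(r"Built .* connection|access-list .* permitted")),
    ("blocked", re.compile(r"access-list .* denied|deny inbound|Deny .* by", re.I)),
    ("teardown", TEARDOWN),
    ("admin_access", re.compile(r"AAA user|User .* locked out|login failed", re.I)),
    ("attack", re.compile(r"attack from", re.I)),
]

def categorize(line):
    """Return the first cheat-sheet category whose phrase matches, else 'other'."""
    for name, pattern in CATEGORIES:
        if pattern.search(line):
            return name
    return "other"

def analyze(log_text, large_bytes=100 * 1024 * 1024):
    """Count lines per category and list teardowns moving at least large_bytes.

    large_bytes is an assumed review threshold (100 MiB), not an ASA setting.
    Returns (Counter of categories, list of (endpoints, bytes) for large flows).
    """
    counts = Counter()
    large = []
    for line in log_text.splitlines():
        counts[categorize(line)] += 1
        m = TEARDOWN.search(line)
        if m and int(m.group(2)) >= large_bytes:
            endpoints = line.split(" for ", 1)[1].split(" duration")[0]
            large.append((endpoints, int(m.group(2))))
    return counts, large

if __name__ == "__main__":
    counts, large = analyze(SAMPLE_LOG)
    print(dict(counts))
    for endpoints, nbytes in large:
        print(f"LARGE TRANSFER: {endpoints} moved {nbytes} bytes")
```

Run against a real export, replace SAMPLE_LOG with the file contents and tune the byte threshold to the environment's normal traffic volume.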
