A question that is typically raised during and post breach investigation is what event logs should be monitored, collected or enabled. The below list aims to provide a cheat sheet of sorts to highlight the common logs that contain forensic evidence and that often can be ingested into a central point, such as a SIEM, to provide contextual information for alerting.
Windows Event Logging
Windows event logs are a useful tool in incident response and digital forensics because they provide a record of events that have occurred on a system. These events can include system-level events such as startup and shutdown, as well as application and service-level events. Examining these logs can help identify potential security incidents, troubleshoot issues, and provide evidence for forensic investigations.
| Log File | File Path | Description |
|---|---|---|
| Security | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Contains information about security-related events, such as successful and failed login attempts, access to sensitive resources, and changes to security settings. |
| Application | %SystemRoot%\System32\Winevt\Logs\Application.evtx | Contains information about events related to applications, such as errors and warnings. |
| System | %SystemRoot%\System32\Winevt\Logs\System.evtx | Contains information about events related to the operating system, such as hardware and software failures, resource utilization, and system updates. |
| DNS Server | %SystemRoot%\System32\Dns\Dns.log | Contains information about Domain Name System (DNS) activity, such as requests and responses. |
| File Replication Service | %SystemRoot%\debug\Frs\FrsDiag.log | Contains information about the File Replication Service (FRS), which is used to replicate files and folders between domain controllers. |
| Internet Information Services (IIS) | %SystemRoot%\System32\LogFiles\W3SVC1\ | Contains information about web server activity, such as requests, responses, and errors. This folder contains multiple log files, including an exYYMMDD.log file for each day, a u_exYYMMDD.log file for each day that contains log data in a different format, and a W3SVC1 folder that contains additional log files. |
| PowerShell | %SystemRoot%\System32\Winevt\Logs\Windows PowerShell.evtx | Contains information about PowerShell activity, such as script execution and cmdlet usage. |
| Windows PowerShell Operational | %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx | Contains information about the operational state of PowerShell, such as start and stop events and errors. |
| Remote Desktop Services | %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Contains information about Remote Desktop Services activity, including Remote Desktop Protocol (RDP) connections and disconnections. |
| Windows Management Instrumentation | %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx | Contains information about WMI activity, including WMI queries and method calls. |
| Windows Management Instrumentation Provider Operations | %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Operational.evtx | Contains information about the operational state of WMI providers, including start and stop events and errors. |
| Windows Defender log | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx | Contains events related to the Windows Defender antivirus software. |
Unix/Linux Event Logging
Linux event logs are a useful tool in incident response and digital forensics because they provide a record of events that have occurred on a system. These events can include system-level events such as startup and shutdown, as well as application and service-level events. Examining these logs can help identify potential security incidents, troubleshoot issues, and provide evidence for forensic investigations.
| Log File | Location | Description | Evidence | References |
|---|---|---|---|---|
| Syslog Messages | Debian /var/log/syslog Redhat /var/log/messages | General messages and info regarding system operations. Predominately an administrative focused log | - Plesk - Linux Logs Explained | |
| Auth.log Secure | Debian /var/log/auth.log Redhat /var/log/secure | Authentication logs containing successful and failed logins. sshd process logs are also written here | - Plesk - Linux Logs Explained - Forensic Focus - A Linux Forensics Starter Case Study | |
| Boot.log |
MacOS Event Logging
MacOS event logs are a useful tool in incident response and digital forensics because they provide a record of events that have occurred on a system. These events can include system-level events such as startup and shutdown, as well as application and service-level events. Examining these logs can help identify potential security incidents, troubleshoot issues, and provide evidence for forensic investigations.
| Log File | File Path | Description |
|---|---|---|
| System log | /private/var/log/system.log | Contains events related to system components such as drivers, the kernel, and the startup process. |
| Secure log | /private/var/log/secure.log | Contains events related to security-related activities such as login and logout events, as well as successful and failed attempts to access resources. |
| Application Firewall log | /private/var/log/appfirewall.log | Contains events related to applications and services running on the system, including events related to the macOS firewall. |
| Setup log | /private/var/log/install.log | Contains events related to the installation, removal, and update of software on the system. |
| Safari log | /private/var/log/safari/Safari.log | Contains events related to the Safari browser. |
| MacOS Server log | /Library/Logs/DiagnosticReports | Contains events related to MacOS Server. |
References
- Microsoft documentation on Windows event logs
- SANS Institute’s guide on using Windows event logs in incident response
- Digital Forensics Solutions’ blog post on using Windows event logs in forensic investigations
- Tripwire’s blog post on using Windows event logs to detect security breaches
- TechNet’s guide on using the Event Viewer utility in Windows
- Digital Forensics Solutions’ blog post on using Linux logs in forensic investigations
- SANS Institute’s guide on using Linux logs in incident response
- Apple’s documentation on MacOS logs
- TechRepublic’s tutorial on using the Console application in MacOS