Critical Log Review Checklist For Security Incidents


Log reviews are essential for identifying security incidents, monitoring system health, and ensuring compliance. Below is a structured checklist to streamline log analysis during security investigations.

1. Identify Relevant Log Sources

  • System Logs: `/var/log/syslog`, `/var/log/auth.log` (Linux), `Event Viewer` (Windows).
  • Application Logs: Check `/var/log/apache2/access.log` (Apache), `/var/log/nginx/access.log` (Nginx).
  • Security Logs: `/var/log/secure` (RHEL), `/var/log/fail2ban.log` (Fail2Ban).
  • Firewall/IDS Logs: `/var/log/ufw.log` (UFW), `/var/log/suricata/eve.json` (Suricata).

2. Look for Anomalies

  • Failed Logins:
    grep "Failed password" /var/log/auth.log 
    
  • Brute-Force Attacks:
    grep "BREAK-IN ATTEMPT" /var/log/auth.log 
    
  • Unusual Process Execution:
    sudo ausearch -k suspicious-process -i  (Auditd logs; `-k` selects the key you assigned when defining the audit rule, e.g. with `auditctl -w <path> -k suspicious-process`, and `-i` renders uids and syscall numbers in readable form) 
    
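The failed-login and brute-force greps above only list matching lines; an analyst usually wants them counted per source address and checked against a threshold. The script below is an added example, not part of the original checklist, that runs that logic over a constructed sample in the `/var/log/auth.log` sshd format; the threshold and the sample lines are assumptions.

```shell
#!/bin/sh
# Constructed sample of sshd lines in /var/log/auth.log format (not a real capture).
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Oct  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51812 ssh2
Oct  1 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.5 port 51814 ssh2
Oct  1 10:00:04 host sshd[1205]: Failed password for root from 203.0.113.5 port 51815 ssh2
Oct  1 10:00:06 host sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 51816 ssh2
Oct  1 10:00:09 host sshd[1209]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Oct  1 10:00:12 host sshd[1211]: Accepted password for alice from 198.51.100.7 port 40023 ssh2
Oct  1 10:00:15 host sshd[1213]: Accepted publickey for bob from 192.0.2.9 port 33110 ssh2
EOF
)

# Count "Failed password" events per source IP read from stdin; prints "count ip", highest first.
failed_by_ip() {
    grep 'Failed password' \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Print source IPs whose failure count reaches the threshold ($1, default 3): brute-force candidates.
flag_bruteforce() {
    threshold=${1:-3}
    failed_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Print source IPs that failed at least once and later had an accepted login:
# the pattern worth a closer look, since a guess may have succeeded.
failed_then_accepted() {
    awk '/Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)] = 1
         }
         /Accepted (password|publickey)/ {
             for (i = 1; i <= NF; i++) if ($i == "from" && failed[$(i + 1)]) print $(i + 1)
         }'
}

# Usage against the sample; replace the printf with "cat /var/log/auth.log" on a real host.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_bruteforce 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_then_accepted
```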

3. Check for Privilege Escalation

  • Sudo Commands:
    grep "sudo:" /var/log/auth.log 
    
  • SUID Binaries:
    find / -perm -4000 -type f 2>/dev/null 
    

4. Review Network Connections

  • Active Connections:
    netstat -tulnp  (`netstat` is deprecated on many distributions; `ss -tulnp` gives the same listing) 
    
  • Historical Connections:
    journalctl -u NetworkManager --no-pager  (interface and connection state changes recorded by NetworkManager, not per-socket history; pair with firewall or Zeek logs for that) 
    

5. Verify Log Integrity

  • Check for Log Tampering:
    ls -la /var/log/ | grep -iE "auth|secure"  (compare sizes, permissions and modification times; without `-E` the `|` is matched literally and nothing is listed) 
    
  • Use Checksums:
    sha256sum /var/log/syslog  (a live log changes continuously, so record the hash of the copy you preserve at collection time and verify that copy later) 
    

6. Correlate Logs with Timeframes

  • Extract Logs by Time:
    journalctl --since "2023-10-01" --until "2023-10-02" 
    

7. Automate Log Analysis

  • Use Host Intrusion Detection / SIEM Tools:
    sudo apt install ossec-hids  (OSSEC HIDS; the package is provided by OSSEC's own repository rather than the default Debian/Ubuntu sources) 
    
  • Log Aggregation:
    sudo systemctl start elasticsearch  (ELK Stack; Elasticsearch is the storage and search backend, a shipper such as Filebeat or Logstash still has to deliver the logs to it) 
    

You Should Know:

  • Detect Processes Masquerading as Kernel Threads:
    ps aux | grep "[k]worker"  (the `[k]` trick keeps the grep process itself out of the output; `[kworker]` as a character class would match almost every line. Genuine kworker threads are children of PID 2, so a kworker with another parent deserves a look) 
    
  • Check Kernel Logs:
    dmesg | grep -i "error" 
    
  • Windows Event Log Extraction:
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625}  (Event ID 4625 = failed logon) 
    
  • Read Rotated Logs (if logrotate is used):
    zcat /var/log/auth.log.*.gz  (rotated logs are compressed, not deleted; with `delaycompress` the most recent rotation, `auth.log.1`, is still plain text) 
    

What Undercode Says:

A thorough log review is critical for incident response. Always:
– Centralize logs (Rsyslog, Splunk).
– Monitor in real time (`journalctl -f`).
– Check file integrity (`aide --check`).
– Automate bans and review them (`fail2ban-client status`).
– Cross-reference logs (Zeek + Suricata).

Expected Output:

  • A structured report with timestamped anomalies.
  • Indicators of Compromise (IOCs).
  • Recommended remediation steps.

Reported By: Alexrweyemamu Critical – Hackers Feeds