A strong SIEM (Security Information and Event Management) setup relies on collecting and analyzing various types of logs to detect threats and investigate incidents effectively. Here are the key log types every security team should know:
1️⃣ Authentication Logs – Login attempts, account lockouts, and user sessions.
2️⃣ Network Logs – Firewall traffic, DNS queries, and IDS/IPS alerts.
3️⃣ System Logs – OS-level events like errors, reboots, and shutdowns.
4️⃣ Application Logs – App-specific activity and errors (web, DB, email).
5️⃣ Security Device Logs – Antivirus, EDR, DLP, and vulnerability tools.
6️⃣ Cloud Logs – User actions and API events from AWS, Azure, GCP.
7️⃣ Threat Intelligence Logs – Indicators of compromise and threat feed matches.
8️⃣ Audit Logs – Admin actions, data changes, and configuration updates.
You Should Know:
Linux Commands for Log Analysis
– `journalctl -u sshd` – View SSH authentication logs.
– `grep "Failed password" /var/log/auth.log` – Check failed login attempts.
– `sudo ausearch -m USER_LOGIN` – Audit user logins (Linux auditd).
– `tcpdump -i eth0 -w network.pcap` – Capture network traffic for analysis.
– `zcat /var/log/syslog.*.gz | grep "error"` – Search rotated, compressed system logs.
Windows Commands for Log Collection
– `Get-WinEvent -LogName Security | Where-Object {$_.ID -eq 4625}` – Find failed logins.
– `wevtutil qe Security /q:"*[System[(EventID=4663)]]"` – Query file access audit logs (the XPath selector starts with `*`).
– `netsh advfirewall show allprofiles` – View firewall configuration (`netsh firewall show config` is the deprecated pre-Vista form).
– `Get-MpThreatDetection` – Check Windows Defender threat logs.
SIEM Query Examples (Splunk/ELK)
- Splunk: `index=windows EventCode=4625 | stats count by src_ip`
- ELK (KQL): `event.dataset: "security" AND event.action: "failed"`
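The Linux and Windows commands above and the two SIEM queries all do one thing on different platforms: pull failed logins and count them per source address. The following added example (not code from the original post) shows that pipeline end to end in Python: it parses constructed sshd lines in `/var/log/auth.log` format, takes constructed Windows 4625/4624 records as `Get-WinEvent` would expose them, normalizes both into the ECS-style field names the KQL query uses (`event.dataset`, `event.action`; the `source.ip` and `user.name` names are an assumption), and then performs the equivalent of `stats count by src_ip` with a brute-force threshold that spans both datasets.

```python
"""Normalize Linux sshd and Windows 4625 failed logins into one schema and
count failures per source IP (the cross-platform version of
`grep "Failed password"`, `Get-WinEvent ... 4625` and `stats count by src_ip`).
Added example; all log lines and records below are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sshd lines in the traditional /var/log/auth.log format.
AUTH_LOG = """\
Mar  3 10:01:02 web1 sshd[2214]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 10:01:05 web1 sshd[2216]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
Mar  3 10:01:09 web1 sshd[2220]: Failed password for root from 203.0.113.9 port 51041 ssh2
Mar  3 10:02:11 web1 sshd[2231]: Accepted publickey for deploy from 198.51.100.4 port 40100 ssh2
Mar  3 10:03:40 web1 sshd[2240]: Failed password for alice from 198.51.100.77 port 40222 ssh2
"""

# Constructed Windows Security records (4625 = failed logon, 4624 = success);
# TargetUserName / IpAddress are the event's own data fields.
WIN_EVENTS = [
    {"Id": 4625, "TargetUserName": "Administrator", "IpAddress": "203.0.113.9", "LogonType": 3},
    {"Id": 4625, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.9", "LogonType": 3},
    {"Id": 4624, "TargetUserName": "bob", "IpAddress": "10.0.0.5", "LogonType": 10},
]

# Matches both "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed password|Accepted \w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def normalize_sshd(text):
    """Map sshd lines onto ECS-style fields; lines that are not auth outcomes are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        events.append({
            "event.dataset": "linux.auth",
            "event.action": "failed" if m["outcome"].startswith("Failed") else "success",
            "source.ip": m["ip"],
            "user.name": m["user"],
        })
    return events


def normalize_win(records):
    """Map 4625/4624 records onto the same fields; other event IDs are ignored."""
    events = []
    for r in records:
        if r["Id"] not in (4624, 4625):
            continue
        events.append({
            "event.dataset": "windows.security",
            "event.action": "failed" if r["Id"] == 4625 else "success",
            "source.ip": r["IpAddress"],
            "user.name": r["TargetUserName"],
        })
    return events


def failed_by_src_ip(events):
    """Equivalent of `event.action:"failed" | stats count by src_ip`."""
    return Counter(e["source.ip"] for e in events if e["event.action"] == "failed")


def brute_force_sources(events, threshold=3):
    """IPs with at least `threshold` failures across all datasets, with the accounts they tried."""
    users = defaultdict(set)
    for e in events:
        if e["event.action"] == "failed":
            users[e["source.ip"]].add(e["user.name"])
    counts = failed_by_src_ip(events)
    return {ip: sorted(users[ip]) for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    all_events = normalize_sshd(AUTH_LOG) + normalize_win(WIN_EVENTS)
    print(failed_by_src_ip(all_events))
    print(brute_force_sources(all_events))
```

Because both sources share one schema, the threshold fires on 203.0.113.9 even though no single platform alone saw more than three failures from it; that cross-source correlation is the reason to centralize these logs in the SIEM rather than grep each host.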
Cloud Logging (AWS/Azure/GCP)
- AWS: `aws logs filter-log-events --log-group-name "/aws/cloudtrail" --filter-pattern '{ $.eventName = "ConsoleLogin" }'`
- Azure: `Get-AzLog -StartTime (Get-Date).AddDays(-1) | Where-Object {$_.OperationName -eq "Microsoft.Compute/virtualMachines/write"}`
- GCP: `gcloud logging read "resource.type=gce_instance AND logName=projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"` (replace `PROJECT_ID` with your project ID)
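The AWS command above only filters records by `eventName`; the analyst still has to decode them and decide what matters. The added example below (not code from the original post) takes constructed `aws logs filter-log-events` output, in which every CloudTrail record is a JSON string inside the `message` field of a CloudWatch Logs event, reproduces the `$.eventName = "ConsoleLogin"` filter, and flags failed console logins, successful logins without MFA, and any source address on a threat-feed IOC list. The records, the IOC list and the `/aws/cloudtrail` log-group name are constructed for the example.

```python
"""Decode and triage CloudTrail ConsoleLogin records from filter-log-events output.
Added example; the CloudTrail records and IOC list are constructed."""
import json

# Constructed CloudTrail records carrying the fields a real ConsoleLogin event has.
RECORDS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

# Shape of `aws logs filter-log-events` output: each CloudTrail record is a JSON
# string inside "message". Constructed here from RECORDS so the example runs offline.
CLI_OUTPUT = json.dumps({
    "events": [{"timestamp": 1700000000000 + i, "message": json.dumps(r)}
               for i, r in enumerate(RECORDS)]
})

# Constructed threat-feed matches (log type 7 in the list above).
IOC_IPS = {"203.0.113.9", "192.0.2.50"}


def load_records(cli_output):
    """Undo the double JSON encoding: outer CLI document, inner CloudTrail record."""
    return [json.loads(e["message"]) for e in json.loads(cli_output)["events"]]


def filter_events(records, **field_values):
    """Keep records whose top-level fields equal the given values,
    the Python equivalent of the `{ $.eventName = "ConsoleLogin" }` filter pattern."""
    return [r for r in records if all(r.get(k) == v for k, v in field_values.items())]


def console_login_findings(records, ioc_ips):
    """Return (finding, user, source_ip) tuples for the three conditions worth alerting on."""
    findings = []
    for r in filter_events(records, eventName="ConsoleLogin"):
        user = r.get("userIdentity", {}).get("userName", "?")
        ip = r.get("sourceIPAddress")
        outcome = r.get("responseElements", {}).get("ConsoleLogin")
        mfa = r.get("additionalEventData", {}).get("MFAUsed")
        if outcome == "Failure":
            findings.append(("failed_console_login", user, ip))
        elif outcome == "Success" and mfa != "Yes":
            findings.append(("console_login_without_mfa", user, ip))
        if ip in ioc_ips:
            findings.append(("source_ip_on_threat_feed", user, ip))
    return findings


if __name__ == "__main__":
    for finding in console_login_findings(load_records(CLI_OUTPUT), IOC_IPS):
        print(finding)
```

The same structure applies to the Azure and GCP commands: filter on the operation or log name at the API, then decode and enrich in the SIEM, where the IOC match and the MFA check can be expressed as correlation rules rather than one-off scripts.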
What Undercode Say:
A well-configured SIEM is the backbone of threat detection. By leveraging authentication, network, system, and cloud logs, security teams can detect anomalies faster. Use Linux (journalctl, auditd), Windows (Get-WinEvent), and cloud-native tools (AWS CloudTrail, Azure Monitor) to automate log collection. Regularly update threat intelligence feeds and correlate logs with known IOCs.
Expected Output:
- Centralized log storage with real-time alerts.
- Automated threat detection using predefined rules.
- Compliance-ready audit trails for investigations.
Reported By: Alexrweyemamu