Key Log Types for a Strong SIEM Setup


A strong SIEM (Security Information and Event Management) setup relies on collecting and analyzing various types of logs to detect threats and investigate incidents effectively. Here are the key log types every security team should know:

  1. Authentication Logs – Login attempts, account lockouts, and user sessions.
  2. Network Logs – Firewall traffic, DNS queries, and IDS/IPS alerts.
  3. System Logs – OS-level events like errors, reboots, and shutdowns.
  4. Application Logs – App-specific activity and errors (web, DB, email).
  5. Security Device Logs – Antivirus, EDR, DLP, and vulnerability tools.
  6. Cloud Logs – User actions and API events from AWS, Azure, GCP.
  7. Threat Intelligence Logs – Indicators of compromise and threat feed matches.
  8. Audit Logs – Admin actions, data changes, and configuration updates.

You Should Know: Practical SIEM Log Collection & Analysis

1. Authentication Logs (Linux & Windows)

  • Linux (/var/log/auth.log on Debian/Ubuntu, /var/log/secure on the RHEL family)
    grep "Failed password" /var/log/auth.log    # failed SSH password logins; the username and source IP are on the same line
    last -f /var/log/wtmp                       # login history (who, from where, for how long)
    
  • Windows (Event Viewer / PowerShell)
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625}    # failed logons (Event ID 4625)
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4720}    # user account created (Event ID 4720)
    

2. Network Logs

  • Firewall Logs (UFW/iptables)
    sudo ufw status verbose          # current rules and the logging level
    sudo tail -f /var/log/ufw.log    # logged/blocked packets; stays empty unless UFW logging is enabled
    
  • DNS Query Logs (BIND 9)
    tail -f /var/log/named/queries.log    # only written when query logging is enabled in named.conf; the path is whatever the logging channel points at
    

3. System Logs

  • Linux (journald / /var/log/syslog)
    dmesg | grep -i error    # kernel ring-buffer errors
    journalctl -p err -b     # priority err and above since the last boot
    
  • Windows (Event Logs)
    Get-WinEvent -FilterHashtable @{LogName='System'; Level=2}    # System log errors (Level 2 = Error); Get-EventLog only exists in Windows PowerShell 5.1, not PowerShell 7
    

4. Application Logs

  • Apache/Nginx Logs
    tail -f /var/log/apache2/access.log       # live request stream
    grep ' 404 ' /var/log/nginx/access.log    # requests for missing pages; the status code is in access.log, error.log holds server-side errors, not 404s
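
The grep commands in the authentication and web sections only list matching lines; what a SIEM actually does with them is count events per source inside a time window and alert past a threshold. The Python below is an added example written for this page, not code from the original post: it parses constructed sshd `Failed password` lines and constructed nginx/Apache combined-format access log lines, and runs one sliding-window detector over both, so the same logic flags an SSH brute force and a web directory scan. Hostnames, IPs, timestamps and thresholds are invented for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not from a real host). Traditional syslog
# timestamps carry no year, so the parser takes the year as a parameter.
AUTH_LOG = """\
Mar  4 10:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  4 10:00:03 web01 sshd[2213]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  4 10:00:04 web01 sshd[2215]: Failed password for root from 203.0.113.9 port 51031 ssh2
Mar  4 10:00:06 web01 sshd[2217]: Failed password for invalid user test from 203.0.113.9 port 51040 ssh2
Mar  4 10:00:08 web01 sshd[2219]: Failed password for root from 203.0.113.9 port 51044 ssh2
Mar  4 10:00:09 web01 sshd[2221]: Accepted publickey for deploy from 198.51.100.7 port 40100 ssh2
Mar  4 10:30:00 web01 sshd[2301]: Failed password for root from 198.51.100.7 port 40200 ssh2
"""

# Constructed nginx/Apache "combined" format lines.
ACCESS_LOG = """\
198.51.100.7 - - [04/Mar/2024:10:05:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Mar/2024:10:05:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.9 - - [04/Mar/2024:10:05:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.9 - - [04/Mar/2024:10:05:03 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.9 - - [04/Mar/2024:10:05:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "curl/8.0"
"""

SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def ssh_failures(text, year):
    """Yield (timestamp, source_ip, username) for each failed SSH password attempt."""
    for line in text.splitlines():
        m = SSH_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def web_client_errors(text):
    """Yield (timestamp, source_ip, request) for each 4xx response in a combined-format log."""
    for line in text.splitlines():
        m = COMBINED.match(line)
        if m and m["status"].startswith("4"):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], m["req"]


def burst_sources(events, threshold, window_seconds):
    """Sliding-window count per source.

    events: iterable of (timestamp, source_ip, ...). Returns {ip: peak} for every
    source whose event count inside some window_seconds-long window reached
    threshold. Counting per window rather than per day is what separates a
    brute-force burst from a user who mistypes a password a few times a week.
    """
    by_ip = defaultdict(list)
    for ts, ip, *_ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        window = deque()
        peak = 0
        for t in times:
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def detect_ssh_bruteforce(text, year=2024, threshold=5, window_seconds=60):
    return burst_sources(ssh_failures(text, year), threshold, window_seconds)


def detect_web_scanning(text, threshold=4, window_seconds=60):
    return burst_sources(web_client_errors(text), threshold, window_seconds)


if __name__ == "__main__":
    print("SSH brute force:", detect_ssh_bruteforce(AUTH_LOG))
    print("Web scanning:", detect_web_scanning(ACCESS_LOG))
```

On the sample data the detector reports 203.0.113.9 in both logs (five SSH failures in seven seconds, four 404s in three seconds) and ignores 198.51.100.7, whose single failure half an hour later never fills a window. In a real deployment the same per-source window logic runs on the SIEM side, which is why timestamps from every host need to be parsed with their year and time zone rather than compared as strings.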
    

5. Security Device Logs

  • Host agent alerts (Wazuh/OSSEC, a HIDS/XDR agent rather than a classic EDR)
    tail -f /var/ossec/logs/alerts/alerts.log    # alerts on the manager; alerts.json next to it is the form a SIEM ingests
    

6. Cloud Logs (AWS CLI)

aws logs tail /aws/lambda/my-function --follow    # stream a CloudWatch Logs group (AWS CLI v2)
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteBucket    # S3 bucket deletions; lookup-events only searches the last 90 days of management events, so deliver the trail to S3/CloudWatch for the SIEM
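
`lookup-events` returns a short summary per event with the full CloudTrail record embedded as a JSON string in the `CloudTrailEvent` field, which is the part scripts usually get wrong. The Python below is an added example, not code from the original post: it triages a constructed copy of that output and flags destructive API calls, permission changes, denied calls (a common reconnaissance signal) and any use of the root account. The account ID, principals, IPs and event IDs are invented, and the API-name sets are a starting point to extend, not a complete list.

```python
import json
import sys


# Constructed copy of what `aws cloudtrail lookup-events --output json` prints: a list of
# summaries whose "CloudTrailEvent" value is the full record serialised as a JSON *string*.
# Account ID, ARNs, IPs and event IDs are invented for this example.
def _wrap(summary, record):
    return {**summary, "CloudTrailEvent": json.dumps(record)}


LOOKUP_OUTPUT = json.dumps({"Events": [
    _wrap({"EventId": "0001", "EventName": "DeleteBucket", "EventTime": "2024-03-04T10:00:00+00:00", "Username": "alice"},
          {"eventVersion": "1.08", "eventTime": "2024-03-04T10:00:00Z", "eventSource": "s3.amazonaws.com",
           "eventName": "DeleteBucket", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
           "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"},
           "requestParameters": {"bucketName": "prod-backups"}}),
    _wrap({"EventId": "0002", "EventName": "ListBuckets", "EventTime": "2024-03-04T10:01:00+00:00", "Username": "bob"},
          {"eventVersion": "1.08", "eventTime": "2024-03-04T10:01:00Z", "eventSource": "s3.amazonaws.com",
           "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
           "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"},
           "errorCode": "AccessDenied", "errorMessage": "Access Denied"}),
    _wrap({"EventId": "0003", "EventName": "ConsoleLogin", "EventTime": "2024-03-04T10:02:00+00:00", "Username": "root"},
          {"eventVersion": "1.08", "eventTime": "2024-03-04T10:02:00Z", "eventSource": "signin.amazonaws.com",
           "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
           "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
           "responseElements": {"ConsoleLogin": "Success"}}),
    _wrap({"EventId": "0004", "EventName": "DescribeInstances", "EventTime": "2024-03-04T10:03:00+00:00", "Username": "app"},
          {"eventVersion": "1.08", "eventTime": "2024-03-04T10:03:00Z", "eventSource": "ec2.amazonaws.com",
           "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.25",
           "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}}),
]})

# API calls that destroy data or blind logging, and calls that widen access. Extend for your account.
DESTRUCTIVE = {"DeleteBucket", "DeleteTrail", "StopLogging", "PutEventSelectors", "DeleteFlowLogs"}
PRIVILEGE = {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy"}
RECON_ERRORS = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}


def triage_lookup_output(json_text):
    """Return one finding per event that deserves analyst attention, with the reasons."""
    findings = []
    for ev in json.loads(json_text).get("Events", []):
        rec = json.loads(ev["CloudTrailEvent"])  # the nested full record, not the summary
        identity = rec.get("userIdentity", {})
        name = rec.get("eventName")
        reasons = []
        if name in DESTRUCTIVE:
            reasons.append("destructive-api")
        if name in PRIVILEGE:
            reasons.append("privilege-change")
        if rec.get("errorCode") in RECON_ERRORS:
            reasons.append("denied-call")
        if identity.get("type") == "Root":
            reasons.append("root-account-used")
        if reasons:
            findings.append({
                "time": rec.get("eventTime"),
                "event": f'{rec.get("eventSource")}:{name}',
                "principal": identity.get("arn"),
                "source_ip": rec.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # e.g.  aws cloudtrail lookup-events --output json | python3 triage_cloudtrail.py
    data = sys.stdin.read() if not sys.stdin.isatty() else LOOKUP_OUTPUT
    for finding in triage_lookup_output(data):
        print(json.dumps(finding))
```

The benign `DescribeInstances` call from the assumed role produces no finding; the other three do, each for a different reason. The source IP and principal ARN come from the nested record, which is also where `errorCode` lives: the summary fields alone cannot tell a successful call from a denied one.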

7. Threat Intelligence Logs

  • MISP Threat Feeds (REST API; MISP_URL and MISP_KEY stand for your instance URL and API key)
    curl -s -H "Authorization: $MISP_KEY" -H "Accept: application/json" -H "Content-Type: application/json" -d '{"tags": "ransomware", "type": "domain"}' "$MISP_URL/attributes/restSearch"    # pull domain indicators tagged ransomware
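
To turn the DNS query log and the threat feed into a detection, each queried name has to be checked against the feed, including subdomains of a listed domain. The Python below is an added example, not code from the original post: it parses constructed BIND 9 query-log lines, takes domain indicators from a constructed dictionary shaped like a MISP attributes/restSearch reply (that layout is my assumption, check it against your instance), and adds two cheap tunnelling heuristics, over-long labels and high-entropy labels. Thresholds and all sample data are invented.

```python
import math
import re
from collections import Counter

# Constructed BIND 9 query-log lines (query logging has to be enabled; the
# timestamp prefix depends on the logging channel's print-time setting).
QUERY_LOG = """\
04-Mar-2024 10:00:01.101 client @0x7f2a1c0012a0 192.0.2.10#53412 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)
04-Mar-2024 10:00:02.220 client @0x7f2a1c0012a0 192.0.2.10#53413 (c2.evil.example): query: c2.evil.example IN A +E(0)K (192.0.2.1)
04-Mar-2024 10:00:03.330 client @0x7f2a1c0012a0 192.0.2.44#41000 (aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.tunnel.example): query: aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.tunnel.example IN TXT +E(0)K (192.0.2.1)
"""

# Constructed stand-in for a MISP attributes/restSearch reply (layout assumed,
# verify against your instance); only domain/hostname attributes are used here.
MISP_RESPONSE = {"response": {"Attribute": [
    {"type": "domain", "category": "Network activity", "value": "evil.example"},
    {"type": "ip-dst", "category": "Network activity", "value": "203.0.113.9"},
    {"type": "hostname", "category": "Network activity", "value": "BadCDN.invalid"},
]}}

QUERY = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def domains_from_misp(resp):
    """Lower-cased domain/hostname values from a restSearch-shaped reply."""
    return {a["value"].lower() for a in resp.get("response", {}).get("Attribute", [])
            if a.get("type") in ("domain", "hostname")}


def parse_queries(text):
    """Yield (client_ip, qname, qtype) per query line; case is kept for the entropy check."""
    for line in text.splitlines():
        m = QUERY.search(line)
        if m:
            yield m["client"], m["qname"].rstrip("."), m["qtype"]


def ioc_match(qname, iocs):
    """Return the indicator qname equals or sits under (c2.evil.example hits evil.example)."""
    labels = qname.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def tunnel_hints(qname, max_label=30, min_label_for_entropy=16, max_entropy=3.5):
    """Cheap DNS-tunnelling/DGA heuristics; thresholds are invented, baseline them on your traffic."""
    hints = []
    for label in qname.split("."):
        if len(label) > max_label:
            hints.append("long-label")
        if len(label) >= min_label_for_entropy and shannon_entropy(label) > max_entropy:
            hints.append("high-entropy")
    return hints


def triage_dns(text, iocs):
    """One finding per query that matched the feed or looked like tunnelling."""
    findings = []
    for client, qname, qtype in parse_queries(text):
        reasons = []
        hit = ioc_match(qname, iocs)
        if hit:
            reasons.append(f"ioc-match:{hit}")
        reasons.extend(tunnel_hints(qname))
        if reasons:
            findings.append({"client": client, "qname": qname, "qtype": qtype, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_dns(QUERY_LOG, domains_from_misp(MISP_RESPONSE)):
        print(finding)
```

The suffix walk in `ioc_match` is what makes a feed entry for `evil.example` catch `c2.evil.example`; a plain set lookup on the full name would miss it. Indicator values are normalised to lower case on both sides, since DNS names are case-insensitive but feeds and query logs are not consistent about it.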
    

8. Audit Logs (Linux auditd)

sudo auditctl -l               # active rules, including the -k keys they were loaded with
sudo ausearch -k "user-mod"    # events from rules tagged -k user-mod (for example a watch on /etc/passwd); prints nothing unless such a rule exists
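
`ausearch -k` hides the raw format, but once audit.log is shipped to a SIEM you usually have to reassemble events yourself: one event is several `type=...` records sharing the same `audit(<time>:<serial>)` id, and the fields worth alerting on are spread across them (`auid`, `exe` and `key` on the SYSCALL record, the file on the PATH records, the command line hex-encoded on PROCTITLE). The Python below is an added example, not code from the original post: it parses constructed audit.log lines for a `usermod` run caught by a hypothetical `-w /etc/passwd -p wa -k user-mod` rule, groups the records by serial, and reproduces the `-k` filter.

```python
import re
from collections import defaultdict

# Constructed lines in the shape auditd writes to /var/log/audit/audit.log
# (one event = several records sharing the audit(<time>:<serial>) id).
# Serial 4521 is a usermod run hitting a hypothetical "-k user-mod" watch on
# /etc/passwd; serial 4522 is an unkeyed read of /etc/hostname.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1709546401.123:4521): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c0a3f2b0 a2=241 a3=1b6 items=2 ppid=1500 pid=1622 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="usermod" exe="/usr/sbin/usermod" subj=unconfined key="user-mod"
type=CWD msg=audit(1709546401.123:4521): cwd="/root"
type=PATH msg=audit(1709546401.123:4521): item=0 name="/etc/" inode=262145 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1709546401.123:4521): item=1 name="/etc/passwd" inode=262204 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1709546401.123:4521): proctitle=757365726D6F64002D6147007375646F00616C696365
type=SYSCALL msg=audit(1709546402.500:4522): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd1a2b3c40 a2=0 a3=0 items=1 ppid=1500 pid=1630 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key=(null)
type=PATH msg=audit(1709546402.500:4522): item=0 name="/etc/hostname" inode=262300 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
"""

TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_ID = re.compile(r"audit\((?P<time>[\d.]+):(?P<serial>\d+)\)")


def parse_record(line):
    """One audit line -> dict. Quoted values lose their quotes; a hex-encoded
    proctitle is decoded and its NUL separators turned into spaces."""
    rec = {k: v.strip('"') for k, v in TOKEN.findall(line)}
    m = MSG_ID.search(rec.get("msg", ""))
    if m:
        rec["time"], rec["serial"] = float(m["time"]), int(m["serial"])
    if rec.get("type") == "PROCTITLE" and re.fullmatch(r"[0-9A-Fa-f]+", rec.get("proctitle", "")):
        rec["proctitle"] = bytes.fromhex(rec["proctitle"]).decode(errors="replace").replace("\x00", " ")
    return rec


def parse_audit_log(text):
    """Group records by serial and fold each group into one event summary."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            if "serial" in rec:
                groups[rec["serial"]].append(rec)
    events = []
    for serial, recs in sorted(groups.items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None:
            continue
        events.append({
            "serial": serial,
            "time": syscall["time"],
            "key": syscall.get("key"),
            "auid": syscall.get("auid"),  # login uid: survives sudo/su, unlike uid/euid
            "uid": syscall.get("uid"),
            "exe": syscall.get("exe"),
            "comm": syscall.get("comm"),
            "success": syscall.get("success") == "yes",
            "cmdline": next((r["proctitle"] for r in recs if r["type"] == "PROCTITLE"), None),
            "paths": [r["name"] for r in recs if r["type"] == "PATH" and r.get("nametype") != "PARENT"],
        })
    return events


def keyed_events(text, key=None):
    """Events that hit a rule with -k <key> (any key when key is None); mirrors `ausearch -k`."""
    return [e for e in parse_audit_log(text)
            if e["key"] not in (None, "(null)") and (key is None or e["key"] == key)]


if __name__ == "__main__":
    for event in keyed_events(AUDIT_LOG, "user-mod"):
        print(event)
```

The field to key alerts on is `auid`, not `uid`: in the sample the syscall ran as uid 0 but the login uid is still 1000, which is how the SIEM attributes a root-level change to the person who typed `sudo usermod ...`. The PARENT path record is dropped so the event names the file that was actually touched.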

What Undercode Say

A well-configured SIEM is critical for detecting anomalies, breaches, and insider threats. Aggregating logs from every source (servers, firewalls, cloud) gives the visibility no single host can. Automate parsing and correlation with Elasticsearch, Logstash and Kibana (ELK) or Splunk for near real-time analysis. Forward logs off-host to a central collector as they are written, so an attacker who gains root on a machine cannot quietly edit its history, and verify archived logs against checksums (sha256sum) so that tampering at rest is at least detectable.

Expected Output:

  • SIEM alerts on suspicious login attempts.
  • Firewall logs showing blocked intrusion attempts.
  • Cloud logs revealing unauthorized API calls.
  • Audit logs tracking critical system changes.

References:

Reported By: Ouardi Mohamed – Hackers Feeds
