Log Analysis Cheatsheet: Master SIEM, Threat Hunting & Incident Response Like a Pro + Video


Introduction:

Log analysis is the backbone of modern cybersecurity operations, enabling defenders to detect intrusions, investigate anomalies, and respond to incidents in real time. This cheatsheet provides actionable commands, tool configurations, and step-by-step techniques for parsing logs across Linux, Windows, cloud environments, and AI-driven SIEM platforms.

Learning Objectives:

  • Parse and filter system, authentication, and web server logs using native CLI tools (Linux/Windows) and advanced utilities like jq, grep, and awk.
  • Configure centralized logging with rsyslog, NXLog, and ELK stack while implementing log integrity monitoring and forward secrecy.
  • Detect attack patterns (brute-force, webshells, privilege escalation, API abuses) and automate threat hunting with Python, PowerShell, and Sigma rules.

You Should Know:

  1. Linux Log Analysis: From `/var/log` to Real-Time Hunting
    Linux stores everything from authentication to cron jobs in /var/log/. Critical files include `auth.log` (Ubuntu/Debian) or `secure` (RHEL/CentOS) for SSH and sudo attempts, `syslog` for kernel and system messages, and `apache2/access.log` for web traffic.

Step‑by‑step guide – Detecting brute-force SSH attacks:

  • Count failed SSH attempts per IP:
    sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr
    
  • Extract successful logins from suspicious IPs:
    sudo grep "Accepted password" /var/log/auth.log | grep "192.168.1.100"
    
  • Monitor auth logs in real time:
    sudo tail -f /var/log/auth.log | grep -E "Failed|Accepted"
    
  • For systems with journald:
    journalctl -u sshd --since "1 hour ago" | grep "Failed password"
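
The same counting in Python, as an added example that is not code from the cheatsheet: it parses `sshd` failure lines (including the `invalid user` form), counts failures per source IP like the grep/awk/sort/uniq pipeline above, and additionally records which usernames each IP tried, which separates password spraying (many accounts, one source) from a classic single-account brute force. The auth.log lines are constructed; the `threshold` of 3 is an assumption for the sample.

```python
"""Count failed SSH logons per source IP and list which usernames each IP tried.
Added example, not code from the cheatsheet; the auth.log lines are constructed."""
import re
from collections import Counter, defaultdict

# sshd writes "Failed password for root from 1.2.3.4 port 51022 ssh2" and, for unknown
# accounts, "Failed password for invalid user admin from 1.2.3.4 port 51023 ssh2".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

SAMPLE_AUTH_LOG = """\
Mar  3 09:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 09:14:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 09:14:05 web1 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
Mar  3 09:14:09 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 09:15:11 web1 sshd[2210]: Failed password for alice from 198.51.100.9 port 40012 ssh2
Mar  3 09:15:40 web1 sshd[2212]: Accepted publickey for alice from 198.51.100.9 port 40013 ssh2
Mar  3 09:17:00 web1 sshd[2230]: Failed password for root from 192.0.2.200 port 60001 ssh2
Mar  3 09:17:02 web1 sshd[2231]: Failed password for root from 192.0.2.200 port 60002 ssh2
Mar  3 09:17:04 web1 sshd[2232]: Failed password for root from 192.0.2.200 port 60003 ssh2
Mar  3 09:18:30 web1 CRON[2240]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def failed_by_ip(lines):
    """Counter of failed password attempts keyed by source IP."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def users_tried_by_ip(lines):
    """Map each source IP to the set of usernames it failed against."""
    tried = defaultdict(set)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            tried[m.group("ip")].add(m.group("user"))
    return dict(tried)


def classify(lines, threshold=3):
    """Label IPs with >= threshold failures: 'spray' when several accounts were tried
    (password spraying), 'brute' when one account was hammered repeatedly."""
    tried = users_tried_by_ip(lines)
    labels = {}
    for ip, n in failed_by_ip(lines).items():
        if n >= threshold:
            labels[ip] = "spray" if len(tried[ip]) > 1 else "brute"
    return labels


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for ip, n in failed_by_ip(lines).most_common():
        print(f"{n:5d} {ip}  users={sorted(users_tried_by_ip(lines)[ip])}")
    print(classify(lines))
```

Point the script at a real file by replacing `SAMPLE_AUTH_LOG.splitlines()` with `open('/var/log/auth.log')`; the regexes only look at the message part, so the classic and the RFC 3339 timestamp formats both work.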
    
  2. Windows Event Log Analysis with PowerShell and Wevtutil
    Windows Event Logs are categorized by channels: Security (event ID 4624 for a successful logon, 4625 for a failed one), System, and Application. Use `Get-WinEvent` for structured queries.

Step‑by‑step guide – Hunting brute-force and privilege escalation:

  • Show all failed logon events (event ID 4625) from last 24 hours:
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=(Get-Date).AddDays(-1)} | Select-Object TimeCreated, Message
    
  • Group failed logons by source IP (property index 19 of a 4625 event is `IpAddress`; `-FilterHashtable` lets the event log service do the filtering instead of piping the whole log through `Where-Object`):
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} | ForEach-Object { $_.Properties[19].Value } | Group-Object | Sort-Object Count -Descending
    
  • Detect service installation (event ID 7045) which may indicate persistence:
    Get-WinEvent -LogName System | Where-Object { $_.Id -eq 7045 }
    
  • Using `wevtutil` to export logs for offline analysis:
    wevtutil epl Security C:\Logs\Security.evtx
    
  3. Web Server Logs: Apache, Nginx, and WAF Forensics
    Web logs reveal injection attempts, directory traversal, and bot activity. Combine `grep` with regex to spot SQLi and XSS.

Step‑by‑step guide – Identify SQL injection attempts:

  • Search for `union select`, `sleep(` or `' or 1=1` (URL-encoded as `%27%20or%20`) in Apache logs; `-E` is needed for the `|` alternation and the `(` must be escaped in an extended regex:
    grep -iE "union.select|sleep\(|%27%20or%20" /var/log/apache2/access.log
    
  • Extract all GET/POST parameters with `jq` (if logs are JSON):
    cat access.json | jq 'select(.request | contains("union")) | {ip: .clientip, uri: .request}'
    
  • Detect failed login attempts on WordPress admin (match the status field, not any 302/404 elsewhere on the line):
    grep "POST /wp-login.php" access.log | grep -E '" (302|404) '
    
  • For Nginx, using `grep` and `awk` to count bot hits by user-agent:
    cat /var/log/nginx/access.log | awk -F'"' '{print $6}' | sort | uniq -c | sort -nr | head -10
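
The grep and awk one-liners above break down as soon as the payload is URL-encoded differently or a field contains a space; an added example (not code from the cheatsheet, log lines constructed) that parses the combined log format properly, decodes the URI before matching the same SQLi indicators, and counts requests per user-agent:

```python
"""Parse Apache/Nginx combined-format access logs, flag SQL-injection probes after
URL-decoding and count hits per user-agent. Added example, not code from the
cheatsheet; the log lines are constructed."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# combined format: ip ident user [time] "method uri proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The indicators from the grep in the text, matched on the decoded URI so that
# "%27%20or%201=1" and "' or 1=1" are treated the same.
SQLI_RE = re.compile(
    r"union\s+(?:all\s+)?select|sleep\s*\(|'\s*or\s+1\s*=\s*1|benchmark\s*\(", re.I
)

SAMPLE_ACCESS_LOG = """\
198.51.100.4 - - [03/Mar/2025:10:01:12 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2025:10:01:15 +0000] "GET /index.php?id=1%27%20or%201=1-- HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
203.0.113.9 - - [03/Mar/2025:10:01:16 +0000] "GET /index.php?id=1%20UNION%20SELECT%20NULL,NULL HTTP/1.1" 500 312 "-" "sqlmap/1.7"
203.0.113.9 - - [03/Mar/2025:10:01:18 +0000] "GET /index.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
192.0.2.77 - - [03/Mar/2025:10:02:40 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.78 - - [03/Mar/2025:10:02:41 +0000] "GET /login HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def parse_combined(line):
    """Fields of one combined-format line as a dict (plus decoded_uri), or None if malformed."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_uri"] = unquote_plus(rec["uri"])
    return rec


def sqli_suspects(lines):
    """(ip, decoded_uri) for every request whose decoded URI matches an SQLi indicator."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec and SQLI_RE.search(rec["decoded_uri"]):
            hits.append((rec["ip"], rec["decoded_uri"]))
    return hits


def hits_by_user_agent(lines):
    # Same result as the awk field-6 pipeline, but robust to quotes in the request line.
    counts = Counter()
    for line in lines:
        rec = parse_combined(line)
        if rec:
            counts[rec["ua"]] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_ACCESS_LOG.splitlines()
    for ip, uri in sqli_suspects(lines):
        print(f"SQLi indicator from {ip}: {uri}")
    for ua, n in hits_by_user_agent(lines).most_common(10):
        print(f"{n:5d} {ua}")
```

Lines that do not match the format (a mangled request line, a different LogFormat) return `None` from `parse_combined` and are skipped rather than miscounted; in production, count those too, since a sudden rise in unparseable lines is itself a signal.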
    
  4. SIEM Queries & Sigma Rules for Correlation (ELK/Splunk)
    Centralized log management enables cross‑device correlation. Example: brute-force followed by a successful admin logon.

Step‑by‑step guide – Create a Sigma rule to detect brute-force then success:

– Install `sigmac` to convert Sigma rules into backend queries (Splunk SPL, Elasticsearch Lucene/Query DSL, Microsoft Sentinel KQL). `sigmac` is the legacy converter shipped in the repository's `tools/` directory; its maintained successor is `sigma-cli` (`pip install sigma-cli`), whose command syntax differs from what follows:

git clone https://github.com/SigmaHQ/sigma.git
cd sigma/tools
pip install -r requirements.txt

– Write a Sigma rule brute_then_success.yml:

title: Multiple Failed Logons Followed by Success
status: experimental
description: Five or more 4625 events from one source IP within 5 minutes; the pairing with 4624 is done in the converted SIEM query
logsource:
  product: windows
  service: security
detection:
  failed:
    EventID: 4625
  success:
    EventID: 4624
  timeframe: 5m
  # Legacy sigmac aggregation syntax: threshold on failures grouped by source IP.
  # "failed and success" can never match, because a single event is either 4625 or 4624.
  condition: failed | count() by IpAddress > 5

– Convert to Splunk query:

./sigmac -t splunk brute_then_success.yml

– Example correlation query after conversion, in Splunk SPL (Kibana's Lucene bar accepts only the filter part, `event.code:4625 OR event.code:4624`; the aggregation there is done in a visualization or with ES|QL):
`(event.code=4625 OR event.code=4624) | stats count(eval(event.code=4625)) AS failures count(eval(event.code=4624)) AS successes BY source.ip | where failures > 5 AND successes > 0`
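
What the rule and the query above express, written out as code so the window logic is visible, and also covering the per-IP grouping of 4625 events from the PowerShell step in section 2: an added example that is not code from the cheatsheet or from SigmaHQ. The records are constructed with the fields a SIEM normalises out of `Get-WinEvent` (`EventID`, `TimeCreated`, `IpAddress`, `TargetUserName`); the 5-failure threshold and 5-minute window are the values from the rule.

```python
"""Windowed correlation: >= 5 failed logons (4625) from one source IP followed by a
successful logon (4624) from the same IP within 5 minutes. Added example, not code
from the cheatsheet or SigmaHQ; the event records are constructed."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 5


def _ev(event_id, ts, ip, user):
    return {"EventID": event_id, "TimeCreated": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "IpAddress": ip, "TargetUserName": user}


EVENTS = [  # constructed sample, deliberately out of time order to show the sort
    _ev(4625, "2025-03-03 09:00:01", "203.0.113.7", "administrator"),
    _ev(4625, "2025-03-03 09:00:04", "203.0.113.7", "administrator"),
    _ev(4625, "2025-03-03 09:00:07", "203.0.113.7", "administrator"),
    _ev(4625, "2025-03-03 09:00:10", "203.0.113.7", "administrator"),
    _ev(4625, "2025-03-03 09:00:13", "203.0.113.7", "administrator"),
    _ev(4624, "2025-03-03 09:01:30", "203.0.113.7", "administrator"),  # success inside window: alert
    _ev(4625, "2025-03-03 09:10:00", "198.51.100.9", "bob"),
    _ev(4624, "2025-03-03 09:10:30", "198.51.100.9", "bob"),           # one typo, then success: benign
    _ev(4625, "2025-03-03 08:00:00", "10.0.0.5", "svc"),
    _ev(4625, "2025-03-03 08:00:01", "10.0.0.5", "svc"),
    _ev(4625, "2025-03-03 08:00:02", "10.0.0.5", "svc"),
    _ev(4625, "2025-03-03 08:00:03", "10.0.0.5", "svc"),
    _ev(4625, "2025-03-03 08:00:04", "10.0.0.5", "svc"),
    _ev(4624, "2025-03-03 09:30:00", "10.0.0.5", "svc"),              # success 90 min later: outside window
]


def failed_by_source(events):
    """Per-IP count of 4625 events (what Group-Object on Properties[19] produces)."""
    return Counter(e["IpAddress"] for e in events if e["EventID"] == 4625)


def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """One alert (ip, user, success_time, failures_in_window) per burst of at least
    `threshold` failures that ends in a success from the same IP inside `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of 4625s still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ip, now = ev["IpAddress"], ev["TimeCreated"]
        q = recent[ip]
        while q and now - q[0] > window:  # expire failures older than the window
            q.popleft()
        if ev["EventID"] == 4625:
            q.append(now)
        elif ev["EventID"] == 4624 and len(q) >= threshold:
            alerts.append((ip, ev["TargetUserName"], now, len(q)))
            q.clear()  # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for ip, n in failed_by_source(EVENTS).most_common():
        print(f"{n:3d} failures from {ip}")
    for ip, user, when, n in correlate(EVENTS):
        print(f"ALERT {when}: {user} logged on from {ip} after {n} failures within {WINDOW}")
```

The deque per IP keeps memory bounded to the failures inside the window, which is what lets this run as a streaming job over a live feed rather than a batch query; the `stats ... | where` form in SPL is the batch equivalent.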

  5. Cloud Log Analysis: AWS CloudTrail, Azure Monitor, and GCP Logging
    Cloud logs track API calls, IAM changes, and suspicious resource creation.

Step‑by‑step guide – detect unauthorized S3 bucket enumeration:

  • AWS CLI: Search CloudTrail for `ListBuckets` from an unusual IP (`lookup-events` returns the last 90 days of management events only; S3 data events such as `GetObject` have to be read from the trail's S3 output or Athena). `CloudTrailEvent` is a JSON string, so the JMESPath filter is a plain substring test:
    aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ListBuckets --query "Events[?contains(CloudTrailEvent, '123.45.67.89')]"
    
  • Azure PowerShell: Query sign-in logs for failed interactive logins followed by an MFA bypass attempt (`Get-AzureADAuditSignInLogs` belongs to the retired AzureADPreview module; the Microsoft Graph equivalent is `Get-MgAuditLogSignIn`):
    Get-AzureADAuditSignInLogs -Filter "status/errorCode eq 50057" | Where-Object { $_.ClientAppUsed -eq "Other" }
    
  • GCP: Export logs to BigQuery and run the query below. Instance creation is an Admin Activity audit log, so it lands in the `_activity` table rather than `_data_access`, and the `WHERE` clause has to use the full nested column name:
    SELECT timestamp, protopayload_auditlog.methodName, protopayload_auditlog.authenticationInfo.principalEmail
    FROM `your-project.your_dataset.cloudaudit_googleapis_com_activity`
    WHERE protopayload_auditlog.methodName LIKE '%compute.instances.insert%'
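
An added example (not code from the cheatsheet or from AWS) of processing the CloudTrail side offline: `aws cloudtrail lookup-events` returns an `Events` list in which each entry carries the full record as a JSON string in `CloudTrailEvent`, so the record must be decoded a second time before `sourceIPAddress` can be checked against the networks you expect. The JSON below is constructed in that shape; the allow-listed ranges, the account ID and the user ARNs are assumptions.

```python
"""Flag S3 ListBuckets/GetObject calls whose source IP is outside the expected networks.
Added example, not code from the cheatsheet or AWS; the lookup-events output is constructed."""
import ipaddress
import json

# Assumed corporate egress ranges; replace with your own.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]
WATCHED_EVENTS = {"ListBuckets", "GetObject"}


def _record(name, src, arn):
    """One CloudTrail record (a subset of the real fields), serialised as lookup-events returns it."""
    return json.dumps({
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "eventTime": "2025-03-03T10:15:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": src,
        "userAgent": "aws-cli/2.15.0",
    })


LOOKUP_OUTPUT = json.dumps({"Events": [  # constructed; account ID and ARNs are placeholders
    {"EventId": "evt-1", "EventName": "ListBuckets",
     "CloudTrailEvent": _record("ListBuckets", "198.51.100.20", "arn:aws:iam::111122223333:user/alice")},
    {"EventId": "evt-2", "EventName": "ListBuckets",
     "CloudTrailEvent": _record("ListBuckets", "203.0.113.55", "arn:aws:iam::111122223333:user/alice")},
    {"EventId": "evt-3", "EventName": "ListBuckets",
     "CloudTrailEvent": _record("ListBuckets", "s3.amazonaws.com", "arn:aws:iam::111122223333:role/backup")},
    {"EventId": "evt-4", "EventName": "DescribeInstances",
     "CloudTrailEvent": _record("DescribeInstances", "203.0.113.55", "arn:aws:iam::111122223333:user/alice")},
]})


def suspicious_calls(lookup_json, allowed_nets=ALLOWED_NETS, watched=WATCHED_EVENTS):
    """(eventName, sourceIPAddress, arn) for watched calls made from outside allowed_nets."""
    findings = []
    for ev in json.loads(lookup_json)["Events"]:
        rec = json.loads(ev["CloudTrailEvent"])  # nested JSON string, not a dict
        if rec.get("eventName") not in watched:
            continue
        src = rec.get("sourceIPAddress", "")
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # AWS services put a DNS name (e.g. s3.amazonaws.com) here, not an IP
        if not any(ip in net for net in allowed_nets):
            findings.append((rec["eventName"], src, rec["userIdentity"].get("arn", "unknown")))
    return findings


if __name__ == "__main__":
    for name, src, arn in suspicious_calls(LOOKUP_OUTPUT):
        print(f"{name} from {src} by {arn}")
```

The `ValueError` branch matters in practice: service-initiated calls carry a service hostname in `sourceIPAddress`, and a checker that crashes or silently flags every one of them trains analysts to ignore the alert.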
    
  6. Log Integrity & Tamper Detection using hashes and remote logging
    Attackers often clear local logs. Protect via remote logging, signed hashes, and immutable storage.

Step‑by‑step guide – set up remote syslog with TLS:

– On the Linux log server (Ubuntu) and on every client, install `rsyslog` with TLS support:

sudo apt install rsyslog-gnutls

– Generate certificates (self‑signed for test):

openssl req -x509 -newkey rsa:4096 -keyout ca-key.pem -out ca-cert.pem -days 365 -nodes

– Configure `/etc/rsyslog.conf` on the client to forward auth logs over TLS. The stream-driver directives must come before the action line, and `*.*` in place of `auth,authpriv.*` forwards everything. `anon` mode encrypts the session but does not verify the server's identity; for production use `$ActionSendStreamDriverAuthMode x509/name` together with `$ActionSendStreamDriverPermittedPeer logserver.example.com`:

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-cert.pem
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
auth,authpriv.* @@(o)logserver.example.com:6514;RSYSLOG_SyslogProtocol23Format

– For Windows, use `NXLog` to forward Event Logs to the SIEM. An `im_msvistalog` input and a route are required for anything to flow; `xm_syslog` provides `to_syslog_ietf()` and `to_syslog_bsd()` (there is no `to_syslog()`), and `om_ssl` replaces `om_tcp` when the collector expects TLS:

<Extension _syslog>
    Module xm_syslog
</Extension>
<Input eventlog>
    Module im_msvistalog
</Input>
<Output out>
    Module om_tcp
    Host logserver.example.com
    Port 514
    Exec to_syslog_ietf();
</Output>
<Route eventlog_to_siem>
    Path eventlog => out
</Route>
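
Remote forwarding protects lines that have already left the host; the "signed hashes" mentioned at the top of this section protect the ones still on it. An added example (not code from the cheatsheet or from rsyslog/NXLog) of forward-secure, tamper-evident tagging: every line gets an HMAC that chains to the previous tag, and the key is hashed forward after each line so that an intruder who later obtains the host cannot recompute tags for entries written before the compromise. Only the verifier (the log server) keeps the initial key. The key, the lines and the `"log-key-evolve"` label are constructed for the demo.

```python
"""Forward-secure, tamper-evident tagging of log lines with a chained HMAC.
Added example, not code from the cheatsheet or rsyslog/NXLog; key and lines are constructed."""
import hashlib
import hmac

GENESIS = b"\x00" * 32  # previous-tag value used for the first line


def evolve(key):
    """Next epoch key. The logger deletes the old key after use; only the verifier keeps key0."""
    return hashlib.sha256(b"log-key-evolve" + key).digest()


def tag_lines(lines, key0):
    """Return [(line, hex_tag)] with tag_i = HMAC(key_i, tag_{i-1} || line_i)."""
    key, prev = key0, GENESIS
    tagged = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        tagged.append((line, tag.hex()))
        prev, key = tag, evolve(key)
    return tagged


def verify(tagged, key0):
    """Index of the first line whose tag fails (an edit, deletion or reorder earlier in the
    file surfaces at that index), or -1 when the whole chain is intact."""
    key, prev = key0, GENESIS
    for i, (line, hex_tag) in enumerate(tagged):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(hex_tag)):
            return i
        prev, key = expected, evolve(key)
    return -1


KEY0 = bytes.fromhex("00" * 31 + "2a")  # constructed demo key; use os.urandom(32) for real use
SAMPLE_LINES = [  # constructed
    "Mar  3 09:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar  3 09:14:05 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Mar  3 09:16:02 web1 sshd[2215]: Accepted password for deploy from 203.0.113.7 port 51030 ssh2",
    "Mar  3 09:16:30 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash",
]


def demo():
    """Verify an intact chain, one with the 'Accepted password' line removed, and one
    with the source IP in the first line rewritten."""
    intact = tag_lines(SAMPLE_LINES, KEY0)
    erased = intact[:2] + intact[3:]
    altered = list(intact)
    altered[0] = (intact[0][0].replace("203.0.113.7", "10.0.0.1"), intact[0][1])
    return verify(intact, KEY0), verify(erased, KEY0), verify(altered, KEY0)


if __name__ == "__main__":
    print("intact, erased, altered ->", demo())
```

Deleting a line is caught because the line that slides into its position is checked against the previous tag and the wrong epoch key; truncating the tail of the file is the one change this scheme cannot see on its own, which is why the line count (or the latest tag) also has to be reported to the verifier periodically.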
  7. AI-Assisted Log Analysis: Anomaly Detection with Python & ELK ML
    Traditional rules miss zero‑day attacks. Use unsupervised learning to flag outlier logs.

Step‑by‑step guide – Python script to detect logon time anomalies:

– Extract timestamps of successful logons from auth.log:

import re
from datetime import datetime
import numpy as np
from sklearn.ensemble import IsolationForest

# Classic syslog stamp ("Mar  3 09:14:01") or the RFC 3339 stamp that newer rsyslog
# versions write ("2025-03-03T09:14:01.123456+00:00")
SYSLOG_TS = re.compile(r'^(\w{3}\s+\d+\s+\d+:\d+:\d+)')
ISO_TS = re.compile(r'^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})')

times = []  # seconds after midnight of every successful password logon
with open('/var/log/auth.log') as f:
    for line in f:
        if 'Accepted password' not in line:
            continue
        m = SYSLOG_TS.match(line)
        if m:
            dt = datetime.strptime(m.group(1), '%b %d %H:%M:%S')
        else:
            m = ISO_TS.match(line)
            if not m:
                continue
            dt = datetime.strptime(m.group(1), '%Y-%m-%dT%H:%M:%S')
        times.append(dt.hour * 3600 + dt.minute * 60 + dt.second)

if not times:
    raise SystemExit("no successful logons found in /var/log/auth.log")

# Transform and detect outliers: with contamination=0.05 the model labels roughly
# 5% of logon times as -1 (anomalous); random_state makes the run reproducible
X = np.array(times).reshape(-1, 1)
model = IsolationForest(contamination=0.05, random_state=0)
outliers = model.fit_predict(X)
unusual_times = [times[i] for i, val in enumerate(outliers) if val == -1]
print(f"Unusual login seconds after midnight: {unusual_times}")

– Deploy ELK's Machine Learning job for "rare" log patterns via the Kibana UI: create an anomaly detection job on the `filebeat-*` index pattern that flags high‑frequency API errors.

What Undercode Say:

  • Logs are evidence, not just noise – treat every log entry as a potential forensic artifact. Implement both centralized collection and local hashing to resist tampering.
  • Automate correlation across sources – manual grep scales poorly. Combine SIEM query languages (KQL, Lucene, SPL) with Sigma rules to catch multi‑stage attacks (e.g., brute‑force → lateral movement → data exfiltration).

Analysis: The cheatsheet bridges foundational CLI commands (Linux/Windows) with advanced cloud, AI, and integrity controls. Modern SOC teams must move beyond “grep errors” to proactive hunting using time‑series anomalies and cross‑device correlation. The provided Python + Isolation Forest example demonstrates how even junior analysts can apply unsupervised ML without a full data science stack. For production, integrate these scripts into cron jobs or SIEM automation rules.

Prediction:

As encrypted traffic and ephemeral containers become ubiquitous, traditional log analysis will shift toward behavioral baselining and federated querying across edge devices. Within two years, most mature organizations will replace static threshold alerts with real‑time vector embeddings of log streams, enabling detection of novel zero‑day patterns without prior signatures. However, the fundamental discipline of structured, timestamped, and forward‑secure logging will remain the non‑negotiable foundation – cloud misconfigurations and deleted logs will cause more breaches than any advanced evasion technique.

IT/Security Reporter URL:

Reported By: Https: – Hackers Feeds