Week 3: Logs & Monitoring

Path: Defensive Operations | Module: 3 of 6

Visibility is Key

You cannot defend what you cannot see. Logs are the digital footprints left behind by every action on a system.

1. Types of Logs

  • System Logs: Kernel events, boot messages, hardware errors. (Linux: /var/log/syslog)
  • Authentication Logs: Who logged in, when, and from where? (Linux: /var/log/auth.log, Windows: Security Event Log)
  • Application Logs: Web server access (Apache/Nginx access logs), database queries.

2. SIEM (Security Information and Event Management)

Reading one log file is easy. Reading 1,000 is impossible. A SIEM aggregates logs from all systems into a single dashboard.

  • Examples: Splunk, ELK Stack (Elasticsearch, Logstash, Kibana), Graylog.

🔬 Lab Exercise: Manual Log Hunting

Objective: Find the intruder.

  1. On your Linux VM, try to SSH into it with the wrong password 5 times.
  2. Open the auth log: sudo less /var/log/auth.log.
  3. Find the entries where "Failed password" appears.
  4. Imagine writing a script to alert you if this happens 100 times in a minute. That's a SIEM!
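The alerting script step 4 asks you to imagine, written out as an added example (not part of the course materials). It parses classic syslog-style sshd lines, groups "Failed password" events by source IP, and flags any IP that exceeds a threshold inside a sliding time window; the log lines are constructed, using documentation IP ranges, and the threshold and window are parameters you can set to 100 and 60 for the lab's rule.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (syslog format, no year field); not real data.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 lab-vm sshd[2201]: Failed password for alice from 192.0.2.10 port 50010 ssh2
Mar  3 10:15:03 lab-vm sshd[2201]: Failed password for alice from 192.0.2.10 port 50010 ssh2
Mar  3 10:15:04 lab-vm sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Mar  3 10:15:05 lab-vm sshd[2201]: Failed password for alice from 192.0.2.10 port 50010 ssh2
Mar  3 10:15:09 lab-vm sshd[2204]: Accepted password for alice from 192.0.2.10 port 50011 ssh2
Mar  3 10:15:20 lab-vm sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
Mar  3 10:15:40 lab-vm sshd[2206]: Failed password for invalid user admin from 198.51.100.7 port 40004 ssh2
Mar  3 10:17:30 lab-vm sshd[2207]: Failed password for alice from 192.0.2.10 port 50012 ssh2
"""

# Matches the sshd "Failed password" message; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(text, year=2024):
    """Return a list of (timestamp, user, source_ip) for each failed login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            stamp = " ".join(m["ts"].split())  # collapse the padded day-of-month
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def find_bursts(events, threshold, window_seconds):
    """Return {ip: peak_count} for IPs with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts

if __name__ == "__main__":
    for ip, n in find_bursts(parse_failures(SAMPLE_AUTH_LOG), 3, 60).items():
        print(f"ALERT: {n} failed SSH logins from {ip} within 60 seconds")
```

Run it against your own log with `parse_failures(open("/var/log/auth.log").read())`; the "Accepted password" line shows why the filter must match the message text, not just the sshd tag.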