Security operations · 7 MIN READ · ANDREW BENTLE · MAR 21, 2024 · TAGS: MDR / Tech tools
Here’s your copy of a helpful log guide to make life easier for analysts.
As you can imagine, the Expel security operations center (SOC) uses a lot of logs. So we pulled them all together into a handy quick reference guide for our analysts. Then we decided it might be nice if we shared the list with our readers.
Enjoy.
Web Access Logs
Access logs record the HTTP requests sent to a web server. They're the first logs we reach for in the event of a web server compromise, because they show critical investigative information: the URI string of each request, the status code the server returned (200, 404, 500, etc.), and the requester's source IP. In the common "combined" format they also carry the referer and user agent.
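To show what those fields look like once extracted, here is an added Python example (not from the Expel guide) that parses combined-format access log lines and does the first triage step an analyst would do: count requests per source IP and flag the classic web shell pattern (a POST with a query string to a script that answers 200). The log lines, IPs and paths are constructed for the example; the regex is written for the standard Apache/nginx combined format.

```python
import re
from collections import Counter

# Regex for the Apache/nginx "combined" log format:
# ip ident user [time] "method uri proto" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Mar/2024:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2024:10:02:15 +0000] "GET /wp-login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Mar/2024:10:03:01 +0000] "POST /uploads/shell.php?cmd=id HTTP/1.1" 200 54 "-" "python-requests/2.31"
198.51.100.9 - - [21/Mar/2024:10:03:05 +0000] "POST /uploads/shell.php?cmd=whoami HTTP/1.1" 200 61 "-" "python-requests/2.31"
203.0.113.7 - - [21/Mar/2024:10:04:40 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def parse_combined(text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def triage(text):
    """Return (requests per source IP, list of (ip, uri) requests worth a closer look)."""
    requests_by_ip = Counter()
    suspicious = []
    for rec in parse_combined(text):
        requests_by_ip[rec["ip"]] += 1
        # Heuristic only: a POST carrying a query string to a script that
        # returns 200 is the shape of a web shell being driven.
        if rec["method"] == "POST" and "?" in rec["uri"] and rec["status"] == 200:
            suspicious.append((rec["ip"], rec["uri"]))
    return requests_by_ip, suspicious


if __name__ == "__main__":
    by_ip, flagged = triage(SAMPLE_LOG)
    print(by_ip.most_common())
    for ip, uri in flagged:
        print("suspicious:", ip, uri)
```

The heuristic is deliberately narrow; in a real investigation you would pivot from the flagged source IP back through every request it made, which is exactly what the per-IP counter sets up.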
Apache Logs
Default location Debian:
/var/log/apache2/access.log
Default location Redhat:
Default location Windows:
Default location Mac:
Default location FreeBSD:
Finding logs in non-default location:
Logging can be configured to write to a non-standard location. You can find that location in the Apache configuration files by looking for the CustomLog directive. On Debian the line reads CustomLog ${APACHE_LOG_DIR}/access.log combined: the first argument is the file being written (${APACHE_LOG_DIR} is a variable set in /etc/apache2/envvars, /var/log/apache2 by default) and the second names the log format. Each virtual host can carry its own CustomLog, so check every enabled site file, not only the main config.
For Debian look for /etc/apache2/sites-available/000-default.conf (and anything else linked from /etc/apache2/sites-enabled)
For Redhat look for /etc/httpd/conf/httpd.conf
For Windows look in the Apache install folder for conf\httpd.conf
For Mac look for /etc/apache2/httpd.conf
IIS Logs
Windows Default location:
Finding logs in non-default location:
If IIS isn't logging to the default location you can find the logging location using two IIS config files. You'll need applicationHost.config from %SystemDrive%\Windows\System32\inetsrv\config\applicationHost.config and you'll need the application pool's generated config file from %SystemDrive%\inetpub\temp\appPools\<app-pool-name>\<app-pool-name>.config (the application pool you're looking for is named in the command line arguments of the w3wp.exe process you're investigating, after the -ap switch).
Within the application pool config file look for the logFile tag. The line will look something like this:
<logFile logExtFileFlags="<TRUNCATED>" logFormat="W3C" directory="D:\logs" />
The directory field will tell you where logs are being written. In this case it's the D drive at D:\logs. The same element appears under siteDefaults in applicationHost.config, and an individual site can override it with its own logFile element, so check both.
If your server has more than one site it will write a separate log directory for each site, so you also need to know which site the app pool serves. Look in applicationHost.config for the site tag whose nested application element has applicationPool set to the pool name you want, and take the id value from that site tag. It will look something like this:
<site name="<site-name>" id="7" serverAutoStart="true">
  <application path="/" applicationPool="<app-pool-name>">
Using the id value we can now find the log for this site in D:\logs. In this case the access logs will be located at D:\logs\W3SVC<id-number>, i.e. D:\logs\W3SVC7.
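The lookup just described, as an added Python example that is not part of the Expel guide: it parses constructed fragments of the two config files (the site names, pool names, ids and directories are invented for the example), takes the siteDefaults logFile directory from the app pool config, honours a per-site override, and returns the W3SVC<id> directory for every site the pool serves.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed fragment of <app-pool-name>.config, trimmed to the elements used here.
APP_POOL_CONFIG = r"""<configuration>
  <system.applicationHost>
    <sites>
      <siteDefaults>
        <logFile logFormat="W3C" directory="D:\logs" />
      </siteDefaults>
    </sites>
  </system.applicationHost>
</configuration>"""

# Constructed fragment of applicationHost.config with two sites on two pools.
APPLICATION_HOST_CONFIG = r"""<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1" serverAutoStart="true">
        <application path="/" applicationPool="DefaultAppPool">
          <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
        </application>
      </site>
      <site name="Intranet" id="7" serverAutoStart="true">
        <application path="/" applicationPool="IntranetPool">
          <virtualDirectory path="/" physicalPath="E:\sites\intranet" />
        </application>
        <logFile directory="E:\iislogs" />
      </site>
    </sites>
  </system.applicationHost>
</configuration>"""


def _default_log_dir(pool_root, host_root):
    """siteDefaults/logFile from the pool config, falling back to applicationHost.config."""
    for root in (pool_root, host_root):
        node = root.find(".//siteDefaults/logFile")
        if node is not None and node.get("directory"):
            return node.get("directory")
    return None


def log_dirs_for_pool(app_host_xml, pool_xml, pool_name):
    """Return {site_id: log_directory} for every site whose application runs in pool_name."""
    host = ET.fromstring(app_host_xml)
    pool = ET.fromstring(pool_xml)
    default_dir = _default_log_dir(pool, host)
    result = {}
    for site in host.iter("site"):
        pools = {app.get("applicationPool") for app in site.iter("application")}
        if pool_name not in pools:
            continue
        override = site.find("logFile")          # per-site override, if present
        base = override.get("directory") if override is not None and override.get("directory") else default_dir
        if base is None:
            continue
        site_id = int(site.get("id"))
        # Environment variables such as %SystemDrive% are left unexpanded here;
        # on the host itself os.path.expandvars() would resolve them.
        result[site_id] = str(PureWindowsPath(base) / f"W3SVC{site_id}")
    return result


if __name__ == "__main__":
    print(log_dirs_for_pool(APPLICATION_HOST_CONFIG, APP_POOL_CONFIG, "IntranetPool"))
```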
Tomcat Logs
Default location Debian:
/var/log/tomcat/localhost_access_log.YYYY-MM-DD.txt (packaged installs put the major version in the directory name, e.g. /var/log/tomcat9/)
Default location Windows:
Default location Mac:
Finding logs in non-default location:
If the default directory isn't being used, look for the config file server.xml in the conf directory of the Tomcat install. Inside it you'll find a Valve element with className org.apache.catalina.valves.AccessLogValve; its directory attribute tells you where logs are written (a relative value is relative to the Tomcat base directory, CATALINA_BASE, and it defaults to logs), and the prefix and suffix attributes give you the file name on either side of the date stamp.
Jboss logs
JBoss does not write access logs by default; the access log name is set when access logging is enabled. On every platform the log is written relative to the JBoss log directory, jboss.server.log.dir, under the install location. Usually it will look like one of these:
<JBOSS-install_location>/standalone/log/<custom-name>.log
<JBOSS-install_location>/domain/log/<custom-name>.log
<JBOSS-install_location>\server\default\log\<custom-name>.log
Confluence Logs
Default location Linux:
/opt/atlassian/confluence/logs/conf_access_log<date>.log
<confluence-install-location>/logs/conf_access_log<date>.log
Default location Windows:
A typical install location is C:\Program Files\Atlassian\
Finding logs in non-default location:
Under the hood Confluence runs on a bundled Tomcat server, so the logging config is found the same way as for Tomcat: open <confluence-install-location>/conf/server.xml (by default /opt/atlassian/confluence/conf/server.xml) and look at the directory, prefix and suffix attributes of the AccessLogValve element.
For Windows you can find the server.xml in the install directory <confluence-install-location>\conf\server.xml.
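The Tomcat and Confluence lookups above share one mechanism, so here is a single added Python example (not Atlassian's or Tomcat's code) that reads a constructed server.xml fragment, finds every AccessLogValve, fills in Tomcat's documented defaults for missing attributes, resolves a relative directory against CATALINA_BASE, and returns a glob for the log files. The valve attributes and base paths used are invented for the example.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath, PureWindowsPath

# Constructed server.xml fragment in the shape Tomcat (and Confluence's bundled Tomcat) uses.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8090" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="conf_access_log" suffix=".log"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>"""

ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"


def access_log_globs(server_xml, catalina_base, windows=False):
    """Return one glob per AccessLogValve, e.g. <base>/logs/conf_access_log*.log."""
    root = ET.fromstring(server_xml)
    path_cls = PureWindowsPath if windows else PurePosixPath
    globs = []
    for valve in root.iter("Valve"):          # valves can sit on Engine, Host or Context
        if valve.get("className") != ACCESS_LOG_VALVE:
            continue
        directory = valve.get("directory", "logs")     # Tomcat default
        prefix = valve.get("prefix", "access_log")      # Tomcat default
        suffix = valve.get("suffix", "")                # Tomcat default is empty
        log_dir = path_cls(directory)
        if not log_dir.is_absolute():                   # relative to CATALINA_BASE
            log_dir = path_cls(catalina_base) / log_dir
        # The date stamp (fileDateFormat) sits between prefix and suffix.
        globs.append(str(log_dir / f"{prefix}*{suffix}"))
    return globs


if __name__ == "__main__":
    print(access_log_globs(SERVER_XML, "/opt/atlassian/confluence"))
    print(access_log_globs(SERVER_XML, r"C:\Program Files\Atlassian\Confluence", windows=True))
```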
Nginx Logs
Default location Debian:
Default location Redhat:
Default location Windows:
<nginx-install-location>\logs\access.log
Typically the install location is C:\nginx.
Finding logs in non-default location:
If the nginx logs aren't in their default location, check the nginx config. On Linux distros the main config is /etc/nginx/nginx.conf; on Windows it's <nginx-install-location>\conf\nginx.conf. The logging location is set by the access_log directive, which can appear in the http, server and location contexts, so a single virtual host can log somewhere different from the global setting (or disable logging with access_log off). The main file usually pulls in further files with include directives (for example /etc/nginx/conf.d/*.conf or /etc/nginx/sites-enabled/*), so check those too.
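Both the Apache and the nginx lookups come down to the same thing: walk the config, follow includes, collect the log directive. This added Python example (not from the Expel guide) does that for both servers over a dict of constructed config files standing in for the filesystem. It expands ${APACHE_LOG_DIR} from a hand-supplied environment (on a real Debian host you would read /etc/apache2/envvars), resolves relative paths against /etc/apache2 and /etc/nginx respectively, skips nginx's access_log off and Apache piped loggers, and avoids include loops. The file contents, paths and log locations are invented for the example.

```python
import re
from fnmatch import fnmatch
from string import Template

# Constructed config "files" keyed by path; a dict stands in for the filesystem so this runs offline.
APACHE_FILES = {
    "/etc/apache2/apache2.conf": """\
ErrorLog ${APACHE_LOG_DIR}/error.log
IncludeOptional sites-enabled/*.conf
""",
    "/etc/apache2/sites-enabled/000-default.conf": """\
<VirtualHost *:80>
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
""",
    "/etc/apache2/sites-enabled/intranet.conf": """\
<VirtualHost *:80>
    ServerName intranet.example
    CustomLog /srv/intranet/logs/access.log combined
</VirtualHost>
""",
}
APACHE_ENV = {"APACHE_LOG_DIR": "/var/log/apache2"}   # normally sourced from /etc/apache2/envvars

NGINX_FILES = {
    "/etc/nginx/nginx.conf": """\
http {
    access_log /var/log/nginx/access.log;
    include /etc/nginx/conf.d/*.conf;
}
""",
    "/etc/nginx/conf.d/api.conf": """\
server {
    listen 8080;
    access_log /data/logs/api.log main;
    location /health {
        access_log off;
    }
}
""",
}

# server -> (log directive regex, include directive regex, base for relative paths)
SERVERS = {
    "apache": (re.compile(r"^\s*CustomLog\s+(\S+)", re.I | re.M),
               re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.I | re.M),
               "/etc/apache2"),          # ServerRoot on Debian
    "nginx": (re.compile(r"^\s*access_log\s+(\S+)", re.M),
              re.compile(r"^\s*include\s+(\S+)\s*;", re.M),
              "/etc/nginx"),             # nginx configuration prefix on Debian
}


def find_access_logs(files, entry, server, env=None, _seen=None):
    """Collect every access-log path reachable from `entry`, following include directives."""
    log_re, inc_re, root = SERVERS[server]
    seen = _seen if _seen is not None else set()
    if entry in seen or entry not in files:      # loop guard / missing optional include
        return []
    seen.add(entry)
    text = files[entry]
    found = []
    for raw in log_re.findall(text):
        raw = raw.rstrip(";").strip('"')
        if raw == "off" or raw.startswith("|"):  # nginx 'access_log off'; Apache piped logger
            continue
        path = Template(raw).safe_substitute(env or {})   # expand ${APACHE_LOG_DIR} and friends
        if not path.startswith("/"):
            path = f"{root}/{path}"
        found.append(path)
    for pattern in inc_re.findall(text):
        pattern = pattern.strip('"')
        if not pattern.startswith("/"):
            pattern = f"{root}/{pattern}"
        for other in sorted(files):
            if fnmatch(other, pattern):
                found.extend(find_access_logs(files, other, server, env, seen))
    return found


if __name__ == "__main__":
    print(find_access_logs(APACHE_FILES, "/etc/apache2/apache2.conf", "apache", APACHE_ENV))
    print(find_access_logs(NGINX_FILES, "/etc/nginx/nginx.conf", "nginx"))
```

On a live host you would replace the dict with real file reads (glob.glob on the include pattern), but the logic is the same: the answer is the union of every log directive reachable from the main config, not just the first one you see.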
Windows event logs
Windows event logs can be a treasure trove of forensic information. The security event log Security.evtx is one of the most-used log files in the Expel SOC, but other log files like System.evtx and Application.evtx can sometimes be put to good use.
Security.evtx holds a lot of valuable information, but one of the most common reasons for collecting this log is to get authentication info from event IDs 4624 (successful logon) and 4625 (failed logon). The LogonType field in those events tells you how the logon happened (for example 3 for network, 10 for RDP), which matters when you're deciding whether a logon came from elsewhere on the network.
Event logs
Windows 2000, Windows XP:
Windows 7-11:
Windows Server 2003:
Windows Server 2008 and newer:
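Once Security.evtx has been exported to XML (for example with wevtutil qe Security "/q:*[System[(EventID=4624 or EventID=4625)]]" /f:xml, whose output you wrap in a root element because wevtutil emits bare Event elements), the 4624/4625 fields the paragraph above refers to can be pulled out with the standard library. This is an added Python example, not Microsoft's or Expel's code; the two events are constructed with invented hostnames, users and IPs, and the logon type names follow the documented Windows values.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed events in the shape `wevtutil qe Security /f:xml` emits, wrapped in a root element.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2024-03-21T09:57:50.0000000Z"/><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">administrator</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data><Data Name="IpAddress">10.20.30.40</Data>
    <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-03-21T09:58:02.1234567Z"/><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">10</Data><Data Name="IpAddress">10.20.30.40</Data>
    <Data Name="WorkstationName">ATTACKER-PC</Data>
  </EventData>
</Event>
</Events>"""

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}


def parse_logon_events(xml_text):
    """Return a list of normalised dicts for every 4624/4625 event in the XML."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in (4624, 4625):
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        logon_type = int(data.get("LogonType", "0"))
        events.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "computer": ev.findtext("e:System/e:Computer", namespaces=NS),
            "event_id": event_id,
            "outcome": "success" if event_id == 4624 else "failure",
            "user": f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
            "logon_type": LOGON_TYPES.get(logon_type, str(logon_type)),
            "source_ip": data.get("IpAddress", "-"),
            "workstation": data.get("WorkstationName", "-"),
            "status": data.get("Status", "-"),      # NTSTATUS on 4625, e.g. 0xc000006d = bad user/password
        })
    return events


def by_source(events):
    """Count failures and successes per source IP: failures followed by a success is the pattern to chase."""
    summary = defaultdict(lambda: {"failure": 0, "success": 0})
    for ev in events:
        summary[ev["source_ip"]][ev["outcome"]] += 1
    return dict(summary)


if __name__ == "__main__":
    evs = parse_logon_events(SAMPLE_EVENTS)
    for ev in evs:
        print(ev["time"], ev["event_id"], ev["user"], ev["logon_type"], ev["source_ip"])
    print(by_source(evs))
```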
Browser History Files
Browser history files can be used to determine what website a malicious file was downloaded from (if it was downloaded through a browser). EDR tools and firewalls don't always capture the URL or domain name that a file was downloaded from, but browser history is an easy way to determine where a user got a file.
Browser history files are simple SQLite databases that can be opened in free tools like DB Browser for SQLite (DB4S). Copy the file before opening it: a running browser keeps its history database locked.
Chrome
Windows default location:
Linux default location:
Mac default location:
Edge
Windows default location:
Mac default location:
Firefox
Windows default location:
Linux default location:
Mac default location:
Safari
Mac default location:
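As an added Python example (not from the Expel guide) of the download-origin lookup described above: Chrome's History database keeps each download's target path in the downloads table and the redirect chain it came through in downloads_url_chains, with timestamps as microseconds since 1601-01-01 (the WebKit epoch). The example builds an in-memory database with just those columns of Chrome's schema and constructed rows (the paths, URLs and times are invented), then answers "where did invoice.zip come from?".

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds):
    """Chrome stores times as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def build_sample_history():
    """In-memory DB with the subset of Chrome's History schema used here; rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE downloads (
            id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
            received_bytes INTEGER, total_bytes INTEGER, tab_url TEXT, referrer TEXT);
        CREATE TABLE downloads_url_chains (
            id INTEGER, chain_index INTEGER, url TEXT, PRIMARY KEY (id, chain_index));
        CREATE TABLE urls (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER, last_visit_time INTEGER);
    """)
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?,?)", [
        (1, r"C:\Users\jdoe\Downloads\invoice.zip", 13355287331000000, 48211, 48211,
         "https://mail.example/inbox", "https://mail.example/inbox"),
    ])
    db.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://short.example/x9"),            # what the user clicked
        (1, 1, "https://files.example/invoice.zip"),   # where the redirect landed
    ])
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://mail.example/inbox", "Inbox", 12, 13355287300000000),
    ])
    return db


def download_origins(db, filename):
    """For each download whose target path ends in filename, return its URL chain, referring page and start time."""
    rows = db.execute(
        "SELECT id, target_path, start_time, tab_url, referrer FROM downloads WHERE target_path LIKE ?",
        (f"%{filename}",)).fetchall()
    results = []
    for download_id, target, start, tab_url, referrer in rows:
        chain = [url for (url,) in db.execute(
            "SELECT url FROM downloads_url_chains WHERE id = ? ORDER BY chain_index", (download_id,))]
        results.append({
            "target": target,
            "started": webkit_to_datetime(start).isoformat(),
            "chain": chain,
            "final_url": chain[-1] if chain else None,
            "tab_url": tab_url,        # page open in the tab when the download started
            "referrer": referrer,
        })
    return results


if __name__ == "__main__":
    for hit in download_origins(build_sample_history(), "invoice.zip"):
        print(hit)
```

Against a real copy of the History file, replace the in-memory connection with sqlite3.connect("History"). Firefox keeps the equivalent data in places.sqlite (moz_places and moz_historyvisits, with visit_date in microseconds since the Unix epoch), so the time conversion differs there.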
Linux Logs
Linux can seem a bit scary and complex to investigate, but when it comes to logging it's actually pretty simple. You don't need any special software; all of these files can be opened in a text editor. One caveat: on systemd-based distros the journal (read with journalctl) may be the only copy if rsyslog isn't installed, in which case the text files below won't exist.
Authentication Logs
Authentication logs show user logons, which is especially useful for tracking which user had assumed "root" at a given time (su and sudo both log here).
Debian default location:
RedHat default location:
FreeBSD default location:
Syslog / Messages log
The syslog or messages log file can contain information about cron jobs, services, daemons, kernel messages, and more. This log collects a little bit of everything.
Debian default location:
RedHat default location:
FreeBSD default location:
Cron Job Logs
Cron is the most common scheduler attackers use to establish persistence on a Linux system. Cron logs can seem a bit superfluous, given that cron is usually logged to the syslog/messages log, but like everything in Linux, cron logging is highly configurable. If you don't see cron entries in the syslog, it's worth checking for a dedicated cron log.
Debian default location:
/var/log/cron (only present if rsyslog has a cron.* rule enabled; the stock Debian config comments that rule out and sends cron to syslog)
/var/log/syslog
RedHat default location:
/var/log/cron
/var/log/messages
FreeBSD default location:
/var/cron/log
/var/cron/olog
/var/log/messages
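The authentication and cron sections above both deal with lines in traditional syslog format, so one added Python example (not from the Expel guide) serves both: it parses the syslog envelope, then classifies sshd accept/fail messages, sudo and su escalations, and cron CMD/REPLACE entries, and pulls out everyone who became root. The hostnames, users, IPs and commands in the sample lines are constructed; the message formats follow what OpenSSH, sudo, util-linux su and Vixie/cronie cron write on Debian and Red Hat.

```python
import re

# Syslog envelope: "Mar 21 10:02:11 host prog[pid]: message" (ISO timestamps from rsyslog's
# high-precision format are accepted too).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\S+) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Constructed auth.log / secure lines.
SAMPLE_AUTH = """\
Mar 21 10:02:11 web01 sshd[2231]: Failed password for root from 198.51.100.9 port 51122 ssh2
Mar 21 10:02:14 web01 sshd[2231]: Failed password for root from 198.51.100.9 port 51122 ssh2
Mar 21 10:02:20 web01 sshd[2235]: Failed password for invalid user admin from 198.51.100.9 port 51130 ssh2
Mar 21 10:02:40 web01 sshd[2240]: Accepted publickey for deploy from 203.0.113.7 port 40010 ssh2: ED25519 SHA256:abc
Mar 21 10:03:05 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar 21 10:03:05 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by deploy(uid=1001)
Mar 21 10:05:30 web01 su[2299]: (to root) www-data on pts/1
"""

# Constructed cron log lines (Debian logs as CRON, Red Hat as crond; crontab edits log as crontab).
SAMPLE_CRON = """\
Mar 21 10:05:55 web01 crontab[2305]: (www-data) REPLACE (www-data)
Mar 21 10:10:01 web01 CRON[2310]: (www-data) CMD (/tmp/.x/update.sh)
Mar 21 10:10:01 web01 CRON[2311]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
"""

SSH_RE = re.compile(r"^(Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port (\d+)")
SUDO_RE = re.compile(r"^(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
SU_RE = re.compile(r"^\(to (\S+)\) (\S+) on (\S+)")
CRON_RE = re.compile(r"^\((\S+)\) (CMD|REPLACE) \((.*)\)$")


def parse_syslog(text):
    """Yield the envelope fields of every line that parses; other lines are skipped."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["prog"] = rec["prog"].strip()
            rec["msg"] = rec["msg"].strip()
            yield rec


def extract_events(text):
    """Turn auth and cron lines into a flat list of typed events."""
    events = []
    for rec in parse_syslog(text):
        prog, msg = rec["prog"].lower(), rec["msg"]
        ev = None
        if prog == "sshd" and (m := SSH_RE.match(msg)):
            ev = {"type": "ssh_" + m[1].lower(), "user": m[3], "src": m[4], "method": m[2]}
        elif prog == "sudo" and (m := SUDO_RE.match(msg)):
            ev = {"type": "sudo", "user": m[1], "target": m[2], "cmd": m[3]}
        elif prog == "su" and (m := SU_RE.match(msg)):
            ev = {"type": "su", "user": m[2], "target": m[1], "tty": m[3]}
        elif prog in ("cron", "crond", "crontab") and (m := CRON_RE.match(msg)):
            ev = {"type": "cron_" + m[2].lower(), "user": m[1], "cmd": m[3].strip()}
        if ev:
            ev.update(ts=rec["ts"], host=rec["host"])
            events.append(ev)
    return events


def root_escalations(events):
    """Who became root, and how."""
    return [e for e in events if e["type"] in ("sudo", "su") and e["target"] == "root"]


if __name__ == "__main__":
    all_events = extract_events(SAMPLE_AUTH + SAMPLE_CRON)
    for e in all_events:
        print(e)
    print("root via:", [(e["ts"], e["type"], e["user"]) for e in root_escalations(all_events)])
```

A crontab REPLACE by a service account followed minutes later by a CMD running something out of /tmp, as in the constructed lines, is the cron persistence pattern the paragraph above is warning about.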
Shell History Logs
Shell history logs are one of the most valuable investigative logs when it comes to Linux systems. Shell history records user-run commands and, given how command-line heavy Linux can be, it's likely that shell history will record at least some of the actions taken by an attacker. Two caveats: by default the history file is only written when the shell exits, so a still-open session has nothing on disk yet, and an attacker who unsets HISTFILE or truncates the file leaves a gap rather than evidence.
Bash Shell History
These files are hidden by default, so make sure you enable hidden files when searching for them.
Debian default location:
RedHat default location:
ZSH Shell History
These files are hidden by default, so make sure you enable hidden files when searching for them.
Debian default location:
RedHat default location:
TCSH Shell History
These files are hidden by default, so make sure you enable hidden files when searching for them.
FreeBSD default location:
References:
Apache Logs
- https://www.loggly.com/use-cases/how-to-monitor-your-apache-logs/
- https://sematext.com/blog/apache-logs/#apache-access-logs-location
- https://exampleconfig.com/view/apache-ubuntu20-04-etc-apache2-sites-available-000-default-conf
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-apache-config
- https://httpd.apache.org/docs/2.4/platform/windows.html
Tomcat logs
- https://www.loggly.com/use-cases/monitoring-and-troubleshooting-tomcat-logs/
- https://linuxhint.com/view-tomcat-logs-linux/
- https://sematext.com/blog/tomcat-logs/#:~:text=Tomcat%20Logs%20Location,-The%20location%20of&text=log%20.,%7Bver%7D%5Clogs%5Ccatalina.
JBOSS logs
- https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.2/html/administration_and_configuration_guide/default_log_file_locations
- https://docs.cyberark.com/AAM-CP/10.10/en/Content/CP%20and%20ASCP/Logging-in-JBoss.htm
Confluence logs
- https://confluence.atlassian.com/doc/configure-access-logs-1044780567.html
- https://support.atlassian.com/organization-administration/docs/configure-required-connections-and-upstream-ports/
Nginx logs
- https://docs.splunk.com/Documentation/AddOns/released/NGINX/Setupv2#:~:text=By%20default%2C%20the%20access%20log,%2Fetc%2Fnginx%2Fnginx.
- https://semicolon.dev/webdev/where-is-nginx.conf#:~:text=On%20Windows%20systems%2C%20the%20default,conf.
- https://forum.nginx.org/read.php?11,227324,227370
Browser History
- https://www.foxtonforensics.com/browser-history-examiner/chrome-history-location
- https://www.foxtonforensics.com/browser-history-examiner/microsoft-edge-history-location
- https://www.foxtonforensics.com/browser-history-examiner/firefox-history-location
- https://www.foxtonforensics.com/blog/post/analysing-safari-browser-history
Linux Logs