Event Logs
What are the common, native Operating System and Application Event Logs used by DFIR Analysts when performing incident investigations?
A question that is typically raised during and after a breach investigation is which event logs should be monitored, collected or enabled. The list below aims to provide a cheat sheet of sorts, highlighting the common logs that contain forensic evidence and that can often be ingested into a central point, such as a SIEM, to provide contextual information for alerting.
Windows Event Logging
Windows event logs are a useful tool in incident response and digital forensics because they provide a record of events that have occurred on a system. These events can include system-level events such as startup and shutdown, as well as application and service-level events. Examining these logs can help identify potential security incidents, troubleshoot issues, and provide evidence for forensic investigations.
Security
%SystemRoot%\System32\Winevt\Logs\Security.evtx
Contains information about security-related events, such as successful and failed login attempts, access to sensitive resources, and changes to security settings.
Application
%SystemRoot%\System32\Winevt\Logs\Application.evtx
Contains information about events related to applications, such as errors and warnings.
System
%SystemRoot%\System32\Winevt\Logs\System.evtx
Contains information about events related to the operating system, such as hardware and software failures, resource utilization, and system updates.
DNS Server
%SystemRoot%\System32\Dns\Dns.log
Contains information about Domain Name System (DNS) activity, such as requests and responses.
File Replication Service
%SystemRoot%\debug\Frs\FrsDiag.log
Contains information about the File Replication Service (FRS), which is used to replicate files and folders between domain controllers.
Internet Information Services (IIS)
%SystemRoot%\System32\LogFiles\W3SVC1\
Contains information about web server activity, such as requests, responses, and errors. The folder holds multiple log files: an exYYMMDD.log file for each day, a u_exYYMMDD.log file for each day that contains the log data in a different format, and a W3SVC1 folder that contains additional log files.
PowerShell
%SystemRoot%\System32\Winevt\Logs\Windows PowerShell.evtx
Contains information about PowerShell activity, such as script execution and cmdlet usage.
Windows PowerShell Operational
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
Contains information about the operational state of PowerShell, such as start and stop events and errors.
Remote Desktop Services
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
Contains information about Remote Desktop Services activity, including Remote Desktop Protocol (RDP) connections and disconnections.
Windows Management Instrumentation
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx
Contains information about WMI activity, including WMI queries and method calls.
Windows Management Instrumentation Provider Operations
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Operational.evtx
Contains information about the operational state of WMI providers, including start and stop events and errors.
Windows Defender log
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx
Contains events related to the Windows Defender antivirus software.
Unix/Linux Event Logging
Linux event logs are a useful tool in incident response and digital forensics because they provide a record of events that have occurred on a system. These events can include system-level events such as startup and shutdown, as well as application and service-level events. Examining these logs can help identify potential security incidents, troubleshoot issues, and provide evidence for forensic investigations.
Syslog Messages
Debian: /var/log/syslog
Redhat: /var/log/messages
General messages and information regarding system operations. Predominantly an administration-focused log.
Auth.log / Secure
Debian: /var/log/auth.log
Redhat: /var/log/secure
Authentication logs containing successful and failed logins. sshd process logs are also written here.
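As an added example (not part of the original cheat sheet), the following Python parses sshd entries from auth.log/secure-style lines and flags a source that logs repeated failures followed by an accepted login, the kind of check a SIEM rule over this log would implement. The log lines are constructed samples, and the failure threshold of 5 is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sshd writes to /var/log/auth.log (Debian)
# or /var/log/secure (Redhat). Synthetic examples for the demonstration only.
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 08:01:15 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 10 08:01:19 web01 sshd[2215]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar 10 08:01:23 web01 sshd[2218]: Failed password for root from 203.0.113.45 port 51052 ssh2
Mar 10 08:01:27 web01 sshd[2221]: Failed password for root from 203.0.113.45 port 51060 ssh2
Mar 10 08:01:31 web01 sshd[2224]: Accepted password for root from 203.0.113.45 port 51066 ssh2
Mar 10 08:05:02 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2: ED25519 SHA256:placeholder
Mar 10 08:06:40 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 08:07:11 web01 sshd[2310]: Failed password for invalid user test from 192.0.2.9 port 60001 ssh2
"""

# Matches the sshd "Accepted ..." / "Failed ..." login lines; "invalid user" is optional.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_sshd_events(text):
    """Return one dict per sshd login event; non-sshd lines (e.g. sudo) are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def find_bruteforce_then_success(events, threshold=5):
    """Flag a source whose accepted login follows >= threshold failures from that source."""
    failures = defaultdict(int)
    alerts = []
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif failures[ev["src"]] >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures_before_success": failures[ev["src"]]})
    return alerts

if __name__ == "__main__":
    for alert in find_bruteforce_then_success(parse_sshd_events(SAMPLE_AUTH_LOG)):
        print(f"ALERT: {alert['src']} logged in as {alert['user']} "
              f"after {alert['failures_before_success']} failures")
```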
Boot.log
Debian: /var/log/boot.log
Redhat: /var/log/messages
Contains information about the system's boot process, including details on system initialization tasks, service startup, hardware detection, and kernel messages.
MacOS Event Logging
MacOS event logs are a useful tool in incident response and digital forensics because they provide a record of events that have occurred on a system. These events can include system-level events such as startup and shutdown, as well as application and service-level events. Examining these logs can help identify potential security incidents, troubleshoot issues, and provide evidence for forensic investigations.
System log
/private/var/log/system.log
Contains events related to system components such as drivers, the kernel, and the startup process.
Secure log
/private/var/log/secure.log
Contains events related to security-related activities such as login and logout events, as well as successful and failed attempts to access resources.
Application Firewall log
/private/var/log/appfirewall.log
Contains events related to applications and services running on the system, including events related to the macOS firewall.
Setup log
/private/var/log/install.log
Contains events related to the installation, removal, and update of software on the system.
Safari log
/private/var/log/safari/Safari.log
Contains events related to the Safari browser.
MacOS Server log
/Library/Logs/DiagnosticReports
Contains events related to MacOS Server.