Event Logs
What are the common, native Operating System and Application Event Logs used by DFIR Analysts when performing incident investigations?
A question that is typically raised during and post breach investigation is what event logs should be monitored, collected or enabled. The below list aims to provide a cheat sheet of sorts to highlight the common logs that contain forensic evidence and that often can be ingested into a central point, such as a SIEM, to provide contextual information for alerting.
Windows Event Logging
Windows event logs are a useful tool in incident response and digital forensics because they provide a record of events that have occurred on a system. These events can include system-level events such as startup and shutdown, as well as application and service-level events. Examining these logs can help identify potential security incidents, troubleshoot issues, and provide evidence for forensic investigations.
| Log File | File Path | Description |
|---|---|---|
Security | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Contains information about security-related events, such as successful and failed login attempts, access to sensitive resources, and changes to security settings. |
Application | %SystemRoot%\System32\Winevt\Logs\Application.evtx | Contains information about events related to applications, such as errors and warnings. |
System | %SystemRoot%\System32\Winevt\Logs\System.evtx | Contains information about events related to the operating system, such as hardware and software failures, resource utilization, and system updates. |
DNS Server | %SystemRoot%\System32\Dns\Dns.log | Contains information about Domain Name System (DNS) activity, such as requests and responses. |
File Replication Service | %SystemRoot%\debug\Frs\FrsDiag.log | Contains information about the File Replication Service (FRS), which is used to replicate files and folders between domain controllers. |
Internet Information Services (IIS) | %SystemRoot%\System32\LogFiles\W3SVC1\ | Contains information about web server activity, such as requests, responses, and errors. This folder contains multiple log files, including an exYYMMDD.log file for each day, a u_exYYMMDD.log file for each day that contains log data in a different format, and a W3SVC1 folder that contains additional log files. |
PowerShell | %SystemRoot%\System32\Winevt\Logs\Windows PowerShell.evtx | Contains information about PowerShell activity, such as script execution and cmdlet usage. |
Windows PowerShell Operational | %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx | Contains information about the operational state of PowerShell, such as start and stop events and errors. |
Remote Desktop Services | %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Contains information about Remote Desktop Services activity, including Remote Desktop Protocol (RDP) connections and disconnections. |
Windows Management Instrumentation | %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx | Contains information about WMI activity, including WMI queries and method calls. |
Windows Management Instrumentation Provider Operations | %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Operational.evtx | Contains information about the operational state of WMI providers, including start and stop events and errors. |
Windows Defender log | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx | Contains events related to the Windows Defender antivirus software. |
Unix/Linux Event Logging
Linux event logs are a useful tool in incident response and digital forensics because they provide a record of events that have occurred on a system. These events can include system-level events such as startup and shutdown, as well as application and service-level events. Examining these logs can help identify potential security incidents, troubleshoot issues, and provide evidence for forensic investigations.
| Log File | Location | Description |
|---|---|---|
Syslog Messages | Debian
| General messages and info regarding system operations. Predominately an administrative focused log |
Auth.log Secure | Debian
| Authentication logs containing successful and failed logins. sshd process logs are also written here |
Boot.log | Debian
| Contains information about the system's boot process, including details on system initialization tasks, service startup, hardware detection, and kernel messages. |
MacOS Event Logging
MacOS event logs are a useful tool in incident response and digital forensics because they provide a record of events that have occurred on a system. These events can include system-level events such as startup and shutdown, as well as application and service-level events. Examining these logs can help identify potential security incidents, troubleshoot issues, and provide evidence for forensic investigations.
| Log File | File Path | Description |
|---|---|---|
System log | /private/var/log/system.log | Contains events related to system components such as drivers, the kernel, and the startup process. |
Secure log | /private/var/log/secure.log | Contains events related to security-related activities such as login and logout events, as well as successful and failed attempts to access resources. |
Application Firewall log | /private/var/log/appfirewall.log | Contains events related to applications and services running on the system, including events related to the macOS firewall. |
Setup log | /private/var/log/install.log | Contains events related to the installation, removal, and update of software on the system. |
Safari log | /private/var/log/safari/Safari.log | Contains events related to the Safari browser. |
MacOS Server log | /Library/Logs/DiagnosticReports | Contains events related to MacOS Server. |
Resources
Last updated