
# Event Logs

A question that typically comes up during and after a breach investigation is which event logs should be enabled, monitored and collected. The lists below are a cheat sheet of the common logs that contain forensic evidence and that can usually be ingested into a central point, such as a SIEM, to provide context for alerting.

## Windows Event Logging

Windows event logs are a useful tool in incident response and digital forensics because they provide a record of events that have occurred on a system. These events can include system-level events such as startup and shutdown, as well as application and service-level events. Examining these logs can help identify potential security incidents, troubleshoot issues, and provide evidence for forensic investigations.

<table><thead><tr><th width="167.33333333333331">Log File</th><th>File Path</th><th>Description</th></tr></thead><tbody><tr><td>Security</td><td>%SystemRoot%\System32\Winevt\Logs\Security.evtx</td><td>Contains information about security-related events, such as successful and failed login attempts, access to sensitive resources, and changes to security settings.</td></tr><tr><td>Application</td><td>%SystemRoot%\System32\Winevt\Logs\Application.evtx</td><td>Contains information about events related to applications, such as errors and warnings.</td></tr><tr><td>System</td><td>%SystemRoot%\System32\Winevt\Logs\System.evtx</td><td>Contains information about events related to the operating system, such as hardware and software failures, resource utilization, and system updates.</td></tr><tr><td>DNS Server</td><td>%SystemRoot%\System32\Dns\Dns.log</td><td>Contains information about Domain Name System (DNS) activity, such as requests and responses.</td></tr><tr><td>File Replication Service</td><td>%SystemRoot%\debug\Frs\FrsDiag.log</td><td>Contains information about the File Replication Service (FRS), which is used to replicate files and folders between domain controllers.</td></tr><tr><td>Internet Information Services (IIS)</td><td>%SystemRoot%\System32\LogFiles\W3SVC1\</td><td>Contains information about web server activity, such as requests, responses, and errors. This folder contains multiple log files, including an exYYMMDD.log file for each day, a u_exYYMMDD.log file for each day that contains log data in a different format, and a W3SVC1 folder that contains additional log files.</td></tr><tr><td>PowerShell</td><td>%SystemRoot%\System32\Winevt\Logs\Windows PowerShell.evtx</td><td>Contains information about PowerShell activity, such as script execution and cmdlet usage.</td></tr><tr><td>Windows PowerShell Operational</td><td>%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx</td><td>Contains information about the operational state of PowerShell, such as start and stop events and errors.</td></tr><tr><td>Remote Desktop Services</td><td>%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx</td><td>Contains information about Remote Desktop Services activity, including Remote Desktop Protocol (RDP) connections and disconnections.</td></tr><tr><td>Windows Management Instrumentation</td><td>%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx</td><td>Contains information about WMI activity, including WMI queries and method calls.</td></tr><tr><td>Windows Management Instrumentation Provider Operations</td><td>%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Operational.evtx</td><td>Contains information about the operational state of WMI providers, including start and stop events and errors.</td></tr><tr><td>Windows Defender log</td><td>C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx</td><td>Contains events related to the Windows Defender antivirus software.</td></tr></tbody></table>
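The IIS row above points at plain-text W3C extended logs rather than `.evtx` channels, so they are the easiest Windows log on this list to triage offline. The following is an added example, not code from the original page or from the DarkCybe project: a parser for IIS W3C log lines that honours the `#Fields:` directive (IIS writes a new one whenever the field selection changes mid-file), treats `-` as "not logged", keeps malformed lines for review instead of dropping them, and then counts error responses per client so a responder can pivot on noisy addresses. The log content, host and client addresses are constructed sample data.

```python
# Added example: parse IIS W3C extended log lines (the exYYMMDD.log / u_exYYMMDD.log
# files under %SystemRoot%\System32\LogFiles\W3SVC1\) and summarise error responses
# per client. Not part of the original page; all sample data below is constructed.
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample. IIS emits a fresh "#Fields:" directive when logging restarts or
# the selected fields change, so a parser must track the most recent one, not the first.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 00:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 15
2024-01-15 00:00:02 10.0.0.5 GET /admin.php - 80 - 198.51.100.9 curl/8.0 404 0 2 3
2024-01-15 00:00:02 10.0.0.5 GET /wp-login.php - 80 - 198.51.100.9 curl/8.0 404 0 2 2
2024-01-15 00:00:03 10.0.0.5 GET /.env - 80 - 198.51.100.9 curl/8.0 404 0 2 2
2024-01-15 00:00:04 10.0.0.5 POST /api/login - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 40
this line is deliberately malformed
#Fields: date time s-ip cs-method cs-uri-stem sc-status c-ip
2024-01-15 00:00:05 10.0.0.5 GET /uploads/x.aspx 500 198.51.100.9
"""

Record = Dict[str, Optional[str]]


def parse_w3c(lines: Iterable[str], malformed: Optional[List[str]] = None) -> Iterator[Record]:
    """Yield one dict per data line, keyed by the names in the current #Fields directive.
    A '-' value means the field was not logged and becomes None. Lines whose token count
    does not match the directive are appended to `malformed` (if given) rather than lost."""
    fields: Optional[List[str]] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no records
        values = line.split(" ")  # IIS encodes spaces inside values as '+'
        if fields is None or len(values) != len(fields):
            if malformed is not None:
                malformed.append(line)
            continue
        yield {name: (None if v == "-" else v) for name, v in zip(fields, values)}


def error_counts(records: Iterable[Record]) -> Counter:
    """Count responses with sc-status >= 400 per client address (c-ip)."""
    counts: Counter = Counter()
    for rec in records:
        status, client = rec.get("sc-status"), rec.get("c-ip")
        if status is None or client is None or not status.isdigit():
            continue
        if int(status) >= 400:
            counts[client] += 1
    return counts


def noisy_clients(log_text: str, threshold: int = 4) -> List[str]:
    """Clients with at least `threshold` error responses, most active first.
    A run of 404s from one address is a common sign of path enumeration and is
    worth pivoting on in the Security log and firewall logs."""
    counts = error_counts(parse_w3c(log_text.splitlines()))
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    bad: List[str] = []
    recs = list(parse_w3c(SAMPLE_IIS_LOG.splitlines(), malformed=bad))
    print(f"{len(recs)} records parsed, {len(bad)} malformed line(s) kept for review")
    for ip, n in error_counts(recs).most_common():
        print(f"{ip}: {n} error responses")
```

Run against a real file with `parse_w3c(open(path, encoding="utf-8"))`; the `u_ex` files are UTF-8, which is what the `u_` prefix denotes. The threshold in `noisy_clients` is deliberately a parameter: what counts as noisy depends on the site's normal 404 rate, so calibrate it against a quiet day's log before using it for alerting.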

## Unix/Linux Event Logging

Linux logs serve the same purpose in incident response and digital forensics: they record system-level events such as boot and shutdown, authentication activity, and application and service events. File locations differ between Debian-based and Red Hat-based distributions, so both are given below.

<table><thead><tr><th width="149">Log File</th><th>Location</th><th>Description</th></tr></thead><tbody><tr><td>Syslog<br>Messages</td><td><strong>Debian</strong><br><code>/var/log/syslog</code><br><strong>Redhat</strong><br><code>/var/log/messages</code></td><td>General messages and information regarding system operations. Predominantly an administration-focused log.</td></tr><tr><td>Auth.log<br>Secure</td><td><strong>Debian</strong><br><code>/var/log/auth.log</code><br><strong>Redhat</strong><br><code>/var/log/secure</code></td><td>Authentication logs containing successful and failed logins. sshd process logs are also written here.</td></tr><tr><td>Boot.log</td><td><strong>Debian</strong><br><code>/var/log/boot.log</code><br><strong>Redhat</strong><br><code>/var/log/messages</code></td><td>Contains information about the system's boot process, including details on system initialization tasks, service startup, hardware detection, and kernel messages.</td></tr></tbody></table>
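The auth.log/secure row is where sshd writes its login outcomes, and the question a responder asks first is "which source addresses failed repeatedly and then got in?". The following is an added example, not code from the original page or from the DarkCybe project: it parses the classic syslog line layout shared by Debian's `/var/log/auth.log` and Red Hat's `/var/log/secure`, extracts sshd `Accepted`/`Failed` events, and flags any source that was accepted after a run of failures. The log lines, hostname and addresses are constructed sample data.

```python
# Added example: triage sshd entries in a syslog-format authentication log
# (Debian /var/log/auth.log, Red Hat /var/log/secure). Not part of the original
# page; all sample lines below are constructed.
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List

# Constructed sample in the classic syslog layout. Note the timestamp carries no
# year; real collection has to supply it from file metadata or rotation dates.
SAMPLE_AUTH_LOG = """\
Jan 15 10:23:45 web01 sshd[1234]: Failed password for invalid user admin from 198.51.100.9 port 51234 ssh2
Jan 15 10:23:47 web01 sshd[1236]: Failed password for root from 198.51.100.9 port 51236 ssh2
Jan 15 10:23:49 web01 sshd[1238]: Failed password for root from 198.51.100.9 port 51240 ssh2
Jan 15 10:24:01 web01 sshd[1240]: Accepted publickey for deploy from 203.0.113.7 port 40000 ssh2: ED25519 SHA256:constructedfingerprint
Jan 15 10:24:30 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 15 10:25:02 web01 sshd[1250]: Accepted password for root from 198.51.100.9 port 51300 ssh2
Jan 15 10:25:03 web01 CRON[1255]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "Mon DD HH:MM:SS host program[pid]: message" (pid is optional, e.g. sudo lines)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# sshd login outcome messages; "invalid user" marks a username that does not exist
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def ssh_events(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield normalised sshd login events; other programs and non-login sshd noise are skipped."""
    for raw in lines:
        m = SYSLOG_RE.match(raw.rstrip("\n"))
        if not m or m.group("prog") != "sshd":
            continue
        s = SSHD_RE.match(m.group("msg"))
        if not s:
            continue  # disconnects, key exchange, etc. are not login outcomes
        yield {
            "ts": m.group("ts"),
            "host": m.group("host"),
            "result": s.group("result").lower(),
            "method": s.group("method"),
            "user": s.group("user"),
            "invalid_user": bool(s.group("invalid")),
            "src": s.group("src"),
        }


def triage(log_text: str, threshold: int = 3) -> Dict[str, Dict[str, object]]:
    """Per-source summary: failure count, usernames tried, and any accepted login
    that followed `threshold` or more failures from the same address."""
    summary = defaultdict(lambda: {"failures": 0, "users": set(), "accepted_after_failures": []})
    for ev in ssh_events(log_text.splitlines()):
        entry = summary[ev["src"]]
        if ev["result"] == "failed":
            entry["failures"] += 1
            entry["users"].add(ev["user"])
        elif entry["failures"] >= threshold:  # accepted after a run of failures
            entry["accepted_after_failures"].append((ev["ts"], ev["user"], ev["method"]))
    return dict(summary)


def sources_to_investigate(log_text: str, threshold: int = 3) -> List[str]:
    """Addresses that eventually logged in after repeated failures, in sorted order."""
    return sorted(src for src, e in triage(log_text, threshold).items() if e["accepted_after_failures"])


if __name__ == "__main__":
    for src, e in triage(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {e['failures']} failures, users={sorted(e['users'])}, "
              f"accepted_after_failures={e['accepted_after_failures']}")
```

On a live Red Hat host, `/var/log/secure` is readable only by root, so copy it out with preserved timestamps rather than opening it in place. The same parser reads both distributions' files because the syslog header and sshd's message text are identical; only the path differs.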

## MacOS Event Logging

MacOS keeps its traditional text logs under /private/var/log. They record system, security, installation and application events and are examined for the same purposes as the Windows and Linux logs above.

<table><thead><tr><th width="207.33333333333331">Log File</th><th>File Path</th><th>Description</th></tr></thead><tbody><tr><td>System log</td><td>/private/var/log/system.log</td><td>Contains events related to system components such as drivers, the kernel, and the startup process.</td></tr><tr><td>Secure log</td><td>/private/var/log/secure.log</td><td>Contains events related to security-related activities such as login and logout events, as well as successful and failed attempts to access resources.</td></tr><tr><td>Application Firewall log</td><td>/private/var/log/appfirewall.log</td><td>Contains events related to applications and services running on the system, including events related to the macOS firewall.</td></tr><tr><td>Setup log</td><td>/private/var/log/install.log</td><td>Contains events related to the installation, removal, and update of software on the system.</td></tr><tr><td>Safari log</td><td>/private/var/log/safari/Safari.log</td><td>Contains events related to the Safari browser.</td></tr><tr><td>MacOS Server log</td><td>/Library/Logs/DiagnosticReports</td><td>Contains events related to MacOS Server.</td></tr></tbody></table>

## Resources

1. [Microsoft documentation on Windows event logs](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-logs-overview)
2. [SANS Institute's guide on using Windows event logs in incident response](https://www.sans.org/reading-room/whitepapers/incident/windows-event-logs-incident-response-34375)
3. [Digital Forensics Solutions' blog post on using Windows event logs in forensic investigations](https://www.digitalforensicssolutions.com/blog/windows-event-logs-in-forensic-investigations/)
4. [Tripwire's blog post on using Windows event logs to detect security breaches](https://www.tripwire.com/state-of-security/security-data-protection/using-windows-event-logs-to-detect-security-breaches/)
5. [TechNet's guide on using the Event Viewer utility in Windows](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/eventvwr)
6. [Digital Forensics Solutions' blog post on using Linux logs in forensic investigations](https://www.digitalforensicssolutions.com/blog/linux-logs-in-forensic-investigations/)
7. [SANS Institute's guide on using Linux logs in incident response](https://www.sans.org/reading-room/whitepapers/incident/using-linux-logs-incident-response-34382)
8. [Plesk - Linux Logs Explained](https://www.plesk.com/blog/featured/linux-logs-explained/)
9. [Forensic Focus - A Linux Forensics Starter Case Study](https://www.forensicfocus.com/articles/a-linux-forensics-starter-case-study/)
10. [Apple's documentation on MacOS logs](https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPHelpDataProviderSpecification/Introduction/Introduction.html)
11. [TechRepublic's tutorial on using the Console application in MacOS](https://www.techrepublic.com/article/how-to-use-console-to-view-logs-on-a-mac/)

